15 Costliest Credential Stuffing Attack Examples of the Decade (and the Authentication Lessons They Teach)
2026-04-25 04:29:42 Author: securityboulevard.com

The post 15 Costliest Credential Stuffing Attack Examples of the Decade (and the Authentication Lessons They Teach) appeared first on MojoAuth Blog – Passwordless Authentication & Identity Solutions.

Credential stuffing attacks have drained billions from businesses, triggered regulatory fines, and exposed hundreds of millions of users over the past ten years. They work because people reuse passwords, and because most login systems are still built to accept a username and password and ask no further questions. This article breaks down the 15 most damaging credential stuffing incidents since 2015, turns each one into a concrete lesson, and shows exactly where passwordless authentication would have changed the outcome.

Key Takeaways

  • Credential stuffing exploits password reuse, not software vulnerabilities. The attack is cheap to run, hard to detect, and devastating at scale.

  • Every incident below was enabled by one root cause: a reusable secret (a password, or in a couple of cases a session token or API key) that had already been exposed somewhere else, whether in an earlier breach or on a machine infected with infostealer malware.

  • Passwordless authentication (passkeys, hardware tokens, biometric-bound credentials) makes credential stuffing structurally impossible because there is no password to stuff.

  • Regulators are now treating failure to defend against credential stuffing as negligence, not bad luck. Fines are growing.

  • The pattern across all 15 cases is identical. Stop the pattern, and you stop the breach.

What Is a Credential Stuffing Attack, and Why Does It Keep Working?

Credential stuffing is automated account takeover. Attackers buy or download lists of username-and-password pairs leaked in previous breaches, then fire them at a new target using bots that can test thousands of combinations per minute. If a user reused their password, the bot logs in. Simple. Scalable. Alarmingly effective.

The success rate for credential stuffing is typically 0.1% to 2%. That sounds low until you realize attackers are working from lists of 100 million credentials. Even a 0.1% hit rate returns 100,000 compromised accounts. Those accounts get sold, drained, or used for fraud within hours.

What keeps this working in 2025 is not sophisticated malware or nation-state tradecraft. It's the password itself. As long as users reuse passwords and companies keep accepting them as proof of identity, credential stuffing will keep producing results.


The 15 Worst Credential Stuffing Attack Examples of the Decade

1. Snowflake (2024): 165 Organizations Hit Through One Shared Weakness

In 2024, attackers used credentials harvested by information-stealing malware, some of them several years old, to log in to customer accounts on the Snowflake cloud data platform. Strictly this is credential replay rather than list-based stuffing, but the defensive lesson is identical: the affected accounts had no multi-factor authentication, so a valid username and password was all that was needed. Roughly 165 customer organizations were affected, including Ticketmaster, Santander, and AT&T. The attackers did not breach Snowflake's infrastructure. They walked in through the front door with credentials that worked.

The scale of downstream exposure was enormous. Ticketmaster alone saw 560 million records claimed by the attackers. Santander reported data on tens of millions of customers.

What passwordless would have changed: Without a password to steal and replay, the infostealer would have collected nothing useful at the credential layer, and a device-bound passkey or hardware token would have ended the attack there. One caveat a practitioner should keep in view: infostealers also lift session cookies, so passkeys need to be paired with short-lived, revocable sessions to close the whole path.

2. 23andMe (2023): 6.9 Million Users and a Regulatory Fine That Set a Precedent

In October 2023, 23andMe confirmed that attackers used credential stuffing to access around 14,000 accounts. That sounds contained until you factor in the DNA Relatives feature. Because compromised accounts were opted into data sharing, the attackers were able to harvest profile data on roughly 6.9 million users from those initial 14,000 entry points. The exposed data included ancestry details, ethnicity estimates, and in some cases health-related genetic information.

The UK Information Commissioner's Office fined 23andMe £2.31 million in 2025 for failing to implement adequate protections against credential stuffing, including MFA. The ICO ruling was explicit: this was a foreseeable, preventable attack, and the company had not done enough to stop it.

This case matters for CISOs and board-level readers because it establishes a legal standard. Failure to protect against credential stuffing is no longer treated as an act of God. It is treated as negligence.

What passwordless would have changed: Passkeys are phishing-resistant and cannot be replayed, because each login signs a fresh server-issued challenge. A credential stuffing list would have had nothing to offer against accounts authenticated with device-bound credentials.

3. Ticketmaster and Live Nation (2024): Supply Chain Credential Exposure

Ticketmaster's data was exposed as part of the broader Snowflake supply chain compromise described above, but the incident deserves its own entry because of the downstream consequences. A threat actor group called ShinyHunters claimed responsibility for exfiltrating 1.3 terabytes of data, including 560 million customer records covering names, addresses, phone numbers, and partial payment data.

The attack did not require a zero-day exploit or a sophisticated intrusion. A contractor's credentials, obtained via infostealer malware, were used to log in to a Snowflake environment that lacked MFA enforcement. The supply chain angle is critical: Ticketmaster's own security posture was partially irrelevant because the weak link was a third-party vendor's access credentials.

What passwordless would have changed: Hardware-bound passkeys cannot be harvested by malware. Even if the contractor's device was infected, there would have been nothing to steal and nothing to replay.

4. Disney+ Launch Day (2019): Account Takeover Within Hours of Launch

When Disney+ launched in November 2019, thousands of accounts were taken over within hours of the service going live. Cybersecurity researchers found compromised credentials being sold on dark-web marketplaces for as little as $3 to $11 per account. Disney confirmed no breach of its own systems. The attackers used credentials from other breaches to log in to newly created Disney+ accounts where users had, predictably, reused their passwords.

The speed of the attack was the story. Users had not even watched their first episode before their accounts were taken. This incident showed that credential stuffing bots are pre-positioned and ready to target any new high-value consumer platform the moment it goes live.

What passwordless would have changed: Passkeys are bound to the relying party's origin (and, for device-bound passkeys, to the authenticator that created them). A list of reused passwords from Netflix or Spotify accounts would have been completely useless.

5. Norton LifeLock (2023): 6,450 Accounts Breached at an Identity Protection Company

The irony is hard to miss. Norton LifeLock, a company whose core product is identity protection, disclosed in January 2023 that attackers had used credential stuffing to access approximately 6,450 customer accounts. The attack started with a list of username-and-password pairs obtained from other sources. Attackers tried them against Norton's login portal, and a significant number worked.

Norton notified affected customers and recommended they change their passwords and enable two-factor authentication. The breach was particularly damaging from a trust perspective. Customers who pay for identity protection expect their own credentials to be safeguarded. Norton did not suffer a technical breach of its infrastructure. The attack succeeded entirely because of password reuse.

What passwordless would have changed: A service built around identity security has the strongest possible argument for going passwordless first. Biometric-bound passkeys would have made this attack impossible regardless of what credentials attackers held.

6. Dunkin' Donuts and the New York Attorney General Settlement (2015-2019)

Dunkin' experienced multiple credential stuffing campaigns against its DD Perks loyalty program between 2015 and 2019. Attackers used automated tools to log in to accounts, drain stored value, and sell working credentials on underground markets. Dunkin' was aware of the attacks as early as 2015 but did not adequately notify affected customers or take sufficient protective measures.

The New York Attorney General sued Dunkin' in 2019 over its handling of the incidents. The company settled in 2020, agreeing to pay $650,000 in penalties and costs, to notify affected customers and reset their passwords, and to maintain safeguards against credential stuffing going forward. The settlement is a useful reference point for anyone presenting this topic to a board: regulatory action over credential stuffing is not theoretical. It has already happened.

What passwordless would have changed: Loyalty programs are a high-value target because stored credit can be converted to cash. Passwordless authentication would have closed the entry point and made the DD Perks accounts structurally unattackable via stuffing.

7. PayPal (2022): Nearly 35,000 Accounts Hit Over Two Days

PayPal notified affected customers in January 2023 that credential stuffing attacks had compromised 34,942 accounts between December 6 and December 8, 2022. Exposed data included full names, dates of birth, postal addresses, Social Security numbers, and individual tax ID numbers. PayPal confirmed the attacker used valid credentials obtained from external sources, not from any breach of PayPal's own systems.

The company reset passwords for affected accounts and offered two years of free identity monitoring. The incident is a reminder that financial services companies are always high-priority targets for credential stuffing because a compromised account means direct access to money.

What passwordless would have changed: With FIDO2 passkeys, the attacker's credential list would have produced zero valid logins. No replay attack works if there is no shared secret to replay.

8. Amtrak Guest Rewards (2020): Loyalty Points and Personal Data at Risk

Amtrak notified customers in May 2020 that their Guest Rewards accounts had been accessed by unauthorized third parties. The company attributed the attack to credential stuffing using credentials obtained from other sources. The exposed data included names, contact information, partial payment data, and Guest Rewards point balances.

The Amtrak breach follows the standard loyalty program playbook: accumulated points represent real monetary value, and credential stuffing is the cheapest way to harvest them at scale. What made this incident notable was the breadth of personal data accessible once inside an account. Attackers did not just drain points; they had access to travel history and personal contact details.

What passwordless would have changed: A passkey-protected loyalty account has no shared secret that can be extracted from a data breach at a different company. The stuffing list simply finds no traction.

9. The North Face (2022): Retail Accounts Targeted for Stored Value

The North Face disclosed in August 2022 that a credential stuffing attack between July 26 and August 19 had accessed customer accounts on its website. Exposed information included full names, purchase histories, billing and shipping addresses, and reward points balances. The company reset passwords for all affected accounts and required customers to create new credentials on their next login.

Retail accounts are a growing target for credential stuffing because they combine stored payment methods, shipping addresses, and loyalty balances into one accessible location. The North Face incident mirrors a pattern seen across retail in this period: attackers moving from financial services targets toward consumer retail where security investment has historically been lower.

What passwordless would have changed: The attack was entirely dependent on passwords stolen from unrelated breaches. Remove the password, and the entire attack chain fails at the first step.

10. Okta Support Unit Compromise (2023): When the Identity Provider Gets Hit

In October 2023, Okta disclosed that attackers had gained access to its customer support case management system using stolen credentials. The attacker accessed files uploaded by Okta customers for support purposes, including HAR files that contained session tokens. Downstream customers including BeyondTrust and Cloudflare identified suspicious activity tied to the Okta compromise.

This incident sits in a special category because Okta is itself an identity and access management provider. When an identity provider's support environment is compromised, the blast radius extends to every customer organization that uses that provider. The initial access vector was not a stuffing list but a stolen saved password: an Okta employee had signed in to a personal Google account on an Okta-managed laptop, a service account's username and password were saved in that browser profile, and from there they were stolen.

What passwordless would have changed: Browser-saved passwords are one of the most common sources of stolen credentials. A hardware-bound passkey stored in a secure enclave cannot be exfiltrated by malware or a synced browser profile. It would not, however, have protected the session tokens inside the uploaded HAR files; those needed to be scrubbed before upload and given short lifetimes, which is a separate control from the login factor.

11. DraftKings (2022): Sports Betting Accounts Drained Within Hours

In November 2022, DraftKings CEO Jason Robins confirmed that approximately $300,000 had been drained from customer accounts following a credential stuffing attack. Attackers used credentials from other data breaches to log in to DraftKings accounts, changed email addresses and passwords to lock out the real owners, and then withdrew available balances.

The speed of the account takeover was striking. Customers reported being locked out of accounts and seeing withdrawals they did not authorize, all within a short window after attackers gained initial access. DraftKings said it believed the credentials had originated from a different company's breach. The company worked to make affected customers whole and tightened account security in response.

What passwordless would have changed: A stuffed credential list produces no valid passkey assertion, so the takeover never starts. The follow-on steps the attackers relied on, changing the email address and password, should also require a fresh authentication on a registered authenticator, which closes the lock-out step as well.

12. Roku (2024): 576,000 Accounts Taken Over Across Two Incidents

Roku disclosed two separate credential stuffing incidents in 2024. The first, disclosed in March, affected 15,363 accounts. Before the investigation was complete, a second wave was discovered affecting approximately 576,000 additional accounts. In a small number of cases, attackers were able to purchase streaming subscriptions using stored payment methods.

Roku enabled two-factor authentication for all accounts following the second incident. The scale of the second wave, which was discovered only because Roku was already looking for suspicious activity after the first, illustrates how quickly these attacks can escalate once attackers identify a working target. The company's response was prompt, but the disclosure timeline showed how difficult it is to detect and contain stuffing attacks in real time.

What passwordless would have changed: FIDO2 passkeys prevent replay entirely. No credential list works against an account that authenticates with a device-bound cryptographic credential.

13. Internet Archive (2024): A Cultural Institution Hit by Credential Attacks

In October 2024, the Internet Archive confirmed it had been hit by multiple security incidents, including a data breach affecting 31 million user records and a separate compromise of its Zendesk-based support system. The support system attack was particularly damaging: attackers used API tokens that had been exposed in a publicly reachable GitLab configuration and never rotated to read support tickets and reply to users.

The Internet Archive is a nonprofit operating on constrained resources. Its experience is a useful reminder that credential stuffing and related attacks do not only target enterprises with deep pockets. Any public-facing authentication system is a target if it accepts reused credentials. The exposure of support ticket contents, including personal communications from users requesting takedowns, was a meaningful privacy harm.

What passwordless would have changed: This is the outlier on the list. Long-lived API tokens left in a repository are a secrets-management failure, not replayed user passwords, and phishing-resistant login for support staff would not have revoked them; the fix is secret scanning, prompt rotation of anything exposed, and short-lived tokens. It belongs here because the underlying mistake is the same one: a bearer secret that, once exposed, kept working.

14. Finastra and Banking Supply Chain Compromises (2024)

Finastra, a financial technology company serving over 8,000 financial institutions, disclosed in November 2024 that it had identified suspicious activity on its Secure File Transfer Platform. Attackers claimed to have accessed 400 gigabytes of data. Investigations pointed to compromised credentials as the initial access vector. The incident affected major banking clients and raised significant concerns about supply chain credential risk in the financial sector.

The banking supply chain is a high-value target because a single vendor compromise can cascade to dozens of financial institutions. When the weak link is a compromised credential used by a vendor employee or contractor, the entire downstream customer base is at risk.

What passwordless would have changed: If the compromised credentials were used in a stuffing or phishing campaign, a passkey-based login would not have been replayable. The attack would have stalled at the authentication layer.

15. 23andMe Genetic Data Exposure: The "Un-Breachable" Category

We return to 23andMe not to repeat the 2023 incident but to examine what makes genetic data a uniquely damaging credential stuffing target. When financial credentials are stolen, you can freeze a card, change a password, or reverse a transaction. When your genetic data is exposed, the information is permanent and irrevocable. No reset will change the genetic information associated with your profile.

The 2023 23andMe incident exposed what can only be described as an un-fixable category of personal data. Ancestry composition, health predisposition markers, and ethnic background are not like a password. They do not expire. They cannot be rotated. And for users who had opted into the DNA Relatives feature, data on millions of people who never made a direct decision to share their information was harvested from the accounts of those who did. Regulators noted this in the fine. The irreversibility of the harm raised the stakes of the failure.

What passwordless would have changed: Genetic data platforms have an especially strong argument for making passwordless authentication the default, not an optional setting. An account holding permanent, irreversible personal data should not be accessible to a bot running a credential list.


Why the Same Attack Has Worked 15 Times in a Row

Look at these 15 incidents side by side and the pattern is almost boring in its consistency. The attacker obtains a list of credentials from a prior breach. The target system accepts valid username-and-password combinations without additional friction. The attack succeeds.

There are variations in scale, industry, and downstream harm. But the root cause is the same every time. Passwords are shared secrets. Once they are exposed anywhere, they can be tried everywhere. And because humans reuse passwords across accounts, exposure at one site becomes a key to many others.

The security community has known this for years. Multi-factor authentication helps, and it has reduced the success rate of credential stuffing considerably for organizations that enforce it. But MFA is not the final answer. SMS-based MFA can be bypassed through SIM swapping. Push-notification MFA is vulnerable to fatigue attacks. And MFA adoption rates among consumer populations remain low enough that attackers can still find plenty of unprotected accounts.

The final answer is to eliminate the password entirely, including from account recovery, which otherwise becomes the new password.

What Passwordless Authentication Actually Means for Account Takeover Prevention

Passwordless authentication using FIDO2 passkeys or hardware security keys works differently from everything attackers have learned to exploit. Instead of a shared secret (a password that both the user and the server know), authentication uses a per-site cryptographic key pair. The private key never leaves the user's authenticator; the server stores only the public key and, at login, sees a signature over a fresh random challenge and the origin the browser actually connected to. There is nothing to steal from a breach list and nothing to replay against a login form.

This is not just a better version of passwords. It is a different category of authentication. Here is what changes for each of the common attack vectors:

Credential stuffing: No password exists to stuff. A list of username-and-password pairs from breaches at other companies produces zero successful logins.

Phishing: Passkeys are bound to the origin they were created on. The browser refuses to exercise the credential from any other origin, and the signed data records the origin it saw, so a fake login page on a lookalike domain cannot obtain a valid passkey response.

Password spray: No shared secret to spray. The attack has no mechanism to operate.

Brute force: There is no password field to brute force. The attack has no target.

The FIDO Alliance reports that passkeys have been adopted by Google, Apple, Microsoft, GitHub, PayPal, and hundreds of other platforms. The infrastructure exists. The question for security leaders is how quickly to make it the default rather than the option.


Frequently Asked Questions

What Is the Difference Between Credential Stuffing and a Data Breach?

A data breach is when attackers extract data directly from a company's systems, often through vulnerabilities, misconfigured databases, or insider access. Credential stuffing uses data from prior breaches at other companies and tries those credentials against a new target. The target company may have no vulnerability of its own. The attack succeeds entirely because of user password reuse. Many of the incidents above were not "breaches" of the target company's infrastructure at all. They were credential stuffing campaigns that succeeded because valid credentials were accepted.

Can Multi-Factor Authentication Stop Credential Stuffing?

MFA significantly reduces the success rate of credential stuffing, but it does not eliminate it. SMS-based MFA is vulnerable to SIM swapping and social engineering. App-based push notifications are vulnerable to MFA fatigue attacks, where attackers repeatedly prompt a user until they approve out of frustration or confusion. TOTP (time-based one-time passwords) are more resilient but can still be phished in real time. Only phishing-resistant MFA (FIDO2 passkeys, hardware tokens) provides structural protection against credential stuffing.

How Do Attackers Get the Credential Lists They Use?

Credential lists come from prior data breaches that have been sold or posted on underground markets and forums. Some lists are many years old and still contain millions of valid credentials because users have never changed their passwords. Infostealers, a category of malware that harvests saved passwords from browsers and applications, are also a major source of fresh credentials. Collections like "Collection #1" (released in 2019, containing 2.7 billion email-and-password combinations) circulate perpetually.

What Should a CISO Do Right Now to Reduce Credential Stuffing Risk?

The highest-impact steps, in order of priority:

  • Enforce phishing-resistant MFA (ideally passkeys) for all user-facing accounts.

  • Implement rate limiting and bot detection on all login endpoints.

  • Subscribe to a credential monitoring service that alerts you when your users' credentials appear in breach dumps.

  • Audit third-party vendor access to ensure contractors are not holding reusable passwords.

  • Review loyalty and consumer accounts, which are frequently under-secured relative to corporate accounts.
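The mechanics described earlier (a bot working through a list, one try per username, a hit rate in the low single digits) and the rate-limiting and bot-detection step above both come down to the same login telemetry. The following is an added example written for this edit, not code from the original post or from MojoAuth: a detector that separates the stuffing signature (many usernames, one or two tries each, almost all failing) from brute force (one username, many tries) over constructed login events, lists the accounts that succeeded from a flagged source, and shows what a per-source sliding-window limit would have rejected. The log format, IP addresses, thresholds and the limit of ten attempts per minute are assumptions.

```javascript
// Added example (not from the original post or from MojoAuth): a credential
// stuffing detector and per-source rate limiter over constructed login events.
// Log format, addresses and thresholds are assumptions made for the example.

// Constructed sample: one stuffing source, one brute-force source, normal users.
function buildSampleLog() {
  const lines = [];
  let t = Date.parse('2024-03-01T10:00:00Z');
  const line = (ip, user, result) => {
    lines.push(`${new Date(t).toISOString()} ip=${ip} user=${user} result=${result}`);
    t += 500; // half a second between events
  };
  // Stuffing bot: 50 different usernames, one attempt each, a 2% hit rate.
  for (let i = 1; i <= 50; i++) {
    line('203.0.113.7', `user${String(i).padStart(3, '0')}`, i === 17 ? 'success' : 'fail');
  }
  // Brute force: one account, many guesses, from a second source.
  for (let i = 0; i < 30; i++) line('198.51.100.9', 'admin', 'fail');
  // Ordinary users: one or two attempts, mostly successful.
  line('192.0.2.10', 'alice', 'success');
  line('192.0.2.11', 'bob', 'fail');
  line('192.0.2.11', 'bob', 'success');
  line('192.0.2.12', 'carol', 'success');
  return lines;
}

function parseLine(l) {
  const m = /^(\S+) ip=(\S+) user=(\S+) result=(success|fail)$/.exec(l);
  if (!m) throw new Error(`unparseable line: ${l}`);
  return { ts: Date.parse(m[1]), ip: m[2], user: m[3], result: m[4] };
}

// Aggregate attempts, failures and per-user outcomes for each source IP.
function summarizeBySource(events) {
  const bySource = new Map();
  for (const e of events) {
    if (!bySource.has(e.ip)) bySource.set(e.ip, { attempts: 0, failures: 0, users: new Map() });
    const s = bySource.get(e.ip);
    s.attempts++;
    if (e.result === 'fail') s.failures++;
    const u = s.users.get(e.user) || { attempts: 0, succeeded: false };
    u.attempts++;
    if (e.result === 'success') u.succeeded = true;
    s.users.set(e.user, u);
  }
  return bySource;
}

// Stuffing: many usernames, one or two tries each, nearly all failing.
// Brute force: one username, many tries. Thresholds are assumptions.
function classifySource(s, th = { minAttempts: 20, maxTriesPerUser: 2, minFailRate: 0.9 }) {
  const distinct = s.users.size;
  const failRate = s.failures / s.attempts;
  if (s.attempts < th.minAttempts || failRate < th.minFailRate) return 'normal';
  if (s.attempts / distinct <= th.maxTriesPerUser) return 'credential-stuffing';
  if (distinct <= 2) return 'brute-force';
  return 'suspicious';
}

// Sliding-window limiter: at most `limit` attempts per source per `windowMs`.
// Returns how many requests each source would have had rejected.
function simulateRateLimit(events, limit = 10, windowMs = 60000) {
  const windows = new Map(), rejected = new Map();
  for (const e of events) {
    const w = (windows.get(e.ip) || []).filter((ts) => e.ts - ts < windowMs);
    if (w.length >= limit) rejected.set(e.ip, (rejected.get(e.ip) || 0) + 1);
    else w.push(e.ts);
    windows.set(e.ip, w);
  }
  return rejected;
}

function detect(lines) {
  const events = lines.map(parseLine);
  const verdicts = {}, compromised = [];
  for (const [ip, s] of summarizeBySource(events)) {
    verdicts[ip] = classifySource(s);
    if (verdicts[ip] === 'credential-stuffing') {
      // Any account that succeeded from a stuffing source is a likely takeover:
      // force re-authentication and invalidate its sessions.
      for (const [user, u] of s.users) if (u.succeeded) compromised.push(user);
    }
  }
  const rejected = Object.fromEntries(simulateRateLimit(events));
  return { verdicts, compromised, rejected };
}
```

On the constructed sample, `detect(buildSampleLog())` flags 203.0.113.7 as credential stuffing and 198.51.100.9 as brute force, leaves the ordinary users alone, names `user017` as the one account that was actually taken over (the 2% hit the text talks about), and shows that a limit of ten attempts per minute per source would have rejected 40 of the bot's 50 attempts. The per-source key is the weakest part of a real deployment: stuffing campaigns rotate through residential proxies, so production detectors also key on ASN, device fingerprint and the global failure ratio, and the hit list still needs a forced re-authentication step for the accounts that got through.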

Are Passwordless Solutions Ready for Enterprise Deployment?

Yes. Passkey support is built into iOS 16+, Android 9+, Windows 10+, and macOS Ventura and later. Major identity platforms including Okta, Microsoft Entra, and Ping Identity support FIDO2 passkeys. Enterprise deployment typically involves a phased rollout starting with high-risk accounts (administrators, finance teams, customer-facing systems) before moving to the full user population. The technical infrastructure is mature. The remaining barrier is process and change management, not technology readiness.

What Is the Largest Credential Stuffing Attack Ever Recorded?

By affected user count, the 23andMe breach (6.9 million users via 14,000 compromised seed accounts) and the Roku incidents (576,000 accounts in one wave) represent significant scale. The Snowflake supply chain attacks arguably represent the widest downstream impact, affecting over 165 customer organizations. The "largest" depends on whether you measure by direct account count, downstream data exposure, or financial harm. DraftKings lost $300,000 in direct withdrawals. 23andMe was fined £2.31 million by the UK ICO. Ticketmaster faced a $25 million settlement discussion related to the broader Snowflake incident.


Final Thoughts

Fifteen incidents. Fifteen variations on the same root cause. The password is the vulnerability, and every company that still relies on passwords as a primary authentication factor is, to some degree, running the same experiment these organizations ran, and waiting for the same result.

The good news is that the fix is deployable today. Passkeys are not a future technology or an emerging standard. They are shipping in consumer devices and enterprise identity platforms right now. If you want to take the first step toward making credential stuffing structurally impossible for your organization, download the Credential Stuffing Survival Guide to see Zero-Store passwordless authentication in action.

*** This is a Security Bloggers Network syndicated blog from MojoAuth Blog - Passwordless Authentication & Identity Solutions authored by MojoAuth Blog - Passwordless Authentication & Identity Solutions. Read the original post at: https://mojoauth.com/blog/15-costliest-credential-stuffing-attack-examples-of-the-decade-and-the-authentication-lessons-they-teach


Source: https://securityboulevard.com/2026/04/15-costliest-credential-stuffing-attack-examples-of-the-decade-and-the-authentication-lessons-they-teach/