Credential stuffing is the automated injection of stolen username and password pairs (the usernames are typically email addresses) in order to gain unauthorized access to user accounts. Automation tools enter large numbers of compromised credentials into an application (typically a Web application) until a login succeeds. Once account takeover is achieved, account data can be stolen, fraudulent transactions can be initiated, or the account can be used for other nefarious activities.
An important enabler for credential stuffing is the tendency of users to reuse passwords across more than one application. As a result, compromised credentials from one application can be used to access other applications.
Credential stuffing attacks can involve the use of botnets that run automated scripts to try to access accounts until a legitimate set of credentials permits the hijacking of at least one account.
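From the defender's side, the pattern described above (many different accounts tried from one source until one login succeeds) can be detected in authentication logs. The following is an added example, not part of the original text; the log format, the sample lines, the thresholds and the function names are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login events: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 alice@example.com FAIL
2024-05-01T10:00:02 203.0.113.7 bob@example.com FAIL
2024-05-01T10:00:04 203.0.113.7 carol@example.com FAIL
2024-05-01T10:00:06 203.0.113.7 dave@example.com FAIL
2024-05-01T10:00:08 203.0.113.7 erin@example.com OK
2024-05-01T10:01:00 198.51.100.20 frank@example.com FAIL
2024-05-01T10:01:20 198.51.100.20 frank@example.com FAIL
2024-05-01T10:01:45 198.51.100.20 frank@example.com OK
2024-05-01T10:00:00 192.0.2.55 gina@example.com FAIL
2024-05-01T10:20:00 192.0.2.55 hank@example.com FAIL
2024-05-01T10:40:00 192.0.2.55 ivan@example.com FAIL
2024-05-01T11:00:00 192.0.2.55 judy@example.com FAIL
"""

def parse(log):
    """Yield (timestamp, source, username, succeeded) for each log line."""
    for line in log.strip().splitlines():
        ts, src, user, outcome = line.split()
        yield datetime.fromisoformat(ts), src, user, outcome == "OK"

def detect_stuffing(log, window=timedelta(minutes=5), min_users=4):
    """Map each suspicious source to the accounts it logged in to.

    A source is suspicious when it fails logins for at least `min_users`
    distinct usernames inside one sliding `window`: many accounts, each tried
    once or twice, is the signature of replaying a stolen credential list.
    """
    recent = defaultdict(deque)   # source -> (timestamp, username) failures in window
    successes = defaultdict(set)  # source -> usernames with a successful login
    flagged = set()
    for ts, src, user, ok in sorted(parse(log)):
        if ok:
            successes[src].add(user)
            continue
        failures = recent[src]
        failures.append((ts, user))
        while ts - failures[0][0] > window:   # drop failures older than the window
            failures.popleft()
        if len({u for _, u in failures}) >= min_users:
            flagged.add(src)
    # Any success from a flagged source is a likely takeover: reset those accounts.
    return {src: sorted(successes[src]) for src in flagged}

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

When the attempts are spread across a botnet, each source may stay under a per-IP threshold, so the same counting can be keyed on a coarser attribute (an assumption here, such as a network range) or applied to the overall rate of failed logins across distinct accounts.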