Credential stuffing
Main conclusions
- "Credential stuffing" is a simple but effective attack that consists of massively testing lists of usernames and passwords (that have leaked from site A) on many other sites (B, C, D...).
- Its success is based on the widespread tendency of users to reuse the same passwords across different services.
- The ultimate goal is "Mailaccess", that is, taking control of accounts for various uses (fraud, theft of services, identity theft, resale of data).
The attack is structured around four main elements:
- Automation software (e.g., SilverBullet).
- Combolist (the list of identifiers to test).
- Configuration (the script telling the software how to target a specific site).
- Proxy (to mask the attacker's IP address).
Why is this threat so widespread?
- Very high accessibility: the technical barrier to launching an attack is extremely low. All that is needed is to assemble the four components above.
- Industrialized process: the ease of use of the tools and the explosion in the number of credential lists (in particular those harvested by infostealer malware) make these attacks easy to deploy on a large scale.
Security recommendations for businesses
- Technical defenses: implement two-factor authentication (2FA), so that a valid password alone is not enough to log in, and CAPTCHA to block the bots.
- Detection & blocking: use behavioral analysis tools to detect suspicious login patterns (volume, failure rate, number of distinct accounts per source, proxy rotation). This is more effective than simply blocking IP addresses, which may be shared (NAT, carrier-grade NAT) or belong to legitimate users whose machines are infected.
- Threat intelligence:
- Monitor data leaks to identify customer accounts at risk.
- Know the trends: infiltrate the groups dedicated to this fraud, monitor the brands that are mentioned and targeted, and stay informed about the latest updates to the software used by attackers.
- Analyze the configurations that target your own site to discover which endpoints they hit and which weaknesses in the login flow they exploit.
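As an added example (not part of the Intrinsec report), the following script shows the kind of behavioral check the "Detection & blocking" recommendation refers to, run over a handful of constructed authentication log lines. The log format, the thresholds and the IP addresses are assumptions chosen for illustration. Two signals are computed per 5-minute window: a single source IP that tries many distinct accounts with a very low success rate, and a distributed campaign where many IPs (rotating proxies) share the same client fingerprint, here the user agent, and the same near-total failure rate. A shared office IP with many users but a normal success rate is deliberately not flagged, which is the point of looking at behavior rather than at addresses.

```python
"""Behavioral credential-stuffing detection over authentication logs.

Added example, not code from the original report. Log format, thresholds,
IP addresses and sample lines are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <ip> <username> <ok|fail> <user-agent>"
# 203.0.113.10: shared office NAT, many users, mostly successful logins.
# 198.51.100.7: one noisy attacker IP cycling through a combolist.
# 192.0.2.1-4: the same campaign spread over rotating proxies, same client.
SAMPLE_LOG = """\
2025-01-10T08:00:00 203.0.113.10 alice@example.com ok Mozilla/5.0 (Windows NT 10.0)
2025-01-10T08:00:05 203.0.113.10 bob@example.com ok Mozilla/5.0 (Windows NT 10.0)
2025-01-10T08:00:09 203.0.113.10 carol@example.com fail Mozilla/5.0 (Windows NT 10.0)
2025-01-10T08:00:12 203.0.113.10 carol@example.com ok Mozilla/5.0 (Windows NT 10.0)
2025-01-10T08:00:20 203.0.113.10 dave@example.com ok Mozilla/5.0 (Windows NT 10.0)
2025-01-10T08:00:31 203.0.113.10 erin@example.com ok Mozilla/5.0 (Windows NT 10.0)
2025-01-10T08:01:00 198.51.100.7 u1@example.com fail python-requests/2.31
2025-01-10T08:01:00 198.51.100.7 u2@example.com fail python-requests/2.31
2025-01-10T08:01:01 198.51.100.7 u3@example.com fail python-requests/2.31
2025-01-10T08:01:01 198.51.100.7 u4@example.com ok python-requests/2.31
2025-01-10T08:01:02 198.51.100.7 u5@example.com fail python-requests/2.31
2025-01-10T08:01:02 198.51.100.7 u6@example.com fail python-requests/2.31
2025-01-10T08:01:03 198.51.100.7 u7@example.com fail python-requests/2.31
2025-01-10T08:01:03 198.51.100.7 u8@example.com fail python-requests/2.31
2025-01-10T08:02:00 192.0.2.1 v1@example.com fail okhttp/4.9.3
2025-01-10T08:02:00 192.0.2.1 v2@example.com fail okhttp/4.9.3
2025-01-10T08:02:01 192.0.2.2 v3@example.com fail okhttp/4.9.3
2025-01-10T08:02:01 192.0.2.2 v4@example.com ok okhttp/4.9.3
2025-01-10T08:02:02 192.0.2.3 v5@example.com fail okhttp/4.9.3
2025-01-10T08:02:02 192.0.2.3 v6@example.com fail okhttp/4.9.3
2025-01-10T08:02:03 192.0.2.4 v7@example.com fail okhttp/4.9.3
2025-01-10T08:02:03 192.0.2.4 v8@example.com fail okhttp/4.9.3
"""


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool
    ua: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format; the user agent may contain spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result, ua = line.split(" ", 4)
        events.append(Event(datetime.fromisoformat(ts), ip, user.lower(), result == "ok", ua))
    return events


def _window(ts: datetime, minutes: int) -> datetime:
    """Floor a timestamp to a fixed window so counters are bounded in time."""
    return ts.replace(minute=(ts.minute // minutes) * minutes, second=0, microsecond=0)


def detect(events, window_minutes=5, min_attempts=5, min_users=5, min_ips=3, max_success=0.2):
    """Return IPs flagged as noisy single sources and as members of a distributed campaign."""
    per_ip = defaultdict(lambda: {"n": 0, "fail": 0, "users": set()})
    per_ua = defaultdict(lambda: {"n": 0, "fail": 0, "ips": set()})
    for e in events:
        w = _window(e.ts, window_minutes)
        s = per_ip[(w, e.ip)]
        s["n"] += 1
        s["fail"] += 0 if e.ok else 1
        s["users"].add(e.user)
        u = per_ua[(w, e.ua)]
        u["n"] += 1
        u["fail"] += 0 if e.ok else 1
        u["ips"].add(e.ip)

    # Signal 1: one IP, many distinct accounts, almost everything fails.
    noisy = set()
    for (_, ip), s in per_ip.items():
        success = 1 - s["fail"] / s["n"]
        if s["n"] >= min_attempts and len(s["users"]) >= min_users and success <= max_success:
            noisy.add(ip)

    # Signal 2: many IPs sharing one client fingerprint, almost everything fails.
    # Each proxy sends too few requests to trip signal 1 on its own.
    distributed = set()
    for (_, _ua), u in per_ua.items():
        success = 1 - u["fail"] / u["n"]
        if u["n"] >= min_attempts and len(u["ips"]) >= min_ips and success <= max_success:
            distributed.update(u["ips"])
    return {"noisy_ips": noisy, "distributed_ips": distributed}


if __name__ == "__main__":
    print(detect(parse_log(SAMPLE_LOG)))
```

In production the user agent is a weak fingerprint, since the configuration can set it to anything; the same grouping works with a TLS fingerprint (JA3/JA4), a device cookie or the exact request shape that the attacker's configuration produces, which is one reason the report recommends analyzing the configurations that target your site.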
Essential recommendation for users
- Use a unique password for each service: that is the most effective defense. It prevents a data leak on one site from compromising your accounts elsewhere. While this may seem tedious, a password manager makes it painless.
Intrinsec's CTI Services
Organizations are facing increasingly sophisticated malicious actors and intrusion techniques. To counter these constantly evolving threats, a proactive approach to detecting and analyzing any potentially malicious activity is now essential. This practical approach allows companies to anticipate, or at least react as quickly as possible to, the breaches they encounter.
For this report, shared with our clients in January 2025, Intrinsec relied on its Cyber Threat Intelligence service, which provides clients with high-value, contextualized, and actionable information to understand and contain cyber threats. Our CTI team consolidates data and information gathered by our security monitoring services (SOC, MDR, etc.), our incident response team (CERT-Intrinsec), and customized cyber intelligence generated by our analysts using custom heuristics, honeypots, threat hunting, reverse engineering, and pivoting.
Intrinsec also offers various services related to Cyber Threat Intelligence:
- Risk anticipation: which can be leveraged to continuously adapt the detection and response capabilities of our clients' existing tools (EDR, XDR, SIEM, etc.) through:
- an operational feed of IOCs derived from our own exclusive activities.
- threat intelligence notes and reports, compliant with the TIP standard.
- Digital risk monitoring:
- data leak detection and remediation
- External Attack Surface Management (EASM)
- brand protection
For more information, visit intrinsec.com/en/cyber-threat-intelligence/.
