What is password spraying or credential stuffing?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Imagine an attacker with a list of 50,000 email addresses and one very popular password: "Summer2024!". Instead of hammering one account until it locks, they try that single password against all 50,000 accounts quietly, then move on. That's password spraying. It's slow, distributed, and designed to fly under the radar of lockout systems.

Credential stuffing is a different but related attack. It doesn't guess passwords at all. It uses real ones. After a data breach, millions of actual username and password pairs get packaged and sold. Attackers then try those exact credentials across other services, banking on the fact that most people reuse passwords. (Spoiler: most people do.)

Both attacks are effective because of human habits, not technical failures. Password spraying exploits the fact that "Password123" or "Welcome1" is someone's actual password at nearly any large organization. Credential stuffing exploits the fact that if your password leaked from one site, there's a good chance it's the same password you use for your email, your ESP login, or your DNS provider.

That last one matters a lot for email deliverability. If an attacker gets into your ESP account, they can send spam through your domain's verified sender reputation. Your deliverability tanks before you even know it happened.

What actually helps against both attacks:

  • Unique passwords everywhere. A password manager makes this realistic. One breach shouldn't open every door you own.
  • Multi-factor authentication (MFA). Even a correct password becomes useless if there's a second factor the attacker doesn't have.
  • Check if your credentials have been exposed. Have I Been Pwned lets you search your email address against known breach databases for free.
  • Don't ignore login alerts. If your ESP or inbox provider flags an unfamiliar login, treat it seriously.

If you think your email or ESP account may already be compromised, changing the password is step one but it's not the only step. Revoke active sessions, rotate API keys, check your sending logs for anything unusual, and enable MFA before you do anything else. If things look bad, our SOS hotline is free and we'll help you figure out what actually happened.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a personal action plan

I just read about password spraying and credential stuffing and now I'm worried. My email address has probably been in at least one breach. Walk me through what I should check, what I should change, and whether just updating my password is actually enough to protect my accounts.

Edit the yellow boxes, then send to the AI of your choice.