The Real Economics of Credential Stuffing: Low Success, High Impact

Excerpts from the Special Report, “The Economics of Credential Stuffing Attacks and Account Takeover Fraud” by myNetWatchman.


Credential stuffing has endured because it’s ruthlessly economical.

Attackers take username/password pairs harvested from one breach — or several combined — and automate login attempts across thousands of sites. Even when only a tiny fraction succeed (think 0.00018% to 0.025%), the sheer scale turns pennies into profits and headaches into real losses for businesses. The problem persists because consumers, employees, and vendors reuse passwords, and criminals can cheaply rent botnets, proxies, and tools that mimic human behavior.

The Math Favors the Adversary

A large-scale campaign can cost around $300 for the total package: credential lists, residential proxies, 2FA-bypass kits, and automation software. Break-even can happen at ~0.006% success if each compromised account yields just $50 — and many accounts are worth far more.

At volume, the numbers get staggering: one streaming service saw 773 million credential tests in a year, producing nearly 2 million successful logins at a 0.0025% hit rate. Even a “low” success rate becomes material at internet scale.

For Organizations, the Economics Cut the Other Way

The report cites $13B lost to ATO fraud in 2023 and an average of $4.81M per credential-stuffing attack. Operationally, bots can clog login flows — ~16.5% of login-page traffic is linked to stuffing — driving latency, downtime, and support load. Compliance risk compounds the pain: PCI DSS, GDPR, and CCPA enforcement can stack on fines and legal exposure.

The threat is evolving, too. AI-powered bots and headless browser automation help attackers solve CAPTCHAs, navigate complex flows, and adapt to defenses. Static controls won’t keep up.

Shifting the Economics Back in Your Favor

What works is a multi-layered defense: credential screening to spot exposed or actively abused credentials, MFA, aggressive rate limiting, device fingerprinting, behavioral biometrics, cooling-off periods for high-risk actions, and zero-trust checks for sensitive steps.
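Two of the controls listed above, rate limiting and spotting actively abused credentials, are easy to reason about against a login log. The following is an added example in Python, not code from the myNetWatchman report: it runs over a small constructed login log (source IP, username, success flag) and (a) flags sources that show the stuffing signature of many distinct usernames with a tiny hit rate, and (b) applies a sliding-window rate limit per source. The thresholds, the sample addresses, and the usernames are assumptions chosen for illustration.

```python
"""Credential-stuffing detection and per-source rate limiting over a login log.
Added example; the log below is constructed, not real traffic."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed sample log: (timestamp_seconds, source_ip, username, success).
# 203.0.113.7 cycles through 30 different usernames at one attempt per second
# and lands exactly one hit; 198.51.100.2 is a real user retrying a forgotten
# password; 198.51.100.9 is a normal single login.
SAMPLE_LOG = (
    [(t, "203.0.113.7", f"user{t:02d}", t == 17) for t in range(30)]
    + [(5, "198.51.100.2", "bob", False),
       (20, "198.51.100.2", "bob", False),
       (40, "198.51.100.2", "bob", True)]
    + [(100, "198.51.100.9", "carol", True)]
)


@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    usernames: set = field(default_factory=set)


def summarize_by_source(log):
    """Aggregate attempts, successes and distinct usernames per source IP."""
    stats = defaultdict(SourceStats)
    for _ts, ip, user, ok in log:
        s = stats[ip]
        s.attempts += 1
        s.successes += int(ok)
        s.usernames.add(user)
    return stats


def flag_stuffing_sources(log, min_attempts=20, min_distinct_users=10,
                          max_success_rate=0.05):
    """Return sources matching the stuffing signature: high volume, many
    distinct usernames, and a success rate in the fraction-of-a-percent range.
    A legitimate user retrying a password shows one or two usernames from the
    same source, so the distinct-username condition keeps them out.
    Thresholds are illustrative assumptions, not values from the report."""
    flagged = {}
    for ip, s in summarize_by_source(log).items():
        rate = s.successes / s.attempts
        if (s.attempts >= min_attempts
                and len(s.usernames) >= min_distinct_users
                and rate <= max_success_rate):
            flagged[ip] = {
                "attempts": s.attempts,
                "successes": s.successes,
                "distinct_users": len(s.usernames),
                "success_rate": rate,
            }
    return flagged


def rate_limited_attempts(log, window_seconds=60, max_attempts=10):
    """Sliding-window limit per source IP. Replays the log in time order and
    returns the attempts that would have been refused because the source had
    already made max_attempts within the last window_seconds. Refused attempts
    still count toward the window, so a bot cannot reset it by being refused."""
    recent = defaultdict(deque)   # ip -> timestamps of attempts in the window
    blocked = []
    for ts, ip, user, _ok in sorted(log, key=lambda e: e[0]):
        q = recent[ip]
        while q and q[0] <= ts - window_seconds:
            q.popleft()
        if len(q) >= max_attempts:
            blocked.append((ts, ip, user))
        q.append(ts)
    return blocked


if __name__ == "__main__":
    for ip, info in flag_stuffing_sources(SAMPLE_LOG).items():
        print(f"stuffing suspect {ip}: {info}")
    refused = rate_limited_attempts(SAMPLE_LOG)
    print(f"{len(refused)} attempts refused by the rate limiter")
```

In the sample, only the bot source is flagged (30 attempts, 30 usernames, one success), and the rate limiter refuses its 11th through 30th attempts while never touching the retrying real user. In production the same two views are worth keeping separate: the rate limiter acts in real time on a single source, while the distinct-username signature is what exposes a campaign spread across many residential proxies, since each proxy contributes only a few attempts but the username-to-source ratio stays abnormal.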

Real-world outcomes are compelling. One international ISP drove ATOs down from 3,000/day to just 4/day. A multi-channel retailer using credential screening slashed ATO successes from 532,000 to under 49,000 — a 91% reduction.

Losses from credential stuffing may feel inevitable, but they are not: layered controls and proactive credential screening at account creation, password reset, and login upend the attacker's ROI.
