
Investigation Walkthrough: Credential Stuffing After a Breach

Investigating a credential stuffing attack that compromised 1,219 accounts at a credit union, from alert to remediation

By Benjamin, Fraud Attacks · Updated

A credential-stuffing investigation traces a single attack from the velocity alert that first surfaces it through containment, scope assessment, money tracing, and the controls put in place afterwards. This article follows fraud analyst Nadia Osei through a 1,219-account compromise at a credit union, where the breached passwords came from an unrelated recipe site eight months earlier. The walkthrough shows why "login only" accounts still need remediation and why the most useful control after the attack was a 24-hour hold on transfers from accounts with recent setting changes.

3,847 Logins Per Minute

Nadia Osei's pager went off at 6:12 AM on a Thursday. She was the on-call fraud analyst at Vantage Financial, a mid-size credit union with 400,000 members. The automated alert was terse: "Login velocity anomaly. Current rate: 3,847/min. Normal baseline: 12/min."

She pulled up the dashboard from her phone while the coffee brewed. The graph looked like a cliff face. Normal login volume humming along at baseline, then a near-vertical spike starting at 5:58 AM. Thousands of login attempts per minute. Most failing. But some succeeding.

By 6:20 AM she was at her desk. The numbers were getting worse.

In the 22 minutes since the attack started, 50,744 login attempts had been made. 1,219 had succeeded. That meant 1,219 member accounts were potentially compromised.

Nadia checked the source data. The attempts came from a rotating pool of residential IP addresses (not a data center), used a mix of user agents (not a single bot signature), and worked through a list of member logins in order, but with randomized timing between attempts. Someone had a credential list and a sophisticated automation toolkit.
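What the velocity alert and Nadia's source check are computing, as an added example that is not code from the article or from Vantage Financial: the block buckets constructed login records per minute, flags minutes that exceed a multiple of the baseline, and then measures the rotating-source and low-success signals in the flagged window. The log format, field names, thresholds and sample records are constructed for illustration.

```python
"""Login-velocity alert plus credential-stuffing indicators over constructed auth records.

Added example; not code from the article or from Vantage Financial. The log format,
field names, thresholds and sample lines below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: "timestamp user ip user_agent result", one attempt per line.
# 05:56 and 05:57 are normal traffic; 05:58 is the first minute of a distributed attack.
SAMPLE_LOG = """\
2024-05-09T05:56:05Z m10001 203.0.113.5  ua-chrome-123  ok
2024-05-09T05:56:41Z m10002 203.0.113.9  ua-safari-17   ok
2024-05-09T05:57:12Z m10003 203.0.113.12 ua-firefox-125 ok
2024-05-09T05:57:30Z m10004 203.0.113.12 ua-firefox-125 fail
2024-05-09T05:58:01Z m20001 198.51.100.1 ua-chrome-121  fail
2024-05-09T05:58:04Z m20002 198.51.100.2 ua-chrome-122  fail
2024-05-09T05:58:09Z m20003 198.51.100.3 ua-edge-120    ok
2024-05-09T05:58:17Z m20004 198.51.100.4 ua-safari-16   fail
2024-05-09T05:58:22Z m20005 198.51.100.5 ua-chrome-121  fail
2024-05-09T05:58:31Z m20006 198.51.100.6 ua-firefox-124 fail
2024-05-09T05:58:44Z m20007 198.51.100.7 ua-edge-121    fail
2024-05-09T05:58:58Z m20008 198.51.100.8 ua-chrome-123  fail
"""


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    user: str
    ip: str
    ua: str
    ok: bool


def parse_log(text):
    attempts = []
    for line in text.strip().splitlines():
        ts, user, ip, ua, result = line.split()
        attempts.append(Attempt(datetime.fromisoformat(ts.replace("Z", "+00:00")), user, ip, ua, result == "ok"))
    return attempts


def per_minute(attempts):
    """Group attempts into one-minute buckets keyed by the truncated timestamp."""
    buckets = defaultdict(list)
    for a in attempts:
        buckets[a.ts.replace(second=0, microsecond=0)].append(a)
    return dict(sorted(buckets.items()))


def indicators(attempts):
    """Signals that separate a distributed credential-stuffing run from ordinary traffic."""
    n = len(attempts)
    distinct_ips = len({a.ip for a in attempts})
    return {
        "attempts": n,
        "distinct_ips": distinct_ips,
        "distinct_uas": len({a.ua for a in attempts}),
        "ip_ratio": distinct_ips / n,  # near 1.0 means one attempt per IP, i.e. proxy rotation
        "success_rate": sum(a.ok for a in attempts) / n,
    }


def analyze(text, baseline_per_min, factor=3):
    """Flag minutes above factor x baseline volume, then test the flagged traffic for the
    credential-stuffing pattern: rotating sources and a success rate far below normal."""
    buckets = per_minute(parse_log(text))
    alert_minutes = [m for m, evs in buckets.items() if len(evs) > baseline_per_min * factor]
    normal = [a for m, evs in buckets.items() if m not in alert_minutes for a in evs]
    spike = [a for m in alert_minutes for a in buckets[m]]
    baseline_success = sum(a.ok for a in normal) / len(normal) if normal else 1.0
    result = {
        "alert_minutes": [m.strftime("%H:%M") for m in alert_minutes],
        "baseline_success_rate": baseline_success,
        "spike": indicators(spike) if spike else None,
    }
    sp = result["spike"]
    # Verdict: mostly one-off source IPs and a success rate under half of what normal users achieve.
    result["credential_stuffing"] = bool(sp) and sp["ip_ratio"] >= 0.8 and sp["success_rate"] < baseline_success / 2
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG, baseline_per_min=2), indent=2))
```

With the article's figures (baseline 12/min, 3,847/min, 1,219 of 50,744 succeeding) the same logic fires on volume alone; the success-rate comparison matters for slower, throttled runs that stay under the velocity threshold, which is how the attacker adapted once the rate limit went in.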

She reached for her phone and called her manager. "We have a credential stuffing attack in progress. Over a thousand accounts already hit. I need to trigger the incident response plan."

This story is fictional, but the patterns are real.

Day 1: Containment

The First Two Hours

Nadia's first call was to the security operations center. They implemented an emergency rate limit: no more than three login attempts per IP address per minute. The attack volume dropped from thousands per minute to a trickle within fifteen minutes, but the attacker adapted, switching to a broader IP pool. The team escalated to a full IP block on the proxy network the attacker was using.

By 8:00 AM, the active attack was contained. But containment wasn't the same as remediation. 1,219 accounts had been accessed. The question now was: what had the attacker done inside those accounts?

Triaging the Compromised Accounts

Nadia's team pulled audit logs for every successfully accessed account. They categorized the 1,219 compromised accounts by what had happened after login:

Category              Count   Description
Login only              847   Attacker logged in but took no further action
PII viewed              203   Attacker viewed account details (balance, SSN, address)
Settings changed         89   Email address, phone number, or mailing address modified
Transfers initiated      62   Internal or external transfers attempted
Transfers completed      18   Funds successfully moved to external accounts

The 18 completed transfers totaled $94,200. The amounts ranged from $1,200 to $12,500 per account. All transfers went to external accounts at other institutions.

The 89 accounts with changed settings were concerning for a different reason. The attacker had changed the email address on these accounts, which would redirect password reset links, verification codes, and account alerts to addresses the attacker controlled. This was the setup for a second wave: come back later, reset the password using the new email, and drain the account at leisure.
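The triage table above is the output of a simple rule: give each account the most severe post-login action observed inside the attack window, and separately list the accounts whose recovery channel was redirected, since those cut across the categories. As an added example that is not code from the article or from Vantage Financial, with constructed audit events, action names and amounts:

```python
"""Triage of compromised accounts by the worst post-login action in the attack window.

Added example; not code from the article or from Vantage Financial. Event shape,
action names and the sample events are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Categories in increasing severity; an account lands in the worst one it reached.
SEVERITY = ["Login only", "PII viewed", "Settings changed", "Transfers initiated", "Transfers completed"]
ACTION_CATEGORY = {
    "login": "Login only",
    "view_balance": "PII viewed",
    "view_profile": "PII viewed",
    "change_email": "Settings changed",
    "change_phone": "Settings changed",
    "change_address": "Settings changed",
    "transfer_initiated": "Transfers initiated",
    "transfer_completed": "Transfers completed",
}


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    action: str
    amount: float = 0.0  # only meaningful for transfer events


def t(hhmm):
    """Constructed timestamps on the attack day."""
    return datetime.fromisoformat(f"2024-05-09T{hhmm}:00+00:00")


ATTACK_START, ATTACK_END = t("05:58"), t("08:00")

SAMPLE_EVENTS = [
    Event(t("05:30"), "A6", "login"),  # legitimate login before the window: must be ignored
    Event(t("06:01"), "A1", "login"),
    Event(t("06:02"), "A2", "login"), Event(t("06:02"), "A2", "view_balance"),
    Event(t("06:05"), "A3", "login"), Event(t("06:06"), "A3", "change_email"),
    Event(t("06:10"), "A4", "login"), Event(t("06:11"), "A4", "change_email"),
    Event(t("06:12"), "A4", "transfer_initiated", 2500.0),
    Event(t("06:15"), "A5", "login"), Event(t("06:16"), "A5", "change_phone"),
    Event(t("06:17"), "A5", "transfer_initiated", 4500.0),
    Event(t("06:19"), "A5", "transfer_completed", 4500.0),
]


def in_window(e, start, end):
    return start <= e.ts < end


def triage(events, start, end):
    """Map each account touched in the window to the most severe category it reached.
    Unknown action names raise KeyError on purpose: an action silently ignored here
    would downgrade an account to 'Login only'."""
    worst = {}
    for e in events:
        if not in_window(e, start, end):
            continue
        cat = ACTION_CATEGORY[e.action]
        if e.account not in worst or SEVERITY.index(cat) > SEVERITY.index(worst[e.account]):
            worst[e.account] = cat
    return worst


def category_counts(classified):
    """The table from the walkthrough: how many accounts fell into each category."""
    return Counter(classified.values())


def second_wave_setups(events, start, end):
    """Accounts whose email was changed: reset links and alerts now reach the attacker,
    so these need reverting and notification even when no money moved."""
    return sorted({e.account for e in events if in_window(e, start, end) and e.action == "change_email"})


def completed_transfer_total(events, start, end):
    return sum(e.amount for e in events if in_window(e, start, end) and e.action == "transfer_completed")


if __name__ == "__main__":
    classified = triage(SAMPLE_EVENTS, ATTACK_START, ATTACK_END)
    for cat in SEVERITY:
        print(f"{cat:20} {category_counts(classified)[cat]}")
    print("second-wave setups:", second_wave_setups(SAMPLE_EVENTS, ATTACK_START, ATTACK_END))
    print("completed transfers: $", completed_transfer_total(SAMPLE_EVENTS, ATTACK_START, ATTACK_END))
```

Note that A4 is counted under "Transfers initiated" in the table but still appears in the second-wave list; the exclusive categories are for sizing the problem, the email-change list is for remediation.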

Decision Point: How to Notify Members

Nadia's manager, Steve, called an emergency meeting with the legal team, the CISO, and the member services director.

The debate centered on notification scope. Legal wanted to notify only the 18 members who lost money. The CISO wanted to notify all 1,219. Nadia argued for all 1,219 and explained why.

"The 847 'login only' accounts aren't safe," she said. "The attacker validated those credentials. Even if they didn't act on them today, they know those username-password combinations work. They'll sell that list or come back later. Every one of those 847 members is at risk."

The team agreed to notify all 1,219 members, force password resets, and revert all setting changes made during the attack window.

Day 2-3: Investigation

Where Did the Credentials Come From?

Nadia pulled a sample of the compromised credentials and ran them against a breach database. The pattern was clear within minutes.

Over 90% of the compromised accounts used passwords that matched credentials exposed in a breach of a recipe-sharing website eight months earlier. The members had reused the same email and password combination across both sites.

The attacker hadn't breached Vantage Financial at all. They'd bought a credential dump from the recipe site breach, filtered it down to email addresses that were registered with Vantage (how they did that is covered under the automation toolkit below), and automated login attempts against Vantage's online banking portal. The marketplaces that resell these combo lists, the proxies that route the attack traffic, and the cash-out routes that drain compromised accounts all sit inside the criminal infrastructure that supports this kind of fraud.

This is the core mechanic of credential stuffing: breached credentials from Site A are tested against Site B, Site C, and every other site where users might have reused passwords. The full pattern, including the post-login playbook attackers run, is covered in ATO 101.

How Did 1,219 Succeed?

Out of 50,744 attempts, 1,219 succeeded, a hit rate of about 2.4%. Hit rates for credential stuffing are usually a fraction of a percent because most leaked credentials don't match an active account at the target site, so this rate stood out as unusually high. It told Nadia two things:

  1. The credential list was well-targeted. The attacker had filtered it specifically for Vantage customers, not just sprayed random credentials.
  2. Password reuse among Vantage members was widespread enough to matter.

Tracing the Money

The 18 completed transfers were sent to six receiving accounts at six different banks. Nadia worked with Vantage's BSA (Bank Secrecy Act) team to file SARs (Suspicious Activity Reports) on each transfer and contact the receiving banks.

Of the six receiving accounts:

  • Three were money mule accounts (opened recently with stolen identities, quickly drained)
  • Two were compromised accounts at other banks (the account holders were also fraud victims)
  • One was a legitimate account where the holder was an unwitting mule recruited through a "work from home" scheme

The money trail:

Vantage member accounts (18)
    ↓ ACH transfers ($94,200 total)
Receiving accounts (6 banks)
    ↓ Withdrawn as cash, Zelle, or crypto purchases
Dispersed (largely unrecoverable)

Of the $94,200 stolen, Vantage recovered $31,400 through receiving bank freezes. The remaining $62,800 was gone.

The Automation Toolkit

The security team analyzed the attack traffic and identified the attacker's tooling:

Residential proxy network. Login attempts came from thousands of residential IP addresses, making IP-based blocking ineffective. The attacker was routing traffic through compromised home routers and mobile devices. This is one of the building blocks described in the attack methods article: the network layer is where commodity fraud tooling lives.

Browser fingerprint rotation. Each login attempt used a slightly different combination of user agent, screen resolution, and browser plugins. This defeated basic bot detection that relies on identifying identical fingerprints.

Throttled timing. Instead of blasting thousands of requests per second from a single source, the attacker distributed requests across IPs with randomized delays. The attack was designed to look like many individual users, not a single automated campaign.

Credential enrichment. The attacker didn't just have email/password pairs. They had pre-mapped which email addresses were associated with Vantage accounts, possibly by testing the "forgot password" flow (which revealed whether an email was registered) before launching the full attack.
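The enrichment step depends on the forgot-password flow answering differently for registered and unregistered addresses. The added example below is not code from the article or from Vantage Financial; the user store, response messages and function names are constructed. It shows the leaking handler beside a hardened one that returns the same response either way, and the kind of enumeration routine an attacker runs against both.

```python
"""Account enumeration through a forgot-password flow: leaking handler vs. hardened handler.

Added example; not code from the article or from Vantage Financial. The user store,
response messages and function names are constructed for illustration.
"""
import secrets

# Constructed user store: email -> account id. Only these two addresses are registered.
USERS = {"alice@example.net": "m10001", "bob@example.org": "m10002"}
OUTBOX = []  # (email, token) pairs that would be emailed; lets us verify behaviour offline


def forgot_password_leaky(email):
    """Vulnerable: the response discloses whether the address is registered,
    which is exactly the oracle used to pre-filter a combo list."""
    if email not in USERS:
        return {"status": 404, "message": "No account found for that email address."}
    OUTBOX.append((email, secrets.token_urlsafe(32)))
    return {"status": 200, "message": "A reset link has been sent."}


def forgot_password_hardened(email):
    """Hardened: identical response for every input; the reset mail is only sent when the
    address is registered. The token is generated on both paths so the branches do
    comparable work, since a timing difference is another oracle."""
    token = secrets.token_urlsafe(32)
    if email in USERS:
        OUTBOX.append((email, token))
    return {"status": 200, "message": "If that address is registered, a reset link has been sent."}


def enumerate_registered(candidates, endpoint):
    """Attacker side: probe a certainly-unregistered canary address, then report every
    candidate whose response differs from the canary's."""
    canary = endpoint(f"{secrets.token_hex(8)}@invalid.example")
    return sorted(c for c in candidates if endpoint(c) != canary)


# Constructed combo-list emails: two registered, two not.
CANDIDATES = ["alice@example.net", "bob@example.org", "carol@example.com", "dave@example.edu"]

if __name__ == "__main__":
    print("leaky   :", enumerate_registered(CANDIDATES, forgot_password_leaky))
    print("hardened:", enumerate_registered(CANDIDATES, forgot_password_hardened))
```

A uniform message removes the oracle but not the ability to trigger resets at volume, so the endpoint still needs per-address and per-source rate limits, and the login and registration error messages must be made uniform too or the attacker simply moves to those.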

Day 4-7: Remediation

Immediate Actions

Nadia's team implemented several changes in the first week:

Forced password resets for all 1,219 compromised accounts. Members were required to create new passwords that didn't match any known breached password (checked against a breach database at the moment the new password was set).

Reverted all unauthorized changes. The 89 accounts with modified settings were restored to their pre-attack state. The new email addresses the attacker had set were flagged in the fraud database.

Froze the 18 accounts with completed transfers. These accounts required in-person verification at a branch before being restored.

Implemented step-up authentication. Any login from a new device now required a one-time code sent to the member's phone number on file (not their email, since the attacker might control the email). This only works if the phone number on file is the one the member set, which is why the setting reversions had to land before the step-up went live.
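The breached-password check in the first item above can be done without sending the password, or even its full hash, to the breach database: hash the candidate with SHA-1, send only the first five hex characters, and compare the returned suffixes locally. That is the k-anonymity range scheme the Have I Been Pwned Pwned Passwords API uses. As an added example that is not code from the article or from Vantage Financial, the block below simulates that range service in memory from a constructed breach corpus with made-up counts, so it runs offline.

```python
"""Breached-password check using a k-anonymity range lookup, simulated offline.

Added example; not code from the article or from Vantage Financial. The breach corpus,
its counts and the in-memory 'range service' are constructed for illustration; the hashing
scheme (SHA-1, uppercase hex, 5-character prefix) follows the Pwned Passwords range API.
"""
import hashlib
from collections import defaultdict

# Constructed breach corpus: password -> number of times seen. Counts are made up.
BREACH_CORPUS = {"password123": 126927, "Password1!": 1234, "recipe-lover-2015": 3, "qwerty": 3912816}


def _build_range_service(corpus):
    """Stand-in for the remote service: prefix -> ['SUFFIX:COUNT', ...], the shape the API returns."""
    ranges = defaultdict(list)
    for pw, count in corpus.items():
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        ranges[digest[:5]].append(f"{digest[5:]}:{count}")
    return dict(ranges)


RANGE_SERVICE = _build_range_service(BREACH_CORPUS)
QUERIES_SENT = []  # records what left the client, to show only a 5-char prefix ever does


def range_lookup(prefix):
    """Simulated network call. A real client would GET https://api.pwnedpasswords.com/range/<prefix>."""
    if len(prefix) != 5:
        raise ValueError("the client must never send more than the 5-character prefix")
    QUERIES_SENT.append(prefix)
    return RANGE_SERVICE.get(prefix, [])


def breach_count(password):
    """How many times the password appears in the corpus, or 0. Only the prefix leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        cand_suffix, count = line.split(":")
        if cand_suffix == suffix:
            return int(count)
    return 0


def password_acceptable(password, min_length=8):
    """Policy applied at password set or reset: reject anything seen in a breach, however complex."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    n = breach_count(password)
    if n:
        return False, f"appears {n} times in known breaches"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["Password1!", "recipe-lover-2015", "correct horse battery staple"]:
        print(f"{pw!r}: {password_acceptable(pw)}")
    print("prefixes sent:", QUERIES_SENT)
```

The corpus entry seen three times is the point of the check: a password that would pass any complexity rule is still rejected because it has appeared in a breach, and the member never learns that the site knows which breach.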

Systemic Improvements

Control                      Before attack                After attack
Login rate limiting          None                         5 attempts per account per hour; IP-level limits
Bot detection                Basic user-agent checking    Behavioral analysis (typing speed, mouse movement, JS execution)
Breached password checking   None                         All new passwords checked against breach databases
New device authentication    Optional MFA                 Required step-up for any unrecognized device
Account change alerts        Email only                   Email + SMS for any email, phone, or address change
Sensitive action delays      None                         24-hour hold on external transfers from accounts with recent setting changes

The 24-Hour Hold

The most impactful change was the 24-hour hold on external transfers from accounts with recent setting changes. This directly addressed the attacker's playbook: compromise account, change email, initiate transfer.

Under the new policy, if an account's email, phone number, or mailing address is changed, no external transfers are allowed for 24 hours. This gives the legitimate account holder time to notice the change (via SMS alert to the original phone number) and report it.
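The hold and the new-device step-up expressed as one authorization decision, as an added example that is not code from the article or from Vantage Financial. Account state, transfer fields and the decision labels are constructed; the 24-hour window and the rule that it covers email, phone and mailing-address changes follow the policy described above.

```python
"""Transfer authorization with a 24-hour hold after setting changes and new-device step-up.

Added example; not code from the article or from Vantage Financial. Account state,
transfer fields and decision labels are constructed; the 24-hour window and the fields
it covers follow the policy described in the walkthrough.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

HOLD_FIELDS = {"email", "phone", "mailing_address"}
HOLD_DURATION = timedelta(hours=24)


@dataclass
class AccountState:
    account: str
    known_devices: set = field(default_factory=set)
    setting_changes: list = field(default_factory=list)  # (timestamp, field_name), append-only

    def record_setting_change(self, when, field_name):
        """Stamp a change. Reverting a bad change later does not erase the stamp: the account
        stays on hold for the rest of the window (a design choice in this example)."""
        self.setting_changes.append((when, field_name))

    def hold_until(self):
        """End of the hold window, or None if no hold-triggering field has changed."""
        times = [ts for ts, f in self.setting_changes if f in HOLD_FIELDS]
        return max(times) + HOLD_DURATION if times else None


@dataclass(frozen=True)
class TransferRequest:
    amount: float
    external: bool              # destination is an account at another institution
    device_id: str
    otp_verified: bool = False  # one-time code to the phone number on file already passed


def authorize_transfer(state, req, now):
    """Return (decision, reason). Order matters: prove the session first, then apply the hold,
    so a freshly stepped-up session on a changed account is still held."""
    if req.device_id not in state.known_devices and not req.otp_verified:
        return "step_up", "unrecognized device: one-time code to phone on file required"
    until = state.hold_until()
    if req.external and until is not None and now < until:
        return "hold", f"external transfers blocked until {until.isoformat()} after a setting change"
    return "allow", "ok"


def demo():
    """Constructed scenario: email changed at t0, transfers attempted at +3h and +25h."""
    acct = AccountState("m10001", known_devices={"dev-laptop"})
    t0 = datetime.fromisoformat("2024-05-09T06:06:00+00:00")
    acct.record_setting_change(t0, "email")
    return [
        authorize_transfer(acct, TransferRequest(2500.0, True, "dev-laptop"), t0 + timedelta(hours=3))[0],
        authorize_transfer(acct, TransferRequest(2500.0, False, "dev-laptop"), t0 + timedelta(hours=3))[0],
        authorize_transfer(acct, TransferRequest(2500.0, True, "dev-laptop"), t0 + timedelta(hours=25))[0],
        authorize_transfer(acct, TransferRequest(2500.0, True, "dev-unknown"), t0 + timedelta(hours=25))[0],
        authorize_transfer(acct, TransferRequest(2500.0, True, "dev-unknown", otp_verified=True), t0 + timedelta(hours=25))[0],
    ]


def edge_cases():
    """Hold applies even when step-up passed; fields outside HOLD_FIELDS start no hold."""
    t0 = datetime.fromisoformat("2024-05-09T06:06:00+00:00")
    a = AccountState("m10002")
    a.record_setting_change(t0, "mailing_address")
    held = authorize_transfer(a, TransferRequest(100.0, True, "dev-new", otp_verified=True), t0 + timedelta(hours=1))[0]
    b = AccountState("m10003")
    b.record_setting_change(t0, "nickname")
    return held, b.hold_until() is None


if __name__ == "__main__":
    print(demo())
    print(edge_cases())
```

Keeping the hold keyed to the change timestamp rather than to the current settings is deliberate: an attacker who changes the email, initiates a transfer and then changes the email back should not clear the hold by doing so.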

Where the Investigation Could Have Gone Wrong

The investigation framework Nadia used here (gather, assess, decide, document) is the same one followed in the first-investigation walkthrough, just applied to a higher-volume incident.

Mistake 1: Focusing Only on Financial Loss

If Nadia had only investigated the 18 accounts that lost money, 89 accounts with changed settings would have been time bombs. The attacker had already prepared them for a second-wave attack. The 847 "login only" accounts would have remained compromised, their validated credentials available for resale or future exploitation.

Mistake 2: Blaming the Members

It would have been easy to say "members shouldn't reuse passwords" and leave it there. Technically true. Practically useless. People reuse passwords. The credit union's job is to build controls that work despite human behavior, not controls that only work if humans are perfect.

Mistake 3: Treating It as a One-Time Event

Credential stuffing isn't a single attack. It's a continuous threat. The recipe site breach that supplied the credentials had happened eight months earlier. The credentials had been circulating on criminal markets ever since. Even after this attack was contained, the same credentials could be used against Vantage by a different attacker using a different proxy network.

Mistake 4: Over-Relying on IP Blocking

The initial response (blocking the attacker's IPs) worked temporarily but was easily circumvented. Residential proxy networks provide access to millions of IPs. Blocking one set just forces the attacker to rotate to another. Effective defense requires controls that work at the account level (login behavior, device recognition, step-up authentication), not just the network level.

Six Months Later

Nadia ran the numbers in a quarterly review. Since implementing the new controls:

  • Credential stuffing attempts had continued (they always do) but successful account compromises dropped by over 90%
  • The breached password check at password creation and reset had caught thousands of members trying to set passwords that were already in breach databases
  • The 24-hour hold had prevented seven additional transfer attempts from freshly compromised accounts
  • Zero member funds had been lost to credential stuffing since the remediation

The most telling metric: member complaints about the new step-up authentication had dropped to near zero after the first month. Members adapted to the minor friction quickly. The ones who'd been notified about the breach were the least likely to complain. They'd seen what happened when security was too loose.

Key Takeaways

  • Credential stuffing exploits password reuse, not your systems. The attacker never breached Vantage. They used credentials stolen from an unrelated site. Your security depends on the weakest site your customers also use.
  • Investigate beyond the immediate financial loss. Accounts that were accessed but not drained are still compromised. Setting changes are preparation for future attacks. "Login only" accounts have validated credentials that will be sold.
  • Build controls that assume human behavior won't change. Password reuse will continue. Breached password checking, step-up authentication, and behavioral analysis protect members despite their habits.
  • Speed of detection determines the blast radius. Nadia caught the attack 14 minutes after it started. If it had run for hours undetected, thousands more accounts would have been compromised and the financial losses would have been far greater.
  • Layer your defenses. No single control stops credential stuffing. Rate limiting, bot detection, breached password checking, device recognition, and transfer holds work together to make the attack progressively harder.

What's next: Review ATO Fundamentals for the rest of the ATO attack catalog and detection signals.

Key Terms

Term                          Definition
Credential stuffing           An automated attack that tests stolen username/password pairs from one breach against other websites, exploiting password reuse
Password reuse                Using the same password across multiple sites, which allows a breach at one site to compromise accounts at every other site sharing those credentials
Residential proxy             A network of compromised home routers and devices that routes attacker traffic through real residential IP addresses, making it harder to distinguish from legitimate users
Rate limiting                 Restricting the number of login attempts allowed per account or IP address within a time window to slow automated attacks
Step-up authentication        Requiring additional verification (such as a one-time code) when a login comes from an unrecognized device or location
Breached password checking    Comparing new or existing passwords against databases of known compromised credentials to prevent reuse of stolen passwords
Money mule                    A person who receives stolen funds into their account and forwards them elsewhere, often recruited through fake job offers