---
title: "Credential Stuffing — AP Cybersecurity Definition & Guide"
description: "Credential stuffing is an online password attack that reuses stolen username-password pairs across sites. Learn the warning signs and how it shows up on the AP Cybersecurity exam."
canonical: "https://fiveable.me/ap-cybersecurity/key-terms/credential-stuffing"
type: "key-term"
subject: "AP Cybersecurity"
unit: "Unit 1"
---

# Credential Stuffing — AP Cybersecurity Definition & Guide

## Definition

Credential stuffing is an online password attack where an adversary takes username-password pairs stolen from one breach and uses automated tools to try them on other sites, betting that people reuse the same login everywhere.

## What It Is

Credential stuffing is a type of **[online password attack](/ap-cybersecurity/key-terms/online-password-attack "fv-autolink")**. Instead of guessing passwords from scratch, the attacker starts with real login pairs (usernames and passwords) that leaked from some earlier data breach. Then automated [software](/ap-cybersecurity/unit-4/protecting-devices/study-guide/n86HF5aR65a2DLQwNHDn "fv-autolink") fires those same pairs at a bunch of other websites and services.

Why does it work? Because people reuse passwords. If your email password leaked from one site, an attacker just plugs that same combo into your bank, your gaming account, your school portal, and so on. The attack lines up with [[AP Cybersecurity](/ap-cybersecurity "fv-autolink") 1.2.A], which covers using "stolen passwords" to log in, and you spot it through the same red flags as any online attack: lots of failed login attempts, logins at weird hours, and logins from unfamiliar devices (EK 1.2.A.2).

## Why It Matters

This term lives in **[Unit 1](/ap-cybersecurity/unit-1 "fv-autolink"): Introduction to Security**, specifically topic 1.2 Suspicious Website Logins. It supports [AP Cybersecurity 1.2.A] (identify signs of a password attack), [AP Cybersecurity 1.2.B] (how adversaries exploit [weak authentication](/ap-cybersecurity/key-terms/weak-authentication "fv-autolink")), and [AP Cybersecurity 1.2.C] (how to make authentication stronger). Credential stuffing is the cleanest example of why "unique" matters in the long, random, unique password rule. The defense against it, MFA, comes straight out of EK 1.2.C.3.

## Connections

### [Online password attack (Unit 1)](/ap-cybersecurity/key-terms/online-password-attack)

Credential stuffing IS a kind of online password attack. The attacker hits a live login page and the system can see the failed attempts, which is exactly the signal EK 1.2.A.2 tells you to watch for.

### [Dictionary attack (Unit 1)](/ap-cybersecurity/key-terms/dictionary-attack)

Both are automated guessing, but a [dictionary attack](/ap-cybersecurity/key-terms/dictionary-attack "fv-autolink") builds a list from personal info or common words (EK 1.2.B.2). Credential stuffing skips the guessing and reuses passwords that are already confirmed real from a breach.

### Multifactor authentication (MFA) (Unit 1)

MFA is the direct counter (EK 1.2.C.3). Even if an attacker has your correct stolen password, they still need a second factor like a [one-time code](/ap-cybersecurity/key-terms/one-time-password "fv-autolink"), so a leaked password alone gets them nowhere.

### [Authentication log (Unit 1)](/ap-cybersecurity/key-terms/authentication-log)

Stuffing leaves a trail. The log shows many failed logins in a short window and attempts from unknown devices, which is how a defender catches the attack in progress.

## On the AP Exam

Expect this on multiple-choice questions about identifying password attacks. A stem might describe an account accessed from "a smartphone they have never owned" and ask which warning sign that is, or describe an attacker reusing stolen credentials across services. Your job is to match the scenario to the right attack type and name the correct defense (MFA, plus long, random, unique passwords). No released FRQ has used this term verbatim, but the underlying skill, spotting suspicious login signs and recommending stronger authentication, is squarely in scope for Unit 1.

## credential stuffing vs dictionary attack

A dictionary attack guesses passwords by trying a list of likely candidates (common words, a target's pet name, birthdate). Credential stuffing doesn't guess at all. It reuses real username-password pairs that already leaked from another breach, betting the victim recycled the same login.

## Key Takeaways

- Credential stuffing is an online password attack that reuses stolen username-password pairs across many sites, exploiting the fact that people repeat passwords.
- It only works because of password reuse, which is why the 'unique' part of long, random, unique passwords (EK 1.2.C.1) is the core defense.
- The warning signs are the same as any online attack: many failed logins fast, logins at unusual times, and logins from unknown devices (EK 1.2.A.2).
- MFA stops credential stuffing cold because a correct stolen password still fails without the second factor (EK 1.2.C.3).
- Unlike a dictionary attack, credential stuffing doesn't guess passwords, it reuses ones already confirmed real from a breach.

## FAQs

### What is credential stuffing in AP Cybersecurity?

It's an online password attack where an [adversary](/ap-cybersecurity/key-terms/adversary "fv-autolink") takes username-password pairs stolen from one breach and uses automated tools to try them on other websites, counting on people to reuse the same login. It fits under topic 1.2 and learning objective [AP Cybersecurity 1.2.A].

### Is credential stuffing the same as a dictionary attack?

No. A dictionary attack guesses passwords from a list of likely words or personal details (EK 1.2.B.2). Credential stuffing doesn't guess, it reuses real passwords already stolen in a breach, so the only thing being tested is whether you reused that login somewhere else.

### Does MFA actually stop credential stuffing?

Yes. Even with your correct stolen password, the attacker still needs a second factor like a one-time code (EK 1.2.C.3), so a leaked password by itself isn't enough to get in.

### How do you detect credential stuffing?

Watch for the online-attack signs in EK 1.2.A.2: lots of failed login attempts in a short window, logins at unusual times, and logins from unknown devices. An authentication log is where you'd see this pattern.

### Why is credential stuffing on the AP exam?

It's the clearest real-world reason the CED stresses unique passwords and MFA. A question may describe a stolen-credential scenario and ask you to name the attack or pick the strongest defense, drawing on objectives [AP Cybersecurity 1.2.A] through [AP Cybersecurity 1.2.C].

## Related Study Guides

- [1.2 Suspicious Website Logins](/ap-cybersecurity/unit-1/suspicious-website-logins/study-guide/zppDvyHLHIUFzT3MNwAN)

## Structured Data

```json
{"@context":"https://schema.org","@graph":[{"@type":"LearningResource","@id":"https://fiveable.me/ap-cybersecurity/key-terms/credential-stuffing#resource","name":"Credential Stuffing — AP Cybersecurity Definition & Guide","url":"https://fiveable.me/ap-cybersecurity/key-terms/credential-stuffing","learningResourceType":"Concept explainer","educationalLevel":"AP® / High School","about":{"@id":"https://fiveable.me/ap-cybersecurity/key-terms/credential-stuffing#term"},"audience":{"@type":"EducationalAudience","educationalRole":"student"},"dateModified":"2026-06-15T18:59:30.364Z","isPartOf":{"@type":"Collection","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"publisher":{"@type":"Organization","name":"Fiveable","url":"https://fiveable.me"}},{"@type":"DefinedTerm","@id":"https://fiveable.me/ap-cybersecurity/key-terms/credential-stuffing#term","name":"credential stuffing","description":"Credential stuffing is an online password attack where an adversary takes username-password pairs stolen from one breach and uses automated tools to try them on other sites, betting that people reuse the same login everywhere.","url":"https://fiveable.me/ap-cybersecurity/key-terms/credential-stuffing","inDefinedTermSet":{"@type":"DefinedTermSet","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"educationalAlignment":[{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 1, Topic 1.2, LO 1.2.A"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 1, Topic 1.2, LO 1.2.B"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 1, Topic 1.2, LO 1.2.C"}]},{"@type":"FAQPage","mainEntity":[{"@type":"Question","name":"What is credential stuffing in AP Cybersecurity?","acceptedAnswer":{"@type":"Answer","text":"It's an online password attack where an [adversary](/ap-cybersecurity/key-terms/adversary \"fv-autolink\") takes username-password pairs stolen from one breach and uses automated tools to try them on other websites, counting on people to reuse the same login. It fits under topic 1.2 and learning objective [AP Cybersecurity 1.2.A]."}},{"@type":"Question","name":"Is credential stuffing the same as a dictionary attack?","acceptedAnswer":{"@type":"Answer","text":"No. A dictionary attack guesses passwords from a list of likely words or personal details (EK 1.2.B.2). Credential stuffing doesn't guess, it reuses real passwords already stolen in a breach, so the only thing being tested is whether you reused that login somewhere else."}},{"@type":"Question","name":"Does MFA actually stop credential stuffing?","acceptedAnswer":{"@type":"Answer","text":"Yes. Even with your correct stolen password, the attacker still needs a second factor like a one-time code (EK 1.2.C.3), so a leaked password by itself isn't enough to get in."}},{"@type":"Question","name":"How do you detect credential stuffing?","acceptedAnswer":{"@type":"Answer","text":"Watch for the online-attack signs in EK 1.2.A.2: lots of failed login attempts in a short window, logins at unusual times, and logins from unknown devices. An authentication log is where you'd see this pattern."}},{"@type":"Question","name":"Why is credential stuffing on the AP exam?","acceptedAnswer":{"@type":"Answer","text":"It's the clearest real-world reason the CED stresses unique passwords and MFA. A question may describe a stolen-credential scenario and ask you to name the attack or pick the strongest defense, drawing on objectives [AP Cybersecurity 1.2.A] through [AP Cybersecurity 1.2.C]."}}]},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"AP Cybersecurity","item":"https://fiveable.me/ap-cybersecurity"},{"@type":"ListItem","position":2,"name":"Key Terms","item":"https://fiveable.me/ap-cybersecurity/key-terms"},{"@type":"ListItem","position":3,"name":"Unit 1","item":"https://fiveable.me/ap-cybersecurity/unit-1"},{"@type":"ListItem","position":4,"name":"credential stuffing"}]}]}
```
