{"id":3616,"date":"2026-04-05T17:24:57","date_gmt":"2026-04-05T17:24:57","guid":{"rendered":"https:\/\/www.captcha.eu\/?p=3616"},"modified":"2026-04-05T17:31:18","modified_gmt":"2026-04-05T17:31:18","slug":"come-prevenire-gli-attacchi-di-credential-stuffing","status":"publish","type":"post","link":"https:\/\/www.captcha.eu\/it\/come-prevenire-gli-attacchi-di-credential-stuffing\/","title":{"rendered":"Come prevenire gli attacchi di credential stuffing sul vostro sito web"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large is-resized\"><img data-dominant-color=\"d3e0f0\" data-has-transparency=\"false\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" src=\"https:\/\/www.captcha.eu\/wp-content\/uploads\/2026\/04\/Captcha.eu-1-1-1024x576.png\" alt=\"\" class=\"wp-image-3617 not-transparent\" style=\"--dominant-color: #d3e0f0; width:1200px;height:auto\" srcset=\"https:\/\/www.captcha.eu\/wp-content\/uploads\/2026\/04\/Captcha.eu-1-1-1024x576.png 1024w, https:\/\/www.captcha.eu\/wp-content\/uploads\/2026\/04\/Captcha.eu-1-1-300x169.png 300w, https:\/\/www.captcha.eu\/wp-content\/uploads\/2026\/04\/Captcha.eu-1-1-768x432.png 768w, https:\/\/www.captcha.eu\/wp-content\/uploads\/2026\/04\/Captcha.eu-1-1-1536x864.png 1536w, https:\/\/www.captcha.eu\/wp-content\/uploads\/2026\/04\/Captcha.eu-1-1-18x10.png 18w, https:\/\/www.captcha.eu\/wp-content\/uploads\/2026\/04\/Captcha.eu-1-1.png 1920w\" \/><figcaption class=\"wp-element-caption\">captcha.eu<\/figcaption><\/figure>\n\n\n\n<p>Credential stuffing attacks use real passwords stolen from prior breaches, not guesswork. That makes them faster, harder to detect, and more damaging than brute force. 
This guide covers the six defences that stop them, what to do if an attack is already running, and which endpoints to protect first.<\/p>\n\n\n\n<div class=\"wp-block-buttons is-layout-flex wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button is-style-fill\"><a class=\"wp-block-button__link has-input-field-color has-primary-background-color has-text-color has-background has-link-color has-border-color has-border-border-color wp-element-button\" href=\"https:\/\/www.captcha.eu\/login\" style=\"border-width:1px\">Try CAPTCHA.eu free &#8211; no credit card<\/a><\/div>\n\n\n\n<div class=\"wp-block-button is-style-fill\"><a class=\"wp-block-button__link has-sky-blue-color has-background-background-color has-text-color has-background has-link-color has-border-color has-border-border-color wp-element-button\" href=\"https:\/\/docs.captcha.eu\/\" style=\"border-width:1px\">View all integrations<\/a><\/div>\n<\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading has-text-color has-link-color has-medium-font-size wp-elements-7689e4fadbe20407810c2578730084d5\" id=\"h-at-a-glance\" 
style=\"color:#2b7ca4\">At a Glance<\/h2>\n\n\n\n<div class=\"wp-block-premium-container premium-container-b4b182c30ff3  alignfull premium-is-root-container\"><div class=\"premium-container-inner-blocks-wrap\">\n<div class=\"wp-block-essential-blocks-infobox  root-eb-infobox-6648h\"><div class=\"eb-parent-wrapper eb-parent-eb-infobox-6648h \"><div class=\"eb-infobox-6648h eb-infobox-wrapper\"><div class=\"infobox-wrapper-inner\"><div class=\"contents-wrapper\"><h3 class=\"title\"><strong><strong>What makes it different<\/strong><\/strong><\/h3><p class=\"description\">Attackers use real, working passwords from prior breaches, not random guesses. Login attempts look legitimate on the surface<\/p><\/div><\/div><\/div><\/div><\/div>\n\n\n\n<div class=\"wp-block-essential-blocks-infobox  root-eb-infobox-vk5ml\"><div class=\"eb-parent-wrapper eb-parent-eb-infobox-vk5ml \"><div class=\"eb-infobox-vk5ml eb-infobox-wrapper\"><div class=\"infobox-wrapper-inner\"><div class=\"contents-wrapper\"><h3 class=\"title\"><strong><strong>Why it succeeds<\/strong><\/strong><\/h3><p class=\"description\">Around 85% of users reuse passwords across multiple services. Even a 0.1% success rate on one billion credentials yields one million compromised accounts<\/p><\/div><\/div><\/div><\/div><\/div>\n\n\n\n<div class=\"wp-block-essential-blocks-infobox  root-eb-infobox-u178n\"><div class=\"eb-parent-wrapper eb-parent-eb-infobox-u178n \"><div class=\"eb-infobox-u178n eb-infobox-wrapper\"><div class=\"infobox-wrapper-inner\"><div class=\"contents-wrapper\"><h3 class=\"title\"><strong><strong><strong>Strongest single defence<\/strong><\/strong><\/strong><\/h3><p class=\"description\">MFA. It stops account takeover even when the attacker has the correct password. 
Microsoft data shows it blocks over 99% of automated account compromise attacks<\/p><\/div><\/div><\/div><\/div><\/div>\n\n\n\n<div class=\"wp-block-essential-blocks-infobox  root-eb-infobox-gu5or\"><div class=\"eb-parent-wrapper eb-parent-eb-infobox-gu5or \"><div class=\"eb-infobox-gu5or eb-infobox-wrapper\"><div class=\"infobox-wrapper-inner\"><div class=\"contents-wrapper\"><h3 class=\"title\"><strong><strong>Why CAPTCHA fits here<\/strong><\/strong><\/h3><p class=\"description\">Proof-of-work CAPTCHA stops bots before they reach your login logic and raises the cost of every attempt regardless of whether the credentials are valid<\/p><\/div><\/div><\/div><\/div><\/div>\n<\/div><\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n<div class=\"root-eb-toc-mvnk2 wp-block-essential-blocks-table-of-contents\"><div class=\"eb-parent-wrapper eb-parent-eb-toc-mvnk2 \"><div class=\"eb-toc-container eb-toc-mvnk2  eb-toc-is-not-sticky eb-toc-collapsible eb-toc-initially-not-collapsed eb-toc-scrollToTop style-1 list-style-none\" data-scroll-top=\"false\" data-scroll-top-icon=\"fas fa-angle-up\" data-collapsible=\"true\" data-sticky-hide-mobile=\"false\" data-sticky=\"false\" data-scroll-target=\"scroll_to_toc\" data-copy-link=\"false\" data-editor-type=\"\" data-hide-desktop=\"false\" data-hide-tab=\"false\" data-hide-mobile=\"false\" data-itemCollapsed=\"false\" data-highlight-scroll=\"false\"><div class=\"eb-toc-header\"><h2 class=\"eb-toc-title\">What this guide covers<\/h2><\/div><div class=\"eb-toc-wrapper \" data-headers=\"[{&quot;level&quot;:2,&quot;content&quot;:&quot;At a Glance&quot;,&quot;text&quot;:&quot;At a Glance&quot;,&quot;link&quot;:&quot;at-a-glance&quot;},{&quot;level&quot;:2,&quot;content&quot;:&quot;How credential stuffing works&quot;,&quot;text&quot;:&quot;How credential stuffing works&quot;,&quot;link&quot;:&quot;how-credential-stuffing-works&quot;},{&quot;level&quot;:2,&quot;content&quot;:&quot;Credential stuffing vs. 
brute force: what is the difference?&quot;,&quot;text&quot;:&quot;Credential stuffing vs. brute force: what is the difference?&quot;,&quot;link&quot;:&quot;credential-stuffing-vs-brute-force-what-is-the-difference&quot;},{&quot;level&quot;:2,&quot;content&quot;:&quot;Why credential stuffing is so hard to detect&quot;,&quot;text&quot;:&quot;Why credential stuffing is so hard to detect&quot;,&quot;link&quot;:&quot;why-credential-stuffing-is-so-hard-to-detect&quot;},{&quot;level&quot;:2,&quot;content&quot;:&quot;A real-world example: 23andMe&quot;,&quot;text&quot;:&quot;A real-world example: 23andMe&quot;,&quot;link&quot;:&quot;a-real-world-example-23andme&quot;},{&quot;level&quot;:2,&quot;content&quot;:&quot;Six defences that work&quot;,&quot;text&quot;:&quot;Six defences that work&quot;,&quot;link&quot;:&quot;six-defences-that-work&quot;},{&quot;level&quot;:2,&quot;content&quot;:&quot;If an attack is already running: immediate steps&quot;,&quot;text&quot;:&quot;If an attack is already running: immediate steps&quot;,&quot;link&quot;:&quot;if-an-attack-is-already-running-immediate-steps&quot;},{&quot;level&quot;:2,&quot;content&quot;:&quot;The EU dimension: why credential stuffing is a GDPR issue&quot;,&quot;text&quot;:&quot;The EU dimension: why credential stuffing is a GDPR issue&quot;,&quot;link&quot;:&quot;the-eu-dimension-why-credential-stuffing-is-a-gdpr-issue&quot;},{&quot;level&quot;:2,&quot;content&quot;:&quot;Frequently Asked Questions&quot;,&quot;text&quot;:&quot;Frequently Asked Questions&quot;,&quot;link&quot;:&quot;frequently-asked-questions&quot;},{&quot;level&quot;:2,&quot;content&quot;:&quot;Related reading&quot;,&quot;text&quot;:&quot;Related reading&quot;,&quot;link&quot;:&quot;related-reading&quot;}]\" data-visible=\"[true,true,false,false,false,false]\" data-delete-headers=\"[{&quot;label&quot;:&quot;At a Glance&quot;,&quot;value&quot;:&quot;at-a-glance&quot;,&quot;isDelete&quot;:true},{&quot;label&quot;:&quot;How credential stuffing 
works&quot;,&quot;value&quot;:&quot;how-credential-stuffing-works&quot;,&quot;isDelete&quot;:false},{&quot;label&quot;:&quot;Credential stuffing vs. brute force: what is the difference?&quot;,&quot;value&quot;:&quot;credential-stuffing-vs-brute-force-what-is-the-difference&quot;,&quot;isDelete&quot;:false},{&quot;label&quot;:&quot;Why credential stuffing is so hard to detect&quot;,&quot;value&quot;:&quot;why-credential-stuffing-is-so-hard-to-detect&quot;,&quot;isDelete&quot;:false},{&quot;label&quot;:&quot;A real-world example: 23andMe&quot;,&quot;value&quot;:&quot;a-real-world-example-23andme&quot;,&quot;isDelete&quot;:false},{&quot;label&quot;:&quot;Six defences that work&quot;,&quot;value&quot;:&quot;six-defences-that-work&quot;,&quot;isDelete&quot;:false},{&quot;label&quot;:&quot;If an attack is already running: immediate steps&quot;,&quot;value&quot;:&quot;if-an-attack-is-already-running-immediate-steps&quot;,&quot;isDelete&quot;:false},{&quot;label&quot;:&quot;The EU dimension: why credential stuffing is a GDPR issue&quot;,&quot;value&quot;:&quot;the-eu-dimension-why-credential-stuffing-is-a-gdpr-issue&quot;,&quot;isDelete&quot;:false},{&quot;label&quot;:&quot;Frequently Asked Questions&quot;,&quot;value&quot;:&quot;frequently-asked-questions&quot;,&quot;isDelete&quot;:false},{&quot;label&quot;:&quot;Related reading&quot;,&quot;value&quot;:&quot;related-reading&quot;,&quot;isDelete&quot;:true}]\" data-smooth=\"true\" data-top-offset=\"\"><div class=\"eb-toc__list-wrap\"><ul class='eb-toc__list'><li><a href=\"#how-credential-stuffing-works\">How credential stuffing works<\/a><li><a href=\"#credential-stuffing-vs-brute-force-what-is-the-difference\">Credential stuffing vs. 
brute force: what is the difference?<\/a><li><a href=\"#why-credential-stuffing-is-so-hard-to-detect\">Why credential stuffing is so hard to detect<\/a><li><a href=\"#a-real-world-example-23andme\">A real-world example: 23andMe<\/a><li><a href=\"#six-defences-that-work\">Six defences that work<\/a><li><a href=\"#if-an-attack-is-already-running-immediate-steps\">If an attack is already running: immediate steps<\/a><li><a href=\"#the-eu-dimension-why-credential-stuffing-is-a-gdpr-issue\">The EU dimension: why credential stuffing is a GDPR issue<\/a><li><a href=\"#frequently-asked-questions\">Frequently Asked Questions<\/a><\/ul><\/div><\/div><\/div><\/div><\/div>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading has-text-color has-link-color has-large-font-size wp-elements-4eacd90a53fbd80f76a8cecb9ef2a5aa\" id=\"h-how-credential-stuffing-works\" style=\"color:#2b7ca4\">How credential stuffing works<\/h2>\n\n\n\n<p>Every major data breach produces a side effect: a list of working usernames and passwords ends up on the dark web. Attackers buy these lists cheaply, sometimes for just a few dollars per million records, and then test them automatically against other services. The logic is simple: if someone used the same email and password for a breached retail site and their banking account, the attacker now has access to both.<\/p>\n\n\n\n<p>A typical credential stuffing campaign runs like this:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Acquire credentials.&nbsp;Attackers buy or download breach databases from dark web marketplaces. 
Lists containing billions of username-password pairs are widely available and cheap.<\/li>\n\n\n\n<li>Prepare the list.&nbsp;Tools enrich the raw data, deduplicate it, and format it for automated testing across multiple target sites.<\/li>\n\n\n\n<li>Launch distributed login attempts.&nbsp;Bots submit login requests across thousands of IP addresses simultaneously, using real browser signatures to blend in with normal traffic. Each IP sends only a handful of requests, staying under rate limiting thresholds.<\/li>\n\n\n\n<li>Collect successes silently.&nbsp;When a login succeeds, the bot records it. The attacker then either sells the working credentials, takes over the account, drains stored value, or uses it as a foothold for further attacks.<\/li>\n<\/ol>\n\n\n\n<p>The key detail is that the attacker never needs to guess. They are replaying passwords that already worked somewhere else. That changes everything about how the attack looks and how you detect it.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading has-text-color has-link-color has-large-font-size wp-elements-e27f6db1b0bd40238da0ded0e2042ba3\" id=\"h-credential-stuffing-vs-brute-force-what-is-the-difference\" style=\"color:#2b7ca4\">Credential stuffing vs. brute force: what is the difference?<\/h2>\n\n\n\n<p>Both attacks target login forms, and both use automation. Beyond that, they are very different problems that require different defences.<\/p>\n\n\n\n<div class=\"wp-block-essential-blocks-infobox  root-eb-infobox-1ofse\"><div class=\"eb-parent-wrapper eb-parent-eb-infobox-1ofse \"><div class=\"eb-infobox-1ofse eb-infobox-wrapper\"><div class=\"infobox-wrapper-inner\"><div class=\"contents-wrapper\"><h3 class=\"title\">The simplest way to understand the difference<\/h3><p class=\"description\">Think of brute force as a locksmith trying every possible key combination on your lock. 
It takes time, it makes noise, and it is obvious when it is happening. Credential stuffing is someone who found your key in a lost and found box and is quietly trying it on your door. The key looks real because it is. The only question is whether you changed the lock after the original breach.<\/p><\/div><\/div><\/div><\/div><\/div>\n\n\n\n<figure class=\"wp-block-riovizual-tablebuilder is-style-regular rv_tb-ffa59462-7a03-445d-a465-451c1bda32d7 is-scroll-on-mobile\" rv-tb-responsive-breakpoint=\"768px\"><table class=\"\"><thead><tr><th class=\"rv_tb-cell rv_tb-row-0-cell-0 rv_tb-rs-row-0-cell-0 rv_tb-cs-row-0-cell-0\"><div class=\"rv_tb-element\"><div class=\"rv_tb-text-wrap rv_justify cell-element-0\"><div class=\"rv_tb-text\">ASPECT<\/div><\/div><\/div><\/th><th class=\"rv_tb-cell rv_tb-row-0-cell-1 rv_tb-rs-row-0-cell-1 rv_tb-cs-row-0-cell-1\"><div class=\"rv_tb-element\"><div class=\"rv_tb-text-wrap rv_justify cell-element-0\"><div class=\"rv_tb-text\">CREDENTIAL STUFFING<\/div><\/div><\/div><\/th><th class=\"rv_tb-cell rv_tb-row-0-cell-2 rv_tb-rs-row-0-cell-2 rv_tb-cs-row-0-cell-2\"><div class=\"rv_tb-element\"><div class=\"rv_tb-text-wrap rv_justify cell-element-0\"><div class=\"rv_tb-text\">BRUTE FORCE<\/div><\/div><\/div><\/th><\/tr><\/thead><tbody><tr><td class=\"rv_tb-cell rv_tb-row-1-cell-0 rv_tb-rs-row-1-cell-0 rv_tb-cs-row-1-cell-0\"><div class=\"rv_tb-element\"><div class=\"rv_tb-text-wrap rv_justify cell-element-0\"><div class=\"rv_tb-text\"><strong>Password source<\/strong><\/div><\/div><\/div><\/td><td class=\"rv_tb-cell rv_tb-row-1-cell-1 rv_tb-rs-row-1-cell-1 rv_tb-cs-row-1-cell-1\"><div class=\"rv_tb-element\"><div class=\"rv_tb-text-wrap rv_justify cell-element-0\"><div class=\"rv_tb-text\">Real passwords stolen from prior breaches<\/div><\/div><\/div><\/td><td class=\"rv_tb-cell rv_tb-row-1-cell-2 rv_tb-rs-row-1-cell-2 rv_tb-cs-row-1-cell-2\"><div class=\"rv_tb-element\"><div class=\"rv_tb-text-wrap rv_justify cell-element-0\"><div 
class=\"rv_tb-text\">Generated guesses: random combinations, dictionaries<\/div><\/div><\/div><\/td><\/tr><tr><td class=\"rv_tb-cell rv_tb-row-2-cell-0 rv_tb-rs-row-2-cell-0 rv_tb-cs-row-2-cell-0\"><div class=\"rv_tb-element\"><div class=\"rv_tb-text-wrap rv_justify cell-element-0\"><div class=\"rv_tb-text\"><strong>Success rate<\/strong><\/div><\/div><\/div><\/td><td class=\"rv_tb-cell rv_tb-row-2-cell-1 rv_tb-rs-row-2-cell-1 rv_tb-cs-row-2-cell-1\"><div class=\"rv_tb-element\"><div class=\"rv_tb-text-wrap rv_justify cell-element-0\"><div class=\"rv_tb-text\">Low per attempt (~0.1%), but huge at scale<\/div><\/div><\/div><\/td><td class=\"rv_tb-cell rv_tb-row-2-cell-2 rv_tb-rs-row-2-cell-2 rv_tb-cs-row-2-cell-2\"><div class=\"rv_tb-element\"><div class=\"rv_tb-text-wrap rv_justify cell-element-0\"><div class=\"rv_tb-text\">Very low; depends heavily on password strength<\/div><\/div><\/div><\/td><\/tr><tr><td class=\"rv_tb-cell rv_tb-row-3-cell-0 rv_tb-rs-row-3-cell-0 rv_tb-cs-row-3-cell-0\"><div class=\"rv_tb-element\"><div class=\"rv_tb-text-wrap rv_justify cell-element-0\"><div class=\"rv_tb-text\"><strong>Speed<\/strong><\/div><\/div><\/div><\/td><td class=\"rv_tb-cell rv_tb-row-3-cell-1 rv_tb-rs-row-3-cell-1 rv_tb-cs-row-3-cell-1\"><div class=\"rv_tb-element\"><div class=\"rv_tb-text-wrap rv_justify cell-element-0\"><div class=\"rv_tb-text\">Very fast; distributed across thousands of IPs<\/div><\/div><\/div><\/td><td class=\"rv_tb-cell rv_tb-row-3-cell-2 rv_tb-rs-row-3-cell-2 rv_tb-cs-row-3-cell-2\"><div class=\"rv_tb-element\"><div class=\"rv_tb-text-wrap rv_justify cell-element-0\"><div class=\"rv_tb-text\">Slower; triggers lockouts and rate limits quickly<\/div><\/div><\/div><\/td><\/tr><tr><td class=\"rv_tb-cell rv_tb-row-4-cell-0 rv_tb-rs-row-4-cell-0 rv_tb-cs-row-4-cell-0\"><div class=\"rv_tb-element\"><div class=\"rv_tb-text-wrap rv_justify cell-element-0\"><div class=\"rv_tb-text\"><strong>Detection difficulty<\/strong><\/div><\/div><\/div><\/td><td 
class=\"rv_tb-cell rv_tb-row-4-cell-1 rv_tb-rs-row-4-cell-1 rv_tb-cs-row-4-cell-1\"><div class=\"rv_tb-element\"><div class=\"rv_tb-text-wrap rv_justify cell-element-0\"><div class=\"rv_tb-text\">Hard: requests look like normal user logins<\/div><\/div><\/div><\/td><td class=\"rv_tb-cell rv_tb-row-4-cell-2 rv_tb-rs-row-4-cell-2 rv_tb-cs-row-4-cell-2\"><div class=\"rv_tb-element\"><div class=\"rv_tb-text-wrap rv_justify cell-element-0\"><div class=\"rv_tb-text\">Easier: many failed attempts on one account stand out<\/div><\/div><\/div><\/td><\/tr><tr><td class=\"rv_tb-cell rv_tb-row-5-cell-0 rv_tb-rs-row-5-cell-0 rv_tb-cs-row-5-cell-0\"><div class=\"rv_tb-element\"><div class=\"rv_tb-text-wrap rv_justify cell-element-0\"><div class=\"rv_tb-text\"><strong>Password policy helps?<\/strong><\/div><\/div><\/div><\/td><td class=\"rv_tb-cell rv_tb-row-5-cell-1 rv_tb-rs-row-5-cell-1 rv_tb-cs-row-5-cell-1\"><div class=\"rv_tb-element\"><div class=\"rv_tb-text-wrap rv_justify cell-element-0\"><div class=\"rv_tb-text\">No: the attacker already has a working password<\/div><\/div><\/div><\/td><td class=\"rv_tb-cell rv_tb-row-5-cell-2 rv_tb-rs-row-5-cell-2 rv_tb-cs-row-5-cell-2\"><div class=\"rv_tb-element\"><div class=\"rv_tb-text-wrap rv_justify cell-element-0\"><div class=\"rv_tb-text\">Yes: longer, complex passwords slow the attack<\/div><\/div><\/div><\/td><\/tr><tr><td class=\"rv_tb-cell rv_tb-row-6-cell-0 rv_tb-rs-row-6-cell-0 rv_tb-cs-row-6-cell-0\"><div class=\"rv_tb-element\"><div class=\"rv_tb-text-wrap rv_justify cell-element-0\"><div class=\"rv_tb-text\"><strong>Primary defence<\/strong><\/div><\/div><\/div><\/td><td class=\"rv_tb-cell rv_tb-row-6-cell-1 rv_tb-rs-row-6-cell-1 rv_tb-cs-row-6-cell-1\"><div class=\"rv_tb-element\"><div class=\"rv_tb-text-wrap rv_justify cell-element-0\"><div class=\"rv_tb-text\">MFA, CAPTCHA, breached-password screening<\/div><\/div><\/div><\/td><td class=\"rv_tb-cell rv_tb-row-6-cell-2 rv_tb-rs-row-6-cell-2 
rv_tb-cs-row-6-cell-2\"><div class=\"rv_tb-element\"><div class=\"rv_tb-text-wrap rv_justify cell-element-0\"><div class=\"rv_tb-text\">Account lockout, rate limiting, CAPTCHA, MFA<\/div><\/div><\/div><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>The most important row is the second-to-last one, &#8220;Password policy helps?&#8221;. Strong password policies protect well against brute force because they make guessing harder. Against credential stuffing, they provide almost no protection, because the attacker is not guessing. They have your password already. This is why the two attacks need different thinking, even though they share some common defences.<\/p>\n\n\n\n<p>For a deeper look at brute force specifically, see our guide on&nbsp;<a href=\"https:\/\/www.captcha.eu\/how-to-prevent-brute-force-attacks-on-your-website\/\">how to prevent brute force attacks<\/a>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading has-text-color has-link-color has-large-font-size wp-elements-61c716b463b398429806e12a2dba7785\" id=\"h-why-credential-stuffing-is-so-hard-to-detect\" style=\"color:#2b7ca4\">Why credential stuffing is so hard to detect<\/h2>\n\n\n\n<p>This is the core challenge. When a brute force attack runs, it leaves obvious traces: dozens or hundreds of failed login attempts against the same account from the same IP address. Your logs light up. Monitoring tools fire alerts.<\/p>\n\n\n\n<p>Credential stuffing leaves almost none of those traces. The attacker distributes requests across thousands of different IP addresses. Each IP sends just one or two requests. Each credential pair is tried once, against the account it belongs to, so there is no run of failures on any single account: the misses are spread across thousands of accounts, and the hits (the roughly one in a thousand that match a reused password) look like ordinary successful logins from a new location. What does change is the aggregate picture: the site-wide failure rate climbs and the share of IP addresses that make exactly one login attempt jumps, which is what the anomaly detection described later in this guide keys on.<\/p>\n\n\n\n<p>The result is that many credential stuffing attacks run undetected for months. 
In the 23andMe case, attackers spent five months inside the platform before the company discovered what had happened. They found out only because stolen data appeared for sale on a hacker forum, not because internal monitoring detected anything.<\/p>\n\n\n\n<div class=\"wp-block-essential-blocks-infobox  root-eb-infobox-edjna\"><div class=\"eb-parent-wrapper eb-parent-eb-infobox-edjna \"><div class=\"eb-infobox-edjna eb-infobox-wrapper\"><div class=\"infobox-wrapper-inner\"><div class=\"contents-wrapper\"><h3 class=\"title\">The hidden cost of successful attacks<\/h3><p class=\"description\">According to IBM&#8217;s Cost of a Data Breach Report 2025, breaches cost an average of $4.44 million globally and take 241 days to identify and contain on average. The financial damage includes fraud remediation, customer notification, regulatory fines, and reputational harm, on top of the direct losses from compromised accounts.<\/p><\/div><\/div><\/div><\/div><\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading has-text-color has-link-color has-large-font-size wp-elements-57fcdd41466a24b8f551ccae48cccd22\" id=\"h-a-real-world-example-23andme\" style=\"color:#2b7ca4\">A real-world example: 23andMe<\/h2>\n\n\n\n<p>In October 2023, the genetic testing company 23andMe disclosed a credential stuffing attack that ultimately exposed the personal data of approximately 6.9 million users. 
The scale of the breach makes it one of the clearest case studies in how credential stuffing can escalate far beyond the initial compromise.<\/p>\n\n\n\n<div class=\"wp-block-essential-blocks-infobox  root-eb-infobox-zmwfy\"><div class=\"eb-parent-wrapper eb-parent-eb-infobox-zmwfy \"><div class=\"eb-infobox-zmwfy eb-infobox-wrapper\"><div class=\"infobox-wrapper-inner\"><div class=\"contents-wrapper\"><h3 class=\"title\">Case study: 23andMe (2023)<\/h3><p class=\"description\">Attackers obtained credential lists from prior, unrelated data breaches and used them to access 23andMe accounts whose owners had reused passwords. Approximately 14,000 accounts were directly compromised through this method. However, 23andMe&#8217;s &#8220;DNA Relatives&#8221; feature, which lets users share genetic ancestry data with connected profiles, amplified the breach dramatically. By accessing 14,000 accounts, the attacker could scrape connected data from an additional 5.5 million profiles, and Family Tree data from 1.4 million more. None of those additional users had their accounts directly compromised. Their data was exposed simply because a connected user had reused a password.<br><br>The five-month detection gap (the attack ran from April to September 2023, discovered only when stolen data appeared on BreachForums) highlights the monitoring failure that allows credential stuffing to run silently. 23andMe subsequently mandated password resets and introduced two-step verification. The company faced a $30 million class action settlement and filed for Chapter 11 bankruptcy in March 2025. Regulators in the UK and Canada found that adequate monitoring controls were absent.<\/p><\/div><\/div><\/div><\/div><\/div>\n\n\n\n<p>The 23andMe breach illustrates three lessons that apply to almost any website with user accounts. First, your users&#8217; passwords from other sites put your platform at risk, even if you have never been breached. 
Second, platform features that connect accounts can multiply the impact of a single compromised login. Third, if you do not monitor for the right signals, you will not know an attack is running until someone else tells you.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading has-text-color has-link-color has-large-font-size wp-elements-6a93253f62f456b5c214e9a98c04e94b\" id=\"h-six-defences-that-work\" style=\"color:#2b7ca4\">Six defences that work<\/h2>\n\n\n\n<div class=\"wp-block-essential-blocks-feature-list  root-eb-feature-list-kfh94\"><div class=\"eb-parent-wrapper eb-parent-eb-feature-list-kfh94 \"><div class=\"eb-feature-list-kfh94 eb-feature-list-wrapper eb-icon-position-left eb-tablet-icon-position-left eb-mobile-icon-position-left eb-feature-list-left\"><ul class=\"eb-feature-list-items circle stacked\"><li class=\"eb-feature-list-item\" data-new-tab=\"false\" data-icon-type=\"icon\" data-icon=\"fas fa-1\" data-icon-color=\"\" data-link=\"\"><div class=\"eb-feature-list-icon-box\"><div class=\"eb-feature-list-icon-inner\"><span class=\"eb-feature-list-icon\" style=\"color:\"><i icon=\"fas fa-1\" class=\"fas fa-1 \"><\/i><\/span><\/div><\/div><div class=\"eb-feature-list-content-box\"><h3 class=\"eb-feature-list-title\">Multi-factor authentication<\/h3><p class=\"eb-feature-list-content\">MFA is the single most effective defence against credential stuffing. The reason is structural: even if an attacker has the correct username and password, MFA requires a second verification step (a time-based code, a push notification, or a hardware key) that the attacker does not have. Microsoft&#8217;s analysis of account compromise incidents found that MFA would have stopped over 99% of them. 
That figure applies directly to credential stuffing, because the entire attack model depends on a stolen password being sufficient to log in.\n\nFor website operators, the priority is straightforward: make MFA mandatory for administrator and high-privilege accounts, and offer it to all users. Where you cannot enforce MFA for every user, require it for high-risk actions: changes to account details, payment flows, and password resets. Not every second factor is equal. SMS codes and plain push approvals can be phished or worn down by repeated prompts; FIDO2 passkeys and hardware keys are bound to your site&#8217;s origin and resist both, so use them for administrators at minimum. Passkeys and authenticator apps are now widely supported and reduce the friction that historically made MFA unpopular with users.<\/p><\/div><\/li><\/ul><\/div><\/div><\/div>\n\n\n\n<div class=\"wp-block-essential-blocks-infobox  root-eb-infobox-nhyhw\"><div class=\"eb-parent-wrapper eb-parent-eb-infobox-nhyhw \"><div class=\"eb-infobox-nhyhw eb-infobox-wrapper\"><div class=\"infobox-wrapper-inner\"><div class=\"contents-wrapper\"><h3 class=\"title\"><strong>MFA alone does not stop the attack traffic<\/strong><\/h3><p class=\"description\">MFA prevents account takeover, but it does not stop bots from submitting login attempts. Thousands of MFA-blocked attempts still hit your server, consume resources, and generate noise in your logs, and every attempt that gets as far as the second-factor prompt confirms to the attacker that the password itself is valid, so the pair remains worth selling. 
That is why MFA works best combined with the layers below.<\/p><\/div><\/div><\/div><\/div><\/div>\n\n\n\n<div class=\"wp-block-essential-blocks-feature-list  root-eb-feature-list-sn3mp\"><div class=\"eb-parent-wrapper eb-parent-eb-feature-list-sn3mp \"><div class=\"eb-feature-list-sn3mp eb-feature-list-wrapper eb-icon-position-left eb-tablet-icon-position-left eb-mobile-icon-position-left eb-feature-list-left\"><ul class=\"eb-feature-list-items circle stacked\"><li class=\"eb-feature-list-item\" data-new-tab=\"false\" data-icon-type=\"icon\" data-icon=\"fas fa-2\" data-icon-color=\"\" data-link=\"\"><div class=\"eb-feature-list-icon-box\"><div class=\"eb-feature-list-icon-inner\"><span class=\"eb-feature-list-icon\" style=\"color:\"><i icon=\"fas fa-2\" class=\"fas fa-2 \"><\/i><\/span><\/div><\/div><div class=\"eb-feature-list-content-box\"><h3 class=\"eb-feature-list-title\">Proof-of-work CAPTCHA on login and authentication flows<\/h3><p class=\"eb-feature-list-content\">CAPTCHA acts at a different point in the attack chain than MFA. Rather than blocking account takeover after a successful login, CAPTCHA raises the cost of every login attempt before it reaches your authentication logic. This matters for credential stuffing, where attackers rely on submitting millions of requests cheaply and automatically.\n\nThe type of CAPTCHA matters here. Traditional visual CAPTCHA (image grids, &#8220;I am not a robot&#8221; checkboxes) is increasingly bypassed by AI-powered solving tools and human-solving services. Against a resourced attacker running a large credential stuffing campaign, a visual CAPTCHA provides less protection than it appears to.\n\nProof-of-work CAPTCHA is structurally different. Instead of presenting a visual puzzle, it requires the browser to complete a small cryptographic computation before the login request can proceed. The server checks the answer with a single hash comparison, and each challenge should be bound to one request and a short expiry so that a solved challenge cannot be replayed across attempts. The protection is economic rather than absolute: a determined attacker can still pay the compute cost, which is why this control belongs in front of the others, not in place of them. For a real user, this happens invisibly in the background. 
For a bot submitting thousands of login attempts per minute, every single attempt now requires computational work, raising the cost regardless of the attacker&#8217;s image-solving capability. The OWASP Credential Stuffing Prevention Cheat Sheet identifies CAPTCHA as one of the key controls for slowing credential stuffing attacks, specifically noting its role in raising the cost and time of automated login attempts.<\/p><\/div><\/li><\/ul><\/div><\/div><\/div>\n\n\n\n<div class=\"wp-block-group has-vivid-cyan-blue-background-color has-background is-content-justification-center is-layout-constrained wp-block-group-is-layout-constrained\" style=\"padding-top:2rem;padding-bottom:2rem\">\n<h3 class=\"wp-block-heading has-text-align-center has-background-color has-text-color has-large-font-size\" id=\"h-captcha-eu-stops-bots-before-they-reach-your-login-logic\">CAPTCHA.eu stops bots before they reach your login logic<\/h3>\n\n\n\n<p class=\"has-text-align-center has-background-color has-text-color\">Invisible proof-of-work verification on every login attempt. No image puzzles. No cookies. All data processed in Austria under EU law. 
WACA Silver certified by T\u00dcV Austria against WCAG 2.2 AA.<\/p>\n\n\n\n<div class=\"wp-block-buttons is-content-justification-center is-layout-flex wp-container-core-buttons-is-layout-de3b580a wp-block-buttons-is-layout-flex\" style=\"margin-top:3rem\">\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link has-body-text-color has-background-background-color has-text-color has-background wp-element-button\" href=\"https:\/\/www.captcha.eu\/login\">Start free trial<\/a><\/div>\n\n\n\n<div class=\"wp-block-button is-style-outline is-style-outline--1\"><a class=\"wp-block-button__link has-background-color has-text-color wp-element-button\" href=\"https:\/\/www.captcha.eu\/what-is-login-abuse\/\">See how login abuse works<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-essential-blocks-feature-list  root-eb-feature-list-qzvf2\"><div class=\"eb-parent-wrapper eb-parent-eb-feature-list-qzvf2 \"><div class=\"eb-feature-list-qzvf2 eb-feature-list-wrapper eb-icon-position-left eb-tablet-icon-position-left eb-mobile-icon-position-left eb-feature-list-left\"><ul class=\"eb-feature-list-items circle stacked\"><li class=\"eb-feature-list-item\" data-new-tab=\"false\" data-icon-type=\"icon\" data-icon=\"fas fa-3\" data-icon-color=\"\" data-link=\"\"><div class=\"eb-feature-list-icon-box\"><div class=\"eb-feature-list-icon-inner\"><span class=\"eb-feature-list-icon\" style=\"color:\"><i icon=\"fas fa-3\" class=\"fas fa-3 \"><\/i><\/span><\/div><\/div><div class=\"eb-feature-list-content-box\"><h3 class=\"eb-feature-list-title\">Breached-password screening<\/h3><p class=\"eb-feature-list-content\">This defence is underused and highly effective. When a user creates an account or changes their password, your system checks the new password against a database of credentials known to have been exposed in prior data breaches. 
If it finds a match, it rejects the password and asks the user to choose a different one.\n\nThe New York State Attorney General&#8217;s credential stuffing investigation identified breached-password screening as one of the most impactful controls available to operators, specifically because it prevents users from creating accounts with passwords that are already circulating in attacker databases. The service Have I Been Pwned offers a free API for exactly this purpose, allowing you to check passwords against billions of known breached credentials without transmitting the actual password.\n\nThis control does not stop an attack already in progress, but it reduces your exposure significantly over time by eliminating your most vulnerable accounts before attackers reach them.<\/p><\/div><\/li><li class=\"eb-feature-list-item\" data-new-tab=\"false\" data-icon-type=\"icon\" data-icon=\"fas fa-4\" data-icon-color=\"\" data-link=\"\"><div class=\"eb-feature-list-icon-box\"><div class=\"eb-feature-list-icon-inner\"><span class=\"eb-feature-list-icon\" style=\"color:\"><i icon=\"fas fa-4\" class=\"fas fa-4 \"><\/i><\/span><\/div><\/div><div class=\"eb-feature-list-content-box\"><h3 class=\"eb-feature-list-title\">Rate limiting and anomaly detection<\/h3><p class=\"eb-feature-list-content\">Standard IP-based rate limiting (blocking an IP after a set number of failed login attempts) is less effective against credential stuffing than against brute force, because each IP in a stuffing campaign typically makes only one or two requests. However, rate limiting still has an important role when applied thoughtfully.\n\nThe more effective approach combines per-account thresholds with global anomaly detection. Per-account thresholds flag when the same account receives login attempts from many different IPs in a short window. 
Global anomaly detection flags when your login endpoint suddenly receives significantly more traffic than baseline, even if no individual account or IP is behaving suspiciously. Together, these patterns catch distributed campaigns that evade simple IP rate limiting.\n\nAdditional signals worth monitoring: login attempts that come from known proxy or hosting provider IP ranges, logins from unusual geographic locations for existing accounts, and successful logins immediately followed by account detail changes. The OWASP Credential Stuffing Cheat Sheet recommends combining multiple signals rather than relying on any single threshold.<\/p><\/div><\/li><li class=\"eb-feature-list-item\" data-new-tab=\"false\" data-icon-type=\"icon\" data-icon=\"fas fa-5\" data-icon-color=\"\" data-link=\"\"><div class=\"eb-feature-list-icon-box\"><div class=\"eb-feature-list-icon-inner\"><span class=\"eb-feature-list-icon\" style=\"color:\"><i icon=\"fas fa-5\" class=\"fas fa-5 \"><\/i><\/span><\/div><\/div><div class=\"eb-feature-list-content-box\"><h3 class=\"eb-feature-list-title\">Consistent error messages on login failure<\/h3><p class=\"eb-feature-list-content\">This is a small detail that matters more than it appears. If your login page returns different messages for &#8220;wrong password&#8221; versus &#8220;account does not exist,&#8221; attackers can use those differences to validate which usernames in their list are real accounts. A simple change: always return the same generic message regardless of whether the username exists or the password is wrong. &#8220;Email address or password is incorrect&#8221; reveals nothing. &#8220;We could not find an account with that email address&#8221; is a gift to an attacker building a validated username list.\n\nThe same logic applies to password reset flows. 
Returning different responses for valid versus invalid email addresses allows attackers to enumerate your user base with no login credentials at all.<\/p><\/div><\/li><li class=\"eb-feature-list-item\" data-new-tab=\"false\" data-icon-type=\"icon\" data-icon=\"fas fa-6\" data-icon-color=\"\" data-link=\"\"><div class=\"eb-feature-list-icon-box\"><div class=\"eb-feature-list-icon-inner\"><span class=\"eb-feature-list-icon\" style=\"color:\"><i icon=\"fas fa-6\" class=\"fas fa-6 \"><\/i><\/span><\/div><\/div><div class=\"eb-feature-list-content-box\"><h3 class=\"eb-feature-list-title\">User notification and monitoring<\/h3><p class=\"eb-feature-list-content\">Even with all of the above in place, some attacks will succeed. Fast detection limits the damage. The most effective monitoring signals for credential stuffing are different from those for brute force. Look for: a general increase in login volume without a corresponding increase in successful logins, successful logins from unfamiliar geographic locations or devices for established accounts, account detail changes (email address, password, shipping address) shortly after login, and elevated password reset request rates.\n\nNotify users immediately when their account is logged into from a new device or location. Give users visibility into their recent login history. If they can see that someone in another country logged in at 3am, they can take action before the attacker does lasting damage. This also shifts some of the detection burden from your security team to your users, which scales better than centralised monitoring alone.<\/p><\/div><\/li><\/ul><\/div><\/div><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-where-to-start-which-endpoints-to-protect-first\">Where to start: which endpoints to protect first<\/h3>\n\n\n\n<p>Apply these defences to your highest-risk flows first. 
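The breached-password screening item above mentions that Have I Been Pwned lets you check a password "without transmitting the actual password". The mechanism is a k-anonymity range query: hash the candidate locally with SHA-1, send only the first five hex characters of the hash, receive every known suffix under that prefix with its breach count, and compare locally. The following is an added example of that check, not code from Have I Been Pwned or from the page's author. The live endpoint and the `Add-Padding` request header are real, but the offline stand-in with the passwords "password123" and "letmein" and their counts is constructed for the example, so the block runs without network access.

```python
import hashlib
import urllib.request


def sha1_hex_upper(password):
    # SHA-1 is what the range API keys on; it is a lookup key here, not password storage.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fetch_range_live(prefix):
    """Real lookup (not exercised offline): only the 5-character prefix leaves your
    server. Add-Padding makes response sizes uniform so an observer cannot infer the
    prefix from length; padded entries come back with a count of 0."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "breached-password-screen-example"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the service (assumption): two made-up breached
# passwords with made-up counts, plus one count-0 padding entry in the same format.
_CONSTRUCTED_BREACHED = {"password123": 123456, "letmein": 2048}


def _fixture_ranges():
    ranges = {}
    for pw, count in _CONSTRUCTED_BREACHED.items():
        digest = sha1_hex_upper(pw)
        ranges.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    ranges.setdefault(sha1_hex_upper("letmein")[:5], []).append("0" * 35 + ":0")
    return ranges


_FIXTURE = _fixture_ranges()


def fetch_range_offline(prefix):
    """Mimics the response body: 'SUFFIX:COUNT' lines separated by CRLF."""
    return "\r\n".join(_FIXTURE.get(prefix, []))


def breach_count(password, fetch=fetch_range_offline):
    """How many times the password appears in known breaches (0 = not found).
    The full password and the full hash stay local; never log either."""
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count or 0)   # a padding entry (count 0) is not a hit
    return 0


def accept_new_password(password, fetch=fetch_range_offline):
    """Policy hook for registration and password change: reject anything seen in a breach."""
    return breach_count(password, fetch) == 0


if __name__ == "__main__":
    for candidate in ("password123", "a long unique passphrase for this site only"):
        print(candidate, "->", "rejected" if not accept_new_password(candidate) else "accepted")
```

Pass `fetch=fetch_range_live` to query the real service. Wire `accept_new_password` into the registration and password-change handlers only; it is a pre-emptive control, and the page is right that it does nothing against a campaign already under way.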
Login forms are the primary target, because a successful credential stuffing login gives the attacker full account access immediately. After login, prioritise password reset flows, where different responses for valid versus invalid email addresses let attackers enumerate real accounts without needing any credentials. Then API authentication endpoints, which often lack the protections applied to web login forms. Finally, registration forms, where successful stuffing can create fake or cloned accounts. Protect in that order and you cover the vast majority of credential stuffing attack surface.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading has-text-color has-link-color has-large-font-size wp-elements-a7c16e70b428f6443b3a98604e12422e\" id=\"h-if-an-attack-is-already-running-immediate-steps\" style=\"color:#2b7ca4\">If an attack is already running: immediate steps<\/h2>\n\n\n\n<p>Detecting a credential stuffing attack in progress requires different signals than you might expect. 
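The rate limiting and anomaly detection item above, and the detection signals discussed in this section, both come down to the same two checks: the same account receiving attempts from many different source IPs, and a login endpoint whose volume or success ratio departs from its own baseline. Here is an added example of that detection logic run over constructed login events (five quiet minutes of two successful logins per minute, then one minute in which thirty IPs each send a single request and one account is hit from four of them). The event format, the window sizes and the thresholds are assumptions for the example; none of this is the page's or any product's code.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Window sizes are assumptions chosen for the example; tune them to your traffic.
GLOBAL_WINDOW_SECONDS = 60      # bucket for volume and success-ratio checks
ACCOUNT_WINDOW_SECONDS = 600    # bucket for "one account, many source IPs"


def parse_event(line):
    """One constructed log line: '<ISO timestamp>Z <account> <source ip> <success|failure>'."""
    ts, account, ip, outcome = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, account, ip, outcome == "success"


def _bucket(when, size):
    return int(when.timestamp()) // size


def per_account_alerts(events, distinct_ip_threshold=4):
    """Flag accounts hit from many different IPs inside one account window. Each
    attacking IP may send only one or two requests, so per-IP rate limits miss this."""
    seen = defaultdict(lambda: defaultdict(set))  # account -> bucket -> {ips}
    for when, account, ip, _ in events:
        seen[account][_bucket(when, ACCOUNT_WINDOW_SECONDS)].add(ip)
    return sorted(a for a, buckets in seen.items()
                  if any(len(ips) >= distinct_ip_threshold for ips in buckets.values()))


def global_alerts(events, baseline_windows=4, spike_factor=5.0,
                  min_attempts=10, min_success_ratio=0.5):
    """Flag windows whose attempt count far exceeds the preceding windows' mean, or
    whose success ratio collapses. Gaps between windows are ignored for brevity."""
    counts = defaultdict(lambda: [0, 0])  # bucket -> [attempts, successes]
    for when, _, _, ok in events:
        c = counts[_bucket(when, GLOBAL_WINDOW_SECONDS)]
        c[0] += 1
        c[1] += int(ok)
    ordered = sorted(counts)
    alerts = []
    for i in range(baseline_windows, len(ordered)):
        base = sum(counts[b][0] for b in ordered[i - baseline_windows:i]) / baseline_windows
        attempts, successes = counts[ordered[i]]
        reasons = []
        if attempts > spike_factor * base:
            reasons.append("volume")
        if attempts >= min_attempts and successes / attempts < min_success_ratio:
            reasons.append("success_ratio")
        if reasons:
            start = datetime.fromtimestamp(ordered[i] * GLOBAL_WINDOW_SECONDS, tz=timezone.utc)
            alerts.append((start.strftime("%Y-%m-%dT%H:%MZ"), reasons))
    return alerts


def constructed_events():
    """Constructed sample: five quiet minutes, then one minute of a distributed campaign."""
    users = ["alice", "bob", "carol", "dave", "erin"]
    lines = []
    for m in range(5):                      # baseline: two successful logins per minute
        for k in range(2):
            lines.append(f"2026-04-05T10:0{m}:{10 * k + 5:02d}Z {users[(2 * m + k) % 5]} "
                         f"203.0.113.{2 * m + k + 1} success")
    for n in range(30):                     # campaign: 30 IPs, one request each, bob hit from four
        account = "bob" if n % 8 == 0 else f"user{n:02d}"
        outcome = "success" if n in (8, 16) else "failure"
        lines.append(f"2026-04-05T10:05:{n:02d}Z {account} 198.51.100.{n + 1} {outcome}")
    return lines


if __name__ == "__main__":
    evs = [parse_event(line) for line in constructed_events()]
    print("accounts under distributed attack:", per_account_alerts(evs))
    print("anomalous windows:", global_alerts(evs))
```

Run against the constructed events, the per-IP view sees thirty harmless single requests, while the account view flags `bob` and the global view flags the 10:05 window for both volume and success ratio. Feeding these two outputs into a step-up (forced MFA or re-authentication for the flagged accounts, tighter CAPTCHA difficulty for the flagged window) is the "combine multiple signals" recommendation from the OWASP cheat sheet in practice.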
Because individual requests look normal, the clearest signs are volume-level patterns: a sudden spike in login traffic, an unusual ratio of successful to failed logins, or new accounts being created with patterns that suggest automation (sequential usernames, identical browser signatures, bulk registrations in a short window).<\/p>\n\n\n\n<p>If you identify an active attack, this sequence limits the damage:<\/p>\n\n\n\n<div class=\"wp-block-essential-blocks-feature-list  root-eb-feature-list-izkoq\"><div class=\"eb-parent-wrapper eb-parent-eb-feature-list-izkoq \"><div class=\"eb-feature-list-izkoq eb-feature-list-wrapper eb-icon-position-left eb-tablet-icon-position-left eb-mobile-icon-position-left eb-feature-list-left\"><ul class=\"eb-feature-list-items circle stacked\"><li class=\"eb-feature-list-item\" data-new-tab=\"false\" data-icon-type=\"icon\" data-icon=\"fas fa-check\" data-icon-color=\"\" data-link=\"\"><div class=\"eb-feature-list-icon-box\"><div class=\"eb-feature-list-icon-inner\"><span class=\"eb-feature-list-icon\" style=\"color:\"><i icon=\"fas fa-check\" class=\"fas fa-check \"><\/i><\/span><\/div><\/div><div class=\"eb-feature-list-content-box\"><h3 class=\"eb-feature-list-title\">Enable or tighten CAPTCHA immediately.<\/h3><p class=\"eb-feature-list-content\">Even deploying proof-of-work CAPTCHA mid-attack raises the cost for bots still submitting attempts and can slow or stop the campaign within minutes.<\/p><\/div><\/li><li class=\"eb-feature-list-item\" data-new-tab=\"false\" data-icon-type=\"icon\" data-icon=\"fas fa-check\" data-icon-color=\"\" data-link=\"\"><div class=\"eb-feature-list-icon-box\"><div class=\"eb-feature-list-icon-inner\"><span class=\"eb-feature-list-icon\" style=\"color:\"><i icon=\"fas fa-check\" class=\"fas fa-check \"><\/i><\/span><\/div><\/div><div class=\"eb-feature-list-content-box\"><h3 class=\"eb-feature-list-title\">Apply temporary geo-blocking or proxy blocking on the login endpoint.<\/h3><p 
class=\"eb-feature-list-content\">Credential stuffing traffic frequently routes through hosting provider ranges and open proxies. Cloudflare and similar services publish IP lists for these. Blocking them is imperfect but buys time.<\/p><\/div><\/li><li class=\"eb-feature-list-item\" data-new-tab=\"false\" data-icon-type=\"icon\" data-icon=\"fas fa-check\" data-icon-color=\"\" data-link=\"\"><div class=\"eb-feature-list-icon-box\"><div class=\"eb-feature-list-icon-inner\"><span class=\"eb-feature-list-icon\" style=\"color:\"><i icon=\"fas fa-check\" class=\"fas fa-check \"><\/i><\/span><\/div><\/div><div class=\"eb-feature-list-content-box\"><h3 class=\"eb-feature-list-title\">Force MFA or re-authentication on accounts showing anomalous activity.<\/h3><p class=\"eb-feature-list-content\">Any account that received a successful login from an unusual location or device should be challenged before the session continues.<\/p><\/div><\/li><li class=\"eb-feature-list-item\" data-new-tab=\"false\" data-icon-type=\"icon\" data-icon=\"fas fa-check\" data-icon-color=\"\" data-link=\"\"><div class=\"eb-feature-list-icon-box\"><div class=\"eb-feature-list-icon-inner\"><span class=\"eb-feature-list-icon\" style=\"color:\"><i icon=\"fas fa-check\" class=\"fas fa-check \"><\/i><\/span><\/div><\/div><div class=\"eb-feature-list-content-box\"><h3 class=\"eb-feature-list-title\">Reset passwords for accounts showing suspicious successful logins. <\/h3><p class=\"eb-feature-list-content\">Notify affected users with clear instructions. 
Be specific: explain that their credentials may have been exposed in a prior breach elsewhere, and that they should not use the same password on other services.<\/p><\/div><\/li><li class=\"eb-feature-list-item\" data-new-tab=\"false\" data-icon-type=\"icon\" data-icon=\"fas fa-check\" data-icon-color=\"\" data-link=\"\"><div class=\"eb-feature-list-icon-box\"><div class=\"eb-feature-list-icon-inner\"><span class=\"eb-feature-list-icon\" style=\"color:\"><i icon=\"fas fa-check\" class=\"fas fa-check \"><\/i><\/span><\/div><\/div><div class=\"eb-feature-list-content-box\"><h3 class=\"eb-feature-list-title\">Check for downstream activity in compromised accounts.<\/h3><p class=\"eb-feature-list-content\">Account detail changes, payment method additions, stored-value redemptions, and data exports are the actions an attacker takes after getting in. Review these in the window surrounding the attack.<\/p><\/div><\/li><li class=\"eb-feature-list-item\" data-new-tab=\"false\" data-icon-type=\"icon\" data-icon=\"fas fa-check\" data-icon-color=\"\" data-link=\"\"><div class=\"eb-feature-list-icon-box\"><div class=\"eb-feature-list-icon-inner\"><span class=\"eb-feature-list-icon\" style=\"color:\"><i icon=\"fas fa-check\" class=\"fas fa-check \"><\/i><\/span><\/div><\/div><div class=\"eb-feature-list-content-box\"><h3 class=\"eb-feature-list-title\">Preserve your logs for the full attack window.<\/h3><p class=\"eb-feature-list-content\">Under GDPR and NIS2, you may have notification obligations if personal data was accessed. 
Raw logs are the foundation of any incident response or regulatory filing.<\/p><\/div><\/li><\/ul><\/div><\/div><\/div>\n\n\n\n<div class=\"wp-block-group has-vivid-cyan-blue-background-color has-background is-content-justification-center is-layout-constrained wp-block-group-is-layout-constrained\" style=\"padding-top:2rem;padding-bottom:2rem\">\n<h3 class=\"wp-block-heading has-text-align-center has-background-color has-text-color has-large-font-size\" id=\"h-add-captcha-eu-to-your-login-flow-in-minutes\">Add CAPTCHA.eu to your login flow in minutes<\/h3>\n\n\n\n<p class=\"has-text-align-center has-background-color has-text-color\">WordPress, TYPO3, Keycloak, Magento, and custom stacks. Austria-hosted, cookieless, no puzzles for real users. 100 free requests to start.<\/p>\n\n\n\n<div class=\"wp-block-buttons is-content-justification-center is-layout-flex wp-container-core-buttons-is-layout-de3b580a wp-block-buttons-is-layout-flex\" style=\"margin-top:3rem\">\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link has-body-text-color has-background-background-color has-text-color has-background wp-element-button\" href=\"https:\/\/www.captcha.eu\/login\">Start free trial<\/a><\/div>\n\n\n\n<div class=\"wp-block-button is-style-outline is-style-outline--2\"><a class=\"wp-block-button__link has-background-color has-text-color wp-element-button\" href=\"https:\/\/docs.captcha.eu\/\">See all integrations<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading has-text-color has-link-color has-large-font-size wp-elements-1977b1634e67e4129895b4db9ed2bf77\" id=\"h-the-eu-dimension-why-credential-stuffing-is-a-gdpr-issue\" style=\"color:#2b7ca4\">The EU dimension: why credential stuffing is a GDPR issue<\/h2>\n\n\n\n<p>For European website operators, a successful credential stuffing attack is not just a security incident. 
Under the GDPR, unauthorised access to personal data in user accounts constitutes a personal data breach and triggers a 72-hour notification obligation to your supervisory authority, as well as potential notification to affected users. The 23andMe case resulted in regulatory investigations by the UK Information Commissioner&#8217;s Office and the Office of the Privacy Commissioner of Canada, partly because the detection failure prevented timely breach notification.<\/p>\n\n\n\n<p>This has a direct implication for how you think about credential stuffing defences. Deploying CAPTCHA and MFA is not only a security decision. It is also part of your GDPR Article 32 obligation to implement &#8220;appropriate technical measures&#8221; to protect personal data. Failing to do so, and subsequently suffering a breach, puts you in a difficult position during regulatory review.<\/p>\n\n\n\n<p>The choice of CAPTCHA also has compliance implications. Traditional CAPTCHA services typically set tracking cookies on login pages, which triggers ePrivacy consent requirements and adds complexity to your consent management setup. 
CAPTCHA.eu operates without cookies by architecture, removing that compliance question entirely for operators who want bot protection without consent overhead on authentication flows.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading has-text-color has-link-color has-large-font-size wp-elements-5ce9e574cfb454ba3d1a1aa741d21fde\" id=\"h-frequently-asked-questions\" style=\"color:#2b7ca4\">Frequently Asked Questions<\/h2>\n\n\n\n<div class=\"wp-block-premium-accordion premium-accordion premium-accordion-d1b89786d399\">\n<div class=\"wp-block-premium-accordion-item premium-accordion-item-94a9b4f008ee premium-accordion__content_wrap\"><div class=\"premium-accordion__title_wrap premium-accordion__ltr premium-accordion__out\"><div class=\"premium-accordion__title\"><h4 class=\"premium-accordion__title_text\">What is credential stuffing in simple terms?<\/h4><\/div><div class=\"premium-accordion__icon_wrap\"><svg class=\"premium-accordion__icon\" role=\"img\" focusable=\"false\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" viewBox=\"0 0 20 20\"><polygon points=\"16.7,3.3 10,10 3.3,3.4 0,6.7 10,16.7 10,16.6 20,6.7 \"><\/polygon><\/svg><\/div><\/div><div class=\"premium-accordion__desc_wrap\"><p class=\"premium-accordion__desc\">Credential stuffing is when attackers take usernames and passwords stolen from one website and automatically try them on other websites. It works because many people reuse the same password across multiple services. The attacker does not guess. 
They use real credentials that already worked somewhere else.<\/p><\/div><\/div>\n\n\n\n<div class=\"wp-block-premium-accordion-item premium-accordion-item-45554a0c1ecb premium-accordion__content_wrap\"><div class=\"premium-accordion__title_wrap premium-accordion__ltr premium-accordion__out\"><div class=\"premium-accordion__title\"><h4 class=\"premium-accordion__title_text\">How is credential stuffing different from a brute force attack?<\/h4><\/div><div class=\"premium-accordion__icon_wrap\"><svg class=\"premium-accordion__icon\" role=\"img\" focusable=\"false\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" viewBox=\"0 0 20 20\"><polygon points=\"16.7,3.3 10,10 3.3,3.4 0,6.7 10,16.7 10,16.6 20,6.7 \"><\/polygon><\/svg><\/div><\/div><div class=\"premium-accordion__desc_wrap\"><p class=\"premium-accordion__desc\">Brute force attacks guess passwords through trial and error, trying combinations until one works. Credential stuffing uses known, working passwords from prior breaches. Brute force is easy to detect because it generates many failed login attempts. Credential stuffing is much harder to spot because the credentials are correct and the traffic looks like legitimate users logging in.<\/p><\/div><\/div>\n\n\n\n<div class=\"wp-block-premium-accordion-item premium-accordion-item-3630cdc62349 premium-accordion__content_wrap\"><div class=\"premium-accordion__title_wrap premium-accordion__ltr premium-accordion__out\"><div class=\"premium-accordion__title\"><h4 class=\"premium-accordion__title_text\">Does CAPTCHA stop credential stuffing?<\/h4><\/div><div class=\"premium-accordion__icon_wrap\"><svg class=\"premium-accordion__icon\" role=\"img\" focusable=\"false\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" viewBox=\"0 0 20 20\"><polygon points=\"16.7,3.3 10,10 3.3,3.4 0,6.7 10,16.7 10,16.6 20,6.7 \"><\/polygon><\/svg><\/div><\/div><div class=\"premium-accordion__desc_wrap\"><p class=\"premium-accordion__desc\">Yes, but the type matters. 
Traditional image-based CAPTCHA is increasingly bypassed by AI-powered solving tools. Proof-of-work CAPTCHA is more effective because it requires a cryptographic computation for every login attempt, raising the cost of running a large-scale stuffing campaign regardless of the attacker&#8217;s image-recognition capability. CAPTCHA works best as one layer among several, combined with MFA and anomaly detection.<\/p><\/div><\/div>\n\n\n\n<div class=\"wp-block-premium-accordion-item premium-accordion-item-3104f8008901 premium-accordion__content_wrap\"><div class=\"premium-accordion__title_wrap premium-accordion__ltr premium-accordion__out\"><div class=\"premium-accordion__title\"><h4 class=\"premium-accordion__title_text\">What is the most effective defence against credential stuffing?<\/h4><\/div><div class=\"premium-accordion__icon_wrap\"><svg class=\"premium-accordion__icon\" role=\"img\" focusable=\"false\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" viewBox=\"0 0 20 20\"><polygon points=\"16.7,3.3 10,10 3.3,3.4 0,6.7 10,16.7 10,16.6 20,6.7 \"><\/polygon><\/svg><\/div><\/div><div class=\"premium-accordion__desc_wrap\"><p class=\"premium-accordion__desc\">MFA is the single strongest control because it stops account takeover even when the attacker has the correct password. Beyond MFA, the most impactful combination is: proof-of-work CAPTCHA on login endpoints, breached-password screening at registration and password change, and anomaly monitoring for unusual login patterns. 
No single layer is sufficient on its own.<\/p><\/div><\/div>\n\n\n\n<div class=\"wp-block-premium-accordion-item premium-accordion-item-b917c9705657 premium-accordion__content_wrap\"><div class=\"premium-accordion__title_wrap premium-accordion__ltr premium-accordion__out\"><div class=\"premium-accordion__title\"><h4 class=\"premium-accordion__title_text\">How do I know if my website is under a credential stuffing attack?<\/h4><\/div><div class=\"premium-accordion__icon_wrap\"><svg class=\"premium-accordion__icon\" role=\"img\" focusable=\"false\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" viewBox=\"0 0 20 20\"><polygon points=\"16.7,3.3 10,10 3.3,3.4 0,6.7 10,16.7 10,16.6 20,6.7 \"><\/polygon><\/svg><\/div><\/div><div class=\"premium-accordion__desc_wrap\"><p class=\"premium-accordion__desc\">Unlike brute force, credential stuffing does not generate obvious failed login spikes on single accounts. The clearest signals are: a general increase in login volume without a matching increase in page activity, successful logins from unusual locations or devices for established accounts, account detail changes shortly after login, and elevated password reset request rates. 
Modern CAPTCHA dashboards provide verification volume data that can surface unusual traffic patterns early.<\/p><\/div><\/div>\n\n\n\n<div class=\"wp-block-premium-accordion-item premium-accordion-item-92f7b511a893 premium-accordion__content_wrap\"><div class=\"premium-accordion__title_wrap premium-accordion__ltr premium-accordion__out\"><div class=\"premium-accordion__title\"><h4 class=\"premium-accordion__title_text\">Is credential stuffing a GDPR issue for European websites?<\/h4><\/div><div class=\"premium-accordion__icon_wrap\"><svg class=\"premium-accordion__icon\" role=\"img\" focusable=\"false\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" viewBox=\"0 0 20 20\"><polygon points=\"16.7,3.3 10,10 3.3,3.4 0,6.7 10,16.7 10,16.6 20,6.7 \"><\/polygon><\/svg><\/div><\/div><div class=\"premium-accordion__desc_wrap\"><p class=\"premium-accordion__desc\">Yes. If a credential stuffing attack results in unauthorised access to user account data, that is a personal data breach under the GDPR. It triggers a 72-hour notification obligation to your supervisory authority and potentially to affected users. 
Deploying appropriate technical controls, including CAPTCHA and MFA, is part of your GDPR Article 32 obligation to protect personal data with suitable technical measures.<\/p><\/div><\/div>\n\n\n\n<div class=\"wp-block-premium-accordion-item premium-accordion-item-fc02fe0bfc51 premium-accordion__content_wrap\"><div class=\"premium-accordion__title_wrap premium-accordion__ltr premium-accordion__out\"><div class=\"premium-accordion__title\"><h4 class=\"premium-accordion__title_text\">Does a strong password policy prevent credential stuffing?<\/h4><\/div><div class=\"premium-accordion__icon_wrap\"><svg class=\"premium-accordion__icon\" role=\"img\" focusable=\"false\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" viewBox=\"0 0 20 20\"><polygon points=\"16.7,3.3 10,10 3.3,3.4 0,6.7 10,16.7 10,16.6 20,6.7 \"><\/polygon><\/svg><\/div><\/div><div class=\"premium-accordion__desc_wrap\"><p class=\"premium-accordion__desc\">No. Password policy protects against brute force by making guessing harder. Against credential stuffing, it provides almost no protection. The attacker already has a working password. 
What does help is breached-password screening (preventing users from setting passwords that have already been exposed in prior breaches) and MFA (making a correct password insufficient on its own).<\/p><\/div><\/div>\n\n\n\n<div class=\"wp-block-premium-accordion-item premium-accordion-item-ae54938fbeea premium-accordion__content_wrap\"><div class=\"premium-accordion__title_wrap premium-accordion__ltr premium-accordion__out\"><div class=\"premium-accordion__title\"><h4 class=\"premium-accordion__title_text\">What flows should I prioritise for credential stuffing protection?<\/h4><\/div><div class=\"premium-accordion__icon_wrap\"><svg class=\"premium-accordion__icon\" role=\"img\" focusable=\"false\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" viewBox=\"0 0 20 20\"><polygon points=\"16.7,3.3 10,10 3.3,3.4 0,6.7 10,16.7 10,16.6 20,6.7 \"><\/polygon><\/svg><\/div><\/div><div class=\"premium-accordion__desc_wrap\"><p class=\"premium-accordion__desc\">Login forms are the primary target. But also protect: password reset flows (where different responses for valid versus invalid emails let attackers validate usernames), registration forms (where the same logic applies), and API authentication endpoints (which often lack the protections applied to web login forms). 
Prioritise in that order.<\/p><\/div><\/div>\n<\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading has-text-color has-link-color has-large-font-size wp-elements-35238059df35ed9dad481dbef77b1fc7\" id=\"h-related-reading\" style=\"color:#2b7ca4\">Related reading<\/h2>\n\n\n<div class=\"root-eb-post-carousel-2ei7e wp-block-essential-blocks-post-carousel\">\n    <div class=\"eb-parent-wrapper eb-parent-eb-post-carousel-2ei7e \">\n        <div class=\"eb-post-carousel-2ei7e style-2 slick-arrows equal-height dot-style-1 eb-post-carousel-wrapper\"\n            data-id=\"eb-post-carousel-2ei7e\"\n            data-querydata=\"a:13:{s:6:&quot;source&quot;;s:4:&quot;post&quot;;s:11:&quot;sourceIndex&quot;;i:0;s:9:&quot;rest_base&quot;;s:5:&quot;posts&quot;;s:14:&quot;rest_namespace&quot;;s:5:&quot;wp\/v2&quot;;s:6:&quot;author&quot;;s:0:&quot;&quot;;s:10:&quot;taxonomies&quot;;a:0:{}s:8:&quot;per_page&quot;;s:1:&quot;6&quot;;s:6:&quot;offset&quot;;s:1:&quot;0&quot;;s:7:&quot;orderby&quot;;s:4:&quot;date&quot;;s:5:&quot;order&quot;;s:4:&quot;desc&quot;;s:7:&quot;include&quot;;s:263:&quot;[{&quot;value&quot;:3604,&quot;label&quot;:&quot;How to Prevent Brute Force Attacks on Your Website&quot;},{&quot;value&quot;:2140,&quot;label&quot;:&quot;What is Credential Stuffing?&quot;},{&quot;value&quot;:1943,&quot;label&quot;:&quot;What is Account Takeover Fraud (ATO)?&quot;},{&quot;value&quot;:3326,&quot;label&quot;:&quot;Is Google reCAPTCHA GDPR-Compliant in 2026?&quot;}]&quot;;s:7:&quot;exclude&quot;;s:0:&quot;&quot;;s:15:&quot;exclude_current&quot;;b:0;}\"\n            data-slidersettings=\"{&quot;arrows&quot;:true,&quot;dots&quot;:true,&quot;autoplaySpeed&quot;:3000,&quot;speed&quot;:500,&quot;adaptiveHeight&quot;:true,&quot;autoplay&quot;:true,&quot;infinite&quot;:true,&quot;pauseOnHover&quot;:true,&quot;slideToShowRange&quot;:3,&quot;leftArrowIcon&quot;:&quot;fas 
fa-chevron-circle-left&quot;,&quot;rightArrowIcon&quot;:&quot;fas fa-chevron-circle-right&quot;,&quot;addIcon&quot;:false,&quot;showFallbackImg&quot;:false,&quot;fallbackImgUrl&quot;:&quot;&quot;,&quot;TABslideToShowRange&quot;:2,&quot;MOBslideToShowRange&quot;:1}\"\n            data-attributes=\"{&quot;preset&quot;:&quot;style-2&quot;,&quot;showThumbnail&quot;:true,&quot;showTitle&quot;:true,&quot;titleLength&quot;:&quot;10&quot;,&quot;titleTag&quot;:&quot;h2&quot;,&quot;showContent&quot;:true,&quot;contentLength&quot;:20,&quot;expansionIndicator&quot;:&quot;...&quot;,&quot;showReadMore&quot;:true,&quot;readmoreText&quot;:&quot;Read More&quot;,&quot;showMeta&quot;:true,&quot;headerMeta&quot;:&quot;[]&quot;,&quot;footerMeta&quot;:&quot;[]&quot;,&quot;authorPrefix&quot;:&quot;by&quot;,&quot;datePrefix&quot;:&quot;&quot;,&quot;showBlockContent&quot;:true,&quot;leftArrowIcon&quot;:&quot;fas fa-chevron-circle-left&quot;,&quot;rightArrowIcon&quot;:&quot;fas fa-chevron-circle-right&quot;,&quot;showFallbackImg&quot;:false}\">\n\n            <div class=\"eb-post-carousel init-eb-post-carousel-2ei7e\"\n                data-id=\"eb-post-carousel-2ei7e\">\n            <\/div>\n        <\/div>\n    <\/div>\n<\/div>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<div class=\"wp-block-essential-blocks-infobox  root-eb-infobox-pn9zo\"><div class=\"eb-parent-wrapper eb-parent-eb-infobox-pn9zo \"><div class=\"eb-infobox-pn9zo eb-infobox-wrapper\"><div class=\"infobox-wrapper-inner\"><div class=\"contents-wrapper\"><h3 class=\"title\">Primary sources<\/h3><p class=\"description\"><a href=\"https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Credential_Stuffing_Prevention_Cheat_Sheet.html\" target=\"_blank\" rel=\"noreferrer noopener\">OWASP Credential Stuffing Prevention Cheat Sheet<\/a>: layered defence recommendations and detection guidance<br><a 
href=\"https:\/\/ag.ny.gov\/publications\/business-guide-credential-stuffing-attacks\" target=\"_blank\" rel=\"noreferrer noopener\">New York State Attorney General: Business Guide for Credential Stuffing Attacks<\/a>: regulatory investigation findings and control recommendations<br><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/08\/20\/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Security Blog: MFA blocks over 99.9% of account compromise attacks<\/a><br><a href=\"https:\/\/haveibeenpwned.com\/Passwords\" target=\"_blank\" rel=\"noreferrer noopener\">Have I Been Pwned: Pwned Passwords API<\/a>: recommended free tool for breached-password screening at registration and password change<br><a href=\"https:\/\/www.ibm.com\/reports\/data-breach\" target=\"_blank\" rel=\"noreferrer noopener\">IBM Cost of a Data Breach Report 2025<\/a>: $4.44M global average breach cost, 241-day mean time to identify and contain<br><a href=\"https:\/\/www.verizon.com\/business\/resources\/reports\/dbir\/\" target=\"_blank\" rel=\"noreferrer noopener\">Verizon Data Breach Investigations Report 2025<\/a>: stolen credentials involved in approximately one-third of all breach incidents; 88% of breaches within hacking patterns involved use of stolen credentials<br><a href=\"https:\/\/www.sec.gov\/Archives\/edgar\/data\/1804591\/000119312523287449\/d242666d8ka.htm\" target=\"_blank\" rel=\"noreferrer noopener\">23andMe Form 8-K\/A SEC filing, December 2023<\/a>: primary source confirming 14,000 accounts compromised via credential stuffing, 6.9 million users affected via DNA Relatives feature<\/p><\/div><\/div><\/div><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Credential stuffing attacks use real passwords stolen from prior breaches, not guesswork. That makes them faster, harder to detect, and more damaging than brute force. 
This guide covers the six defences that stop them, what to do if an attack is already running and which endpoints to protect first. At [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":3617,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_eb_attr":"","footnotes":""},"categories":[19],"tags":[],"class_list":["post-3616","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-new-blog"],"acf":{"pretitle":"","intern_slug":""},"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO v27.0) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>How to Prevent Credential Stuffing Attacks on Your Website (2026) - captcha.eu<\/title>\n<meta name=\"description\" content=\"Six defences against credential stuffing: MFA, CAPTCHA, breach screening and more. Practical guide for website operators in 2026.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.captcha.eu\/it\/come-prevenire-gli-attacchi-di-credential-stuffing\/\" \/>\n<meta property=\"og:locale\" content=\"it_IT\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to Prevent Credential Stuffing Attacks on Your Website\" \/>\n<meta property=\"og:description\" content=\"Six defences against credential stuffing: MFA, CAPTCHA, breach screening and more. 
Practical guide for website operators in 2026.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.captcha.eu\/it\/come-prevenire-gli-attacchi-di-credential-stuffing\/\" \/>\n<meta property=\"og:site_name\" content=\"captcha.eu\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-05T17:24:57+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-04-05T17:31:18+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.captcha.eu\/wp-content\/uploads\/2026\/04\/Captcha.eu-1-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1920\" \/>\n\t<meta property=\"og:image:height\" content=\"1080\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Captcha\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@captcha_eu\" \/>\n<meta name=\"twitter:site\" content=\"@captcha_eu\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Captcha\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"16 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.captcha.eu\/how-to-prevent-credential-stuffing-attacks\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.captcha.eu\/how-to-prevent-credential-stuffing-attacks\/\"},\"author\":{\"name\":\"Captcha\",\"@id\":\"https:\/\/www.captcha.eu\/#\/schema\/person\/f1e4886cdd0c5bbbb44279dd0d95445a\"},\"headline\":\"How to Prevent Credential Stuffing Attacks on Your Website\",\"datePublished\":\"2026-04-05T17:24:57+00:00\",\"dateModified\":\"2026-04-05T17:31:18+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.captcha.eu\/how-to-prevent-credential-stuffing-attacks\/\"},\"wordCount\":3506,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.captcha.eu\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.captcha.eu\/how-to-prevent-credential-stuffing-attacks\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.captcha.eu\/wp-content\/uploads\/2026\/04\/Captcha.eu-1-1.png\",\"articleSection\":[\"Blog\"],\"inLanguage\":\"it-IT\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.captcha.eu\/how-to-prevent-credential-stuffing-attacks\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.captcha.eu\/how-to-prevent-credential-stuffing-attacks\/\",\"url\":\"https:\/\/www.captcha.eu\/how-to-prevent-credential-stuffing-attacks\/\",\"name\":\"How to Prevent Credential Stuffing Attacks on Your Website (2026) - 
captcha.eu\",\"isPartOf\":{\"@id\":\"https:\/\/www.captcha.eu\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.captcha.eu\/how-to-prevent-credential-stuffing-attacks\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.captcha.eu\/how-to-prevent-credential-stuffing-attacks\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.captcha.eu\/wp-content\/uploads\/2026\/04\/Captcha.eu-1-1.png\",\"datePublished\":\"2026-04-05T17:24:57+00:00\",\"dateModified\":\"2026-04-05T17:31:18+00:00\",\"description\":\"Six defences against credential stuffing: MFA, CAPTCHA, breach screening and more. Practical guide for website operators in 2026.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.captcha.eu\/how-to-prevent-credential-stuffing-attacks\/#breadcrumb\"},\"inLanguage\":\"it-IT\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.captcha.eu\/how-to-prevent-credential-stuffing-attacks\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"it-IT\",\"@id\":\"https:\/\/www.captcha.eu\/how-to-prevent-credential-stuffing-attacks\/#primaryimage\",\"url\":\"https:\/\/www.captcha.eu\/wp-content\/uploads\/2026\/04\/Captcha.eu-1-1.png\",\"contentUrl\":\"https:\/\/www.captcha.eu\/wp-content\/uploads\/2026\/04\/Captcha.eu-1-1.png\",\"width\":1920,\"height\":1080,\"caption\":\"captcha.eu\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.captcha.eu\/how-to-prevent-credential-stuffing-attacks\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.captcha.eu\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How to Prevent Credential Stuffing Attacks on Your Website\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.captcha.eu\/#website\",\"url\":\"https:\/\/www.captcha.eu\/\",\"name\":\"captcha.eu\",\"description\":\"The GDPR-compliant message protection | 
captcha.eu\",\"publisher\":{\"@id\":\"https:\/\/www.captcha.eu\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.captcha.eu\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"it-IT\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.captcha.eu\/#organization\",\"name\":\"captcha.eu\",\"url\":\"https:\/\/www.captcha.eu\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"it-IT\",\"@id\":\"https:\/\/www.captcha.eu\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.captcha.eu\/wp-content\/uploads\/2024\/02\/Captcha_mono-C_Logo.svg\",\"contentUrl\":\"https:\/\/www.captcha.eu\/wp-content\/uploads\/2024\/02\/Captcha_mono-C_Logo.svg\",\"width\":24,\"height\":28,\"caption\":\"captcha.eu\"},\"image\":{\"@id\":\"https:\/\/www.captcha.eu\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/captcha_eu\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.captcha.eu\/#\/schema\/person\/f1e4886cdd0c5bbbb44279dd0d95445a\",\"name\":\"Captcha\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"it-IT\",\"@id\":\"https:\/\/www.captcha.eu\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/48b669a092d552f5f30202f8da848c93fa4c54f8c2b3167568ed5cbccbe4994a?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/48b669a092d552f5f30202f8da848c93fa4c54f8c2b3167568ed5cbccbe4994a?s=96&d=mm&r=g\",\"caption\":\"Captcha\"},\"sameAs\":[\"https:\/\/www.captcha.eu\"],\"url\":\"https:\/\/www.captcha.eu\/it\/author\/admin\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Come prevenire gli attacchi di credential stuffing sul vostro sito web (2026) - captcha.eu","description":"Sei difese contro il credential stuffing: MFA, CAPTCHA, screening delle violazioni e altro ancora. 
Guida pratica per i gestori di siti web nel 2026.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.captcha.eu\/it\/come-prevenire-gli-attacchi-di-credential-stuffing\/","og_locale":"it_IT","og_type":"article","og_title":"How to Prevent Credential Stuffing Attacks on Your Website","og_description":"Six defences against credential stuffing: MFA, CAPTCHA, breach screening and more. Practical guide for website operators in 2026.","og_url":"https:\/\/www.captcha.eu\/it\/come-prevenire-gli-attacchi-di-credential-stuffing\/","og_site_name":"captcha.eu","article_published_time":"2026-04-05T17:24:57+00:00","article_modified_time":"2026-04-05T17:31:18+00:00","og_image":[{"width":1920,"height":1080,"url":"https:\/\/www.captcha.eu\/wp-content\/uploads\/2026\/04\/Captcha.eu-1-1.png","type":"image\/png"}],"author":"Captcha","twitter_card":"summary_large_image","twitter_creator":"@captcha_eu","twitter_site":"@captcha_eu","twitter_misc":{"Written by":"Captcha","Est. 
reading time":"16 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.captcha.eu\/how-to-prevent-credential-stuffing-attacks\/#article","isPartOf":{"@id":"https:\/\/www.captcha.eu\/how-to-prevent-credential-stuffing-attacks\/"},"author":{"name":"Captcha","@id":"https:\/\/www.captcha.eu\/#\/schema\/person\/f1e4886cdd0c5bbbb44279dd0d95445a"},"headline":"How to Prevent Credential Stuffing Attacks on Your Website","datePublished":"2026-04-05T17:24:57+00:00","dateModified":"2026-04-05T17:31:18+00:00","mainEntityOfPage":{"@id":"https:\/\/www.captcha.eu\/how-to-prevent-credential-stuffing-attacks\/"},"wordCount":3506,"commentCount":0,"publisher":{"@id":"https:\/\/www.captcha.eu\/#organization"},"image":{"@id":"https:\/\/www.captcha.eu\/how-to-prevent-credential-stuffing-attacks\/#primaryimage"},"thumbnailUrl":"https:\/\/www.captcha.eu\/wp-content\/uploads\/2026\/04\/Captcha.eu-1-1.png","articleSection":["Blog"],"inLanguage":"it-IT","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.captcha.eu\/how-to-prevent-credential-stuffing-attacks\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.captcha.eu\/how-to-prevent-credential-stuffing-attacks\/","url":"https:\/\/www.captcha.eu\/how-to-prevent-credential-stuffing-attacks\/","name":"Come prevenire gli attacchi di credential stuffing sul vostro sito web (2026) - captcha.eu","isPartOf":{"@id":"https:\/\/www.captcha.eu\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.captcha.eu\/how-to-prevent-credential-stuffing-attacks\/#primaryimage"},"image":{"@id":"https:\/\/www.captcha.eu\/how-to-prevent-credential-stuffing-attacks\/#primaryimage"},"thumbnailUrl":"https:\/\/www.captcha.eu\/wp-content\/uploads\/2026\/04\/Captcha.eu-1-1.png","datePublished":"2026-04-05T17:24:57+00:00","dateModified":"2026-04-05T17:31:18+00:00","description":"Sei difese contro il credential stuffing: MFA, CAPTCHA, screening delle violazioni e altro ancora. 
Guida pratica per i gestori di siti web nel 2026.","breadcrumb":{"@id":"https:\/\/www.captcha.eu\/how-to-prevent-credential-stuffing-attacks\/#breadcrumb"},"inLanguage":"it-IT","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.captcha.eu\/how-to-prevent-credential-stuffing-attacks\/"]}]},{"@type":"ImageObject","inLanguage":"it-IT","@id":"https:\/\/www.captcha.eu\/how-to-prevent-credential-stuffing-attacks\/#primaryimage","url":"https:\/\/www.captcha.eu\/wp-content\/uploads\/2026\/04\/Captcha.eu-1-1.png","contentUrl":"https:\/\/www.captcha.eu\/wp-content\/uploads\/2026\/04\/Captcha.eu-1-1.png","width":1920,"height":1080,"caption":"captcha.eu"},{"@type":"BreadcrumbList","@id":"https:\/\/www.captcha.eu\/how-to-prevent-credential-stuffing-attacks\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.captcha.eu\/"},{"@type":"ListItem","position":2,"name":"How to Prevent Credential Stuffing Attacks on Your Website"}]},{"@type":"WebSite","@id":"https:\/\/www.captcha.eu\/#website","url":"https:\/\/www.captcha.eu\/","name":"captcha.eu","description":"La protezione dei messaggi conforme al GDPR | 
captcha.eu","publisher":{"@id":"https:\/\/www.captcha.eu\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.captcha.eu\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"it-IT"},{"@type":"Organization","@id":"https:\/\/www.captcha.eu\/#organization","name":"captcha.eu","url":"https:\/\/www.captcha.eu\/","logo":{"@type":"ImageObject","inLanguage":"it-IT","@id":"https:\/\/www.captcha.eu\/#\/schema\/logo\/image\/","url":"https:\/\/www.captcha.eu\/wp-content\/uploads\/2024\/02\/Captcha_mono-C_Logo.svg","contentUrl":"https:\/\/www.captcha.eu\/wp-content\/uploads\/2024\/02\/Captcha_mono-C_Logo.svg","width":24,"height":28,"caption":"captcha.eu"},"image":{"@id":"https:\/\/www.captcha.eu\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/captcha_eu"]},{"@type":"Person","@id":"https:\/\/www.captcha.eu\/#\/schema\/person\/f1e4886cdd0c5bbbb44279dd0d95445a","name":"Codice di 
controllo","image":{"@type":"ImageObject","inLanguage":"it-IT","@id":"https:\/\/www.captcha.eu\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/48b669a092d552f5f30202f8da848c93fa4c54f8c2b3167568ed5cbccbe4994a?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/48b669a092d552f5f30202f8da848c93fa4c54f8c2b3167568ed5cbccbe4994a?s=96&d=mm&r=g","caption":"Captcha"},"sameAs":["https:\/\/www.captcha.eu"],"url":"https:\/\/www.captcha.eu\/it\/author\/admin\/"}]}},"pbg_featured_image_src":{"full":["https:\/\/www.captcha.eu\/wp-content\/uploads\/2026\/04\/Captcha.eu-1-1.png",1920,1080,false],"thumbnail":["https:\/\/www.captcha.eu\/wp-content\/uploads\/2026\/04\/Captcha.eu-1-1-150x150.png",150,150,true],"medium":["https:\/\/www.captcha.eu\/wp-content\/uploads\/2026\/04\/Captcha.eu-1-1-300x169.png",300,169,true],"medium_large":["https:\/\/www.captcha.eu\/wp-content\/uploads\/2026\/04\/Captcha.eu-1-1-768x432.png",768,432,true],"large":["https:\/\/www.captcha.eu\/wp-content\/uploads\/2026\/04\/Captcha.eu-1-1-1024x576.png",1024,576,true],"1536x1536":["https:\/\/www.captcha.eu\/wp-content\/uploads\/2026\/04\/Captcha.eu-1-1-1536x864.png",1536,864,true],"2048x2048":["https:\/\/www.captcha.eu\/wp-content\/uploads\/2026\/04\/Captcha.eu-1-1.png",1920,1080,false],"trp-custom-language-flag":["https:\/\/www.captcha.eu\/wp-content\/uploads\/2026\/04\/Captcha.eu-1-1-18x10.png",18,10,true]},"pbg_author_info":{"display_name":"Captcha","author_link":"https:\/\/www.captcha.eu\/it\/author\/admin\/","author_img":"<img alt='Captcha' src='https:\/\/secure.gravatar.com\/avatar\/48b669a092d552f5f30202f8da848c93fa4c54f8c2b3167568ed5cbccbe4994a?s=128&#038;d=mm&#038;r=g' srcset='https:\/\/secure.gravatar.com\/avatar\/48b669a092d552f5f30202f8da848c93fa4c54f8c2b3167568ed5cbccbe4994a?s=256&#038;d=mm&#038;r=g 2x' class='avatar avatar-128 photo' height='128' width='128' loading='lazy' decoding='async'\/>"},"pbg_comment_info":" No Comments","pbg_excerpt":"Credential 
stuffing attacks use real passwords stolen from prior breaches, not guesswork. That makes them faster, harder to detect, and more damaging than brute force. This guide covers the six defences that stop them, what to do if an attack is already running and which endpoints to protect first. At [&hellip;]","_links":{"self":[{"href":"https:\/\/www.captcha.eu\/it\/wp-json\/wp\/v2\/posts\/3616","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.captcha.eu\/it\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.captcha.eu\/it\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.captcha.eu\/it\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.captcha.eu\/it\/wp-json\/wp\/v2\/comments?post=3616"}],"version-history":[{"count":6,"href":"https:\/\/www.captcha.eu\/it\/wp-json\/wp\/v2\/posts\/3616\/revisions"}],"predecessor-version":[{"id":3633,"href":"https:\/\/www.captcha.eu\/it\/wp-json\/wp\/v2\/posts\/3616\/revisions\/3633"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.captcha.eu\/it\/wp-json\/wp\/v2\/media\/3617"}],"wp:attachment":[{"href":"https:\/\/www.captcha.eu\/it\/wp-json\/wp\/v2\/media?parent=3616"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.captcha.eu\/it\/wp-json\/wp\/v2\/categories?post=3616"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.captcha.eu\/it\/wp-json\/wp\/v2\/tags?post=3616"}],"curies":[{"name":"scrivere","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}