The Real Economics of Credential Stuffing: Low Success, High Impact
- Don Bush
- 5 days ago
- 2 min read
(Excerpts from the recently published Special Report, “The Economics of Credential Stuffing Attacks and Account Takeover Fraud” by myNetWatchman)
Credential stuffing has endured because it’s ruthlessly economical.
Attackers take username/password pairs harvested from one breach, or several combined, and automate login attempts across thousands of sites. Even when only a tiny fraction succeed (think 0.00018% to 0.025%), the sheer scale turns pennies into profits for the attacker and headaches into real losses for businesses (see report pages 1 and 5). The problem persists because consumers, employees, and vendors reuse passwords, and because criminals can cheaply rent botnets, proxies, and tools that mimic human behavior.
The math favors the adversary.
As the report details, a large-scale campaign can cost around $300 for the total package of credential lists, residential proxies, 2FA-bypass kits, and automation software (page 4). Break-even can come at a success rate of roughly 0.006% if each compromised account yields just $50, and many accounts are worth far more than that. At volume, the numbers get staggering: one streaming service saw 773 million credential-test attacks in a year, producing nearly 2 million successful logins at a 0.0025% hit rate; even a “low” success rate becomes material at internet scale (page 5).
For organizations, the economics cut the other way.
There are direct fraud losses, investigation and remediation costs, and reputational harm. The report cites $13B lost to ATO fraud in 2023 and an average of $4.81M per credential-stuffing attack (pages 4–5). Operationally, bots can clog login flows: roughly 16.5% of login-page traffic is linked to stuffing, driving latency, downtime, and support load (page 5). Compliance risk compounds the pain: PCI DSS, GDPR, and CCPA enforcement can stack fines and legal exposure on top (page 7).
The threat is evolving, too.
AI-powered bots and headless browser automation help attackers solve CAPTCHAs, navigate complex flows, and adapt to defenses (page 6). That means static controls won’t keep up.
What does work is shifting the economics back in your favor. The report recommends a multi-layered defense: credential screening to spot exposed or actively abused credentials, MFA, aggressive rate limiting, device fingerprinting, behavioral biometrics, cooling-off periods for high-risk actions, and zero-trust checks for sensitive steps (pages 8–9).
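As an added illustration (not code from the report or from myNetWatchman), the detector below applies the core stuffing signature, many distinct accounts sprayed from one source with almost all attempts failing, to a constructed login log; the log format and thresholds are assumptions, and any account that did log in from a flagged source is returned as a candidate for an MFA step-up or a cooling-off period.

```python
from collections import defaultdict

# Constructed sample log (not from the report). Assumed line format:
# "<timestamp> <source_ip> <username> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice FAIL
2024-05-01T10:00:02Z 203.0.113.7 bob FAIL
2024-05-01T10:00:03Z 203.0.113.7 carol FAIL
2024-05-01T10:00:04Z 203.0.113.7 dave FAIL
2024-05-01T10:00:05Z 203.0.113.7 erin FAIL
2024-05-01T10:00:06Z 203.0.113.7 frank SUCCESS
2024-05-01T10:01:00Z 198.51.100.5 alice FAIL
2024-05-01T10:01:09Z 198.51.100.5 alice SUCCESS
2024-05-01T10:02:00Z 192.0.2.9 ivan SUCCESS
2024-05-01T10:02:30Z 192.0.2.9 judy SUCCESS
2024-05-01T10:03:00Z 192.0.2.9 ivan SUCCESS
2024-05-01T10:03:30Z 192.0.2.9 mallory SUCCESS
2024-05-01T10:04:00Z 192.0.2.9 judy SUCCESS
"""

def parse_events(text):
    """Return (source_ip, username, succeeded) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if line.strip():
            _ts, ip, user, result = line.split()
            events.append((ip, user, result == "SUCCESS"))
    return events

def stuffing_sources(events, min_attempts=5, min_user_ratio=0.8, max_success_rate=0.2):
    """Flag source IPs that try many distinct accounts with mostly failures.
    A shared NAT (few users, mostly successes) does not match. Thresholds are illustrative."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": 0})
    for ip, user, ok in events:
        s = per_ip[ip]
        s["attempts"] += 1
        s["users"].add(user)
        s["successes"] += int(ok)
    flagged = {}
    for ip, s in per_ip.items():
        user_ratio = len(s["users"]) / s["attempts"]      # ~1.0 means one try per account
        success_rate = s["successes"] / s["attempts"]
        if (s["attempts"] >= min_attempts and user_ratio >= min_user_ratio
                and success_rate <= max_success_rate):
            flagged[ip] = {"attempts": s["attempts"], "distinct_users": len(s["users"]),
                           "success_rate": round(success_rate, 4)}
    return flagged

def accounts_needing_step_up(events, flagged):
    """Accounts that logged in from a flagged source: candidates for an MFA
    challenge, forced reset, or a cooling-off period on high-risk actions."""
    return {user for ip, user, ok in events if ok and ip in flagged}
```

Production deployments should key the same counters on device fingerprint and ASN as well as IP, since residential proxies spread one campaign across many addresses.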
Real-world outcomes are compelling.
One international ISP drove ATOs down from 3,000/day to 4/day. The sidebar on page 9 also highlights a 91% detection rate of compromised credentials at a multi-channel retailer, which slashed successful ATOs from 532,000 to under 49,000 after implementing myNetWatchman’s AllCreds screening.
If losses from credential stuffing feel inevitable, this report shows they aren’t. You can upend the attacker’s ROI with layered controls and proactive credential screening at account creation, password reset, and login.