16 billion stolen passwords. The industry warned us in 2020.

Ross Joughin · 13 March 2026

In April 2020, we published an article warning about credential stuffing. The headline then was 500,000 Zoom accounts sold on hacker forums. We said passwords were the problem. We were right — but we didn't predict how much worse it would get.

The numbers have become staggering

In 2020, credential stuffing was a growing concern. In 2026, it is an industrial-scale operation.

According to the Verizon Data Breach Investigations Report, stolen credentials drove 22% of all data breaches in 2025 — making it the most common initial access vector for the third consecutive year. That is not a trend. That is a structural failure in how we authenticate people.

The scale is difficult to comprehend. In 2025 alone, 1.8 billion credentials were harvested by infostealer malware — programmes like RedLine, Raccoon, and Lumma that silently capture usernames and passwords from infected devices. These credentials flow into dark web markets, get compiled into combolists, and feed automated attack tools that can test millions of login combinations per hour.
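The automated testing described above leaves a distinctive trace in authentication logs, and the following added example (not from the original article) shows one way a defender can pick it out: a stuffing source spreads a few attempts across many distinct accounts with a high failure rate, whereas a brute force hammers a single account. The log format (timestamp, source IP, username, result), the sample IPs and the thresholds are assumptions made for this demonstration.

```python
# Added example, not from the article: flag the credential stuffing pattern
# (one source, many distinct accounts, mostly failures) in auth logs.
# Log format, IPs and thresholds are assumptions made for this demo.
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample lines: "<timestamp> <src_ip> <username> <result>"
SAMPLE_LOG = """\
2026-03-10T09:00:01Z 203.0.113.7 alice FAIL
2026-03-10T09:00:01Z 203.0.113.7 bob FAIL
2026-03-10T09:00:02Z 203.0.113.7 carol FAIL
2026-03-10T09:00:02Z 203.0.113.7 dave OK
2026-03-10T09:00:03Z 203.0.113.7 erin FAIL
2026-03-10T09:00:04Z 198.51.100.9 alice FAIL
2026-03-10T09:00:05Z 198.51.100.9 alice FAIL
2026-03-10T09:00:06Z 198.51.100.9 alice FAIL
2026-03-10T09:00:07Z 198.51.100.9 alice FAIL
2026-03-10T09:00:08Z 198.51.100.9 alice FAIL
2026-03-10T09:01:00Z 192.0.2.44 grace OK
"""

@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)

def aggregate(log_text: str) -> dict:
    """Group login attempts by source IP, skipping malformed lines."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, ip, user, result = parts
        stats[ip].attempts += 1
        stats[ip].users.add(user)
        if result != "OK":
            stats[ip].failures += 1
    return dict(stats)

def classify(s: SourceStats, min_attempts=5, min_users=5, fail_ratio=0.7) -> str:
    """Stuffing spreads across many accounts; brute force hammers one account."""
    if s.attempts < min_attempts or s.failures / s.attempts < fail_ratio:
        return "normal"
    return "credential_stuffing" if len(s.users) >= min_users else "brute_force"

def detect(log_text: str) -> dict:
    """Map each source IP to a verdict."""
    return {ip: classify(s) for ip, s in aggregate(log_text).items()}
```

Thresholds this low are only suitable for a demo; on real traffic they would be tuned per application and combined with rate limiting and breached-password checks rather than used alone.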

The 2025 mega-leak exposed 16 billion credentials in a single data dump. And globally, there are now an estimated 26 billion credential stuffing attempts every month.

The human factor hasn't improved

Despite years of awareness campaigns, 94% of passwords are still reused across sites. That means a single breach — of a forum, a retail site, a forgotten subscription — can cascade into compromised email, banking, and corporate accounts.

88% of web application breaches in 2025 involved stolen credentials. The average credential stuffing breach costs $4.8 million.

The real-world consequences are not abstract. In March 2025, a coordinated credential stuffing attack hit five major Australian superannuation funds. Over 20,000 accounts were compromised, and AUD 500,000 was stolen from retirement savings. The attack used credentials harvested from entirely unrelated breaches — the victims had done nothing wrong on the superannuation platforms themselves.

Why stronger passwords and MFA haven't solved it

The industry response to credential theft has been to demand stronger passwords and layer on multi-factor authentication. Neither addresses the fundamental problem.

Stronger passwords are still passwords. They can still be captured by infostealers, phished by real-time proxy attacks, or included in the next mega-leak. Password managers help, but adoption remains low and they are themselves targets.

SMS-based MFA — the most widely deployed second factor — is vulnerable to SIM swapping, SS7 exploits, and social engineering. Authenticator apps are better, but they still rely on a shared secret that exists on a device. If the device is compromised, the second factor falls with it.

The infostealer supply chain has made this worse. Modern infostealers capture not just passwords but session cookies, MFA tokens, and browser autofill data. They bypass MFA entirely by stealing authenticated sessions rather than credentials.

The fundamental problem

Every authentication method that relies on something that can be stored, transmitted, or replicated has the same fatal flaw: it can be stolen.

Passwords exist in databases. OTPs exist in transit. Session tokens exist in browsers. MFA secrets exist on devices. All of them are data — and data, once created, can be copied.

The question is not how to make credentials harder to steal. It is how to eliminate credentials entirely.

A different approach

Entry was built on this principle. Instead of creating a credential that represents the user, Entry verifies the user directly — through live biometric verification — and generates a single-use cryptographic key that is destroyed the moment the transaction completes.

There is no password to stuff. No token to intercept. No session to hijack. No stored secret to steal. Each verification is bound to a specific person, a specific device, a specific transaction, and a specific moment in time.

In 2020, we said passwords were the problem. Six years and 16 billion stolen credentials later, the evidence is overwhelming. The era of stored credentials — in any form — needs to end.

The technology to replace them already exists.