Your monitoring shows a sudden 10× spike in failed login attempts across thousands of usernames. What is happening and how do you respond?
Expected Points
- Identify this as credential stuffing rather than a brute-force attack on a single account. The tell is many distinct usernames with only one or two attempts each, spread across many source IPs: an external breach dump is being replayed against your login endpoint.
- Apply immediate rate limiting and throttling at the edge (CDN/WAF): block or slow source IPs and CIDRs with high failure rates, and serve a CAPTCHA challenge once failures from a source exceed a threshold. Expect the attacker to rotate through proxy pools, so also throttle on request fingerprint (user-agent, TLS fingerprint, header order) and on failures per target account, not only per IP.
- Check whether any attempts succeeded: cross-reference the spike window against successful logins, especially successes from IPs or fingerprints that also produced failures against other accounts, and look for subsequent suspicious activity such as email, password or MFA changes and data exports.
- For any account with a successful login followed by immediate account changes, treat it as compromised: terminate active sessions, lock the account, force a password reset, and notify the user.
- Temporarily push MFA prompts or step-up challenges (for example on any login from a new device or IP) to reduce risk during the active attack window.
- Preserve logs with full detail (IPs, user-agents, timing, target usernames) for forensics and to refine detection signatures.
- Long term: check passwords against breach corpora at login and at password set/reset (for example the Have I Been Pwned Pwned Passwords k-anonymity API), enforce MFA broadly, and make CAPTCHA and per-account lockout standard controls. Note that per-account lockout alone does little against stuffing, since each account sees only one or two attempts, and aggressive lockout hands the attacker a denial-of-service lever; prefer progressive delays and risk-based challenges.
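The breached-password check from the last point, written out as an added example for this question (not code from the page). It follows the Pwned Passwords range API as HIBP documents it: the client hashes the password with SHA-1, sends only the first five hex characters, and matches the remaining 35 against the returned `SUFFIX:COUNT` lines, so neither the password nor its full hash leaves your infrastructure. The HTTP call is replaced by a constructed stub response so the example runs offline; the counts in that stub are made up.

```python
"""Pwned Passwords k-anonymity check. Added example for this question, not
the page's code. Endpoint and response format are as documented by HIBP;
the stub response body below is constructed and its counts are not real."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password.
    Only the 5-character prefix is ever sent over the network."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; padding entries with count 0 are dropped."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        if int(count) > 0:
            counts[suffix] = int(count)
    return counts


def fetch_range_live(prefix: str) -> str:
    """Real lookup (not exercised offline). The Add-Padding header asks HIBP
    to pad the response so its size does not reveal which prefix was asked."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "login-hardening-example"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


# Constructed stub standing in for the HTTP call. The first suffix is the
# genuine remainder of SHA-1("password"); the counts and the other suffix
# are invented, and the last line mimics a padding entry.
STUB_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3141592\n"
        "003D68EB55068C33ACE09247EE4C639306B:3\n"
        + "0" * 35 + ":0\n"
    ),
}


def fetch_range_stub(prefix: str) -> str:
    return STUB_RANGES.get(prefix, "")


def breach_count(password: str, fetch_range=fetch_range_stub) -> int:
    """Number of times the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def reject_password(password: str, fetch_range=fetch_range_stub, min_count: int = 1) -> bool:
    """Policy hook for set/reset, and for a login-time 'change your password'
    nudge: True when the password has been seen at least min_count times."""
    return breach_count(password, fetch_range) >= min_count


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, breach_count(pw), reject_password(pw))
```

In production pass `fetch_range_live` instead of the stub, cache range responses by prefix (they are safe to cache, since the prefix alone identifies nothing), and fail open with a logged warning if the API is unreachable so that an outage does not block every login.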
A spike of failed logins spread across many accounts is the classic signature of a credential stuffing attack: an automated tool replaying username/password pairs from a breach dump against your login endpoint. The attacker's goal is to find accounts whose owners reused a password from a previously breached site, which is why even a tiny success rate pays off at the scale of a dump with millions of pairs.
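The triage described above (classify the spike, find accounts that may have fallen, pick the source ranges to throttle) as an added example that is not part of the original question or answer. The log format, the field order, the event names and the thresholds are assumptions; the log lines are constructed for the example.

```python
"""Triage a spike of failed logins: decide whether it looks like credential
stuffing or single-account brute force, find successful logins that deserve
a closer look, and list the noisiest source /24s for an edge block. Added
example for this question, not code from the page; the log format, the
event names and the thresholds are assumptions."""
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log lines: "<timestamp> <event> <username> <source ip>".
LOG_LINES = """\
2024-05-01T10:00:01Z login_fail alice 203.0.113.10
2024-05-01T10:00:02Z login_fail bob 203.0.113.11
2024-05-01T10:00:02Z login_fail carol 198.51.100.7
2024-05-01T10:00:03Z login_fail dave 203.0.113.12
2024-05-01T10:00:04Z login_fail erin 198.51.100.8
2024-05-01T10:00:05Z login_ok frank 203.0.113.13
2024-05-01T10:00:06Z login_fail grace 198.51.100.9
2024-05-01T10:00:07Z login_ok heidi 192.0.2.50
2024-05-01T10:00:08Z login_fail ivan 203.0.113.14
2024-05-01T10:00:09Z login_ok judy 203.0.113.10
2024-05-01T10:00:40Z email_change frank 203.0.113.13
2024-05-01T10:15:00Z password_change heidi 192.0.2.50
""".splitlines()

SENSITIVE_EVENTS = {"email_change", "password_change", "mfa_change", "data_export"}


def parse(lines):
    """Parse log lines into (timestamp, event, user, ip) tuples, oldest first."""
    events = []
    for line in lines:
        ts, event, user, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, user, ip))
    return sorted(events)


def classify(events, min_users=5, max_attempts_per_user=2):
    """Return (verdict, stats). Stuffing spreads one or two attempts over many
    usernames and many sources; brute force hammers one or two accounts."""
    fails = [e for e in events if e[1] == "login_fail"]
    per_user = Counter(e[2] for e in fails)
    stats = {
        "failures": len(fails),
        "distinct_users": len(per_user),
        "distinct_ips": len({e[3] for e in fails}),
        "max_attempts_per_user": max(per_user.values(), default=0),
    }
    if not fails:
        return "quiet", stats
    if stats["distinct_users"] >= min_users and stats["max_attempts_per_user"] <= max_attempts_per_user:
        return "credential_stuffing", stats
    if stats["distinct_users"] < min_users and stats["max_attempts_per_user"] > max_attempts_per_user:
        return "brute_force", stats
    return "mixed", stats


def find_compromised(events, follow_up=timedelta(minutes=10)):
    """Map user -> reasons for every successful login that either came from a
    source IP that also produced failures, or was followed by a sensitive
    account change within `follow_up`. Heidi's change 15 minutes later is
    outside the window and stays unflagged."""
    attacker_ips = {e[3] for e in events if e[1] == "login_fail"}
    flagged = {}
    for ts, event, user, ip in events:
        if event != "login_ok":
            continue
        reasons = []
        if ip in attacker_ips:
            reasons.append("success from a source IP that also failed against other accounts")
        if any(ev in SENSITIVE_EVENTS and u == user and ts <= t <= ts + follow_up
               for t, ev, u, _ in events):
            reasons.append(f"sensitive account change within {follow_up} of login")
        if reasons:
            flagged[user] = reasons
    return flagged


def noisy_prefixes(events, min_fails=3):
    """Aggregate failures per /24 and return the prefixes worth throttling at
    the edge, sorted. Assumes IPv4 sources."""
    per_net = Counter(
        str(ipaddress.ip_network(f"{e[3]}/24", strict=False))
        for e in events if e[1] == "login_fail"
    )
    return sorted(net for net, n in per_net.items() if n >= min_fails)


if __name__ == "__main__":
    evs = parse(LOG_LINES)
    print(classify(evs))
    print(find_compromised(evs))
    print(noisy_prefixes(evs))
```

On the sample data the verdict is credential stuffing (seven usernames, one attempt each, seven sources), frank is flagged because an email change follows his login within the window, judy because her successful login came from an IP that had just failed against alice, and both /24s exceed the failure threshold. Feed the flagged accounts into the lock-and-reset workflow and the prefixes into the WAF rule; in a real incident also key `find_compromised` on request fingerprint, since the sources will not stay on a handful of /24s.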