Credential stuffing automates login attempts using username/password pairs from data breaches — effective because ~60% of people reuse passwords across sites.
Defense: MFA (makes stolen passwords useless), breached password detection (check against HaveIBeenPwned database), rate limiting, CAPTCHA, anomaly detection. Password reuse is the enabler.