// Threat and defense
Credential stuffing and MFA on the admin panel
The admin panel is the most valuable target
Credential stuffing uses e-mail and password lists leaked from other services to try logging into yours. Because many people reuse passwords, a small but predictable fraction of those attempts work. The most valuable target is the admin panel: a compromised admin account usually grants access to all customers at once.
How the attack works
It is not guessing; it is automated reuse at scale.
- Bots test leaked e-mail/password pairs at high volume.
- Login with no rate limiting or detection lets the attack run unnoticed.
- An admin account without MFA falls to a reused password.
- An infostealer on the admin’s machine hands over session cookies and API tokens directly, so the attacker never touches the login form and is never prompted for MFA.
How to defend
The defense combines a barrier with visibility. MFA on admin accounts means a reused password is no longer enough on its own; rate limiting and detection keep the volume in check and make the attack visible; and monitoring privileged access warns when something departs from normal. MFA does not help against a session cookie stolen by an infostealer, which is why short sessions and re-authentication for sensitive actions belong in the same list.
- Mandatory MFA for every admin/privileged account.
- Rate limiting per source IP and per account, progressive (time-limited, not permanent) lockout so that an attacker cannot lock your own admins out, and anomaly checks at login.
- Alerts on admin login from a new location/device.
- Short admin sessions, with re-authentication for sensitive actions.
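The four measures above, combined into one policy, as an added example that is not code from the original page. The class, its method names and every threshold (20 attempts per IP per minute, lockout after 5 failures, 15-minute sessions, 5-minute re-authentication window) are assumptions chosen for illustration; the password and MFA verifiers are assumed to exist elsewhere and their results are passed in.

```python
"""Added example: login policy for an admin panel (hypothetical code, not the page's)."""
from collections import defaultdict, deque

# Policy values are constructed for the example; tune them to your own traffic.
IP_WINDOW_SEC = 60           # sliding window for per-source-IP counting
IP_MAX_ATTEMPTS = 20         # attempts per IP per window, across all accounts
ACCOUNT_FAIL_THRESHOLD = 5   # consecutive failures before progressive lockout starts
LOCKOUT_BASE_SEC = 30        # first lockout length; doubles with each further failure
LOCKOUT_CAP_SEC = 3600       # never lock longer than this (limits lockout-as-DoS)
SESSION_TTL_SEC = 15 * 60    # short admin session
REAUTH_MAX_AGE_SEC = 5 * 60  # sensitive actions need a fresh authentication


class AdminLoginGate:
    """Every account governed by this gate is privileged, so MFA is always required."""

    def __init__(self, known_devices=None):
        self.ip_attempts = defaultdict(deque)    # ip -> timestamps of recent attempts
        self.fail_count = defaultdict(int)       # user -> consecutive password failures
        self.locked_until = defaultdict(float)   # user -> epoch seconds
        self.known_devices = defaultdict(set, known_devices or {})  # user -> {(device, country)}
        self.alerts = []                          # would go to the SIEM / pager in production

    def _ip_throttled(self, ip, now):
        recent = self.ip_attempts[ip]
        while recent and recent[0] <= now - IP_WINDOW_SEC:
            recent.popleft()                      # drop attempts outside the window
        if len(recent) >= IP_MAX_ATTEMPTS:
            return True
        recent.append(now)
        return False

    def attempt(self, user, password_ok, mfa_ok, ip, device, country, now):
        """Return one of: throttled_ip, locked, denied, mfa_required, ok."""
        if self._ip_throttled(ip, now):
            return "throttled_ip"
        if now < self.locked_until[user]:
            return "locked"
        if not password_ok:
            self.fail_count[user] += 1
            n = self.fail_count[user]
            if n >= ACCOUNT_FAIL_THRESHOLD:
                # Progressive: 30s, 60s, 120s ... capped, instead of a permanent lock.
                delay = min(LOCKOUT_BASE_SEC * 2 ** (n - ACCOUNT_FAIL_THRESHOLD), LOCKOUT_CAP_SEC)
                self.locked_until[user] = now + delay
            return "denied"
        if not mfa_ok:
            # A reused password alone never gets in: the second factor is still missing.
            return "mfa_required"
        self.fail_count[user] = 0
        fingerprint = (device, country)
        if fingerprint not in self.known_devices[user]:
            self.alerts.append(f"admin login for {user} from new device/location {fingerprint} via {ip}")
            self.known_devices[user].add(fingerprint)
        return "ok"

    @staticmethod
    def new_session(user, now):
        return {"user": user, "expires": now + SESSION_TTL_SEC, "last_auth": now}

    @staticmethod
    def sensitive_action_allowed(session, now):
        """Short session plus re-authentication for sensitive actions."""
        if now >= session["expires"]:
            return False
        return now - session["last_auth"] <= REAUTH_MAX_AGE_SEC


def demo():
    """Constructed traffic: a stuffing run against 'admin', then a legitimate login."""
    gate = AdminLoginGate({"admin": {("laptop-1", "FR")}})
    results = []
    for t in range(5):  # five wrong passwords, one per second, from one bot IP
        results.append(gate.attempt("admin", False, False, "203.0.113.7", "bot", "ZZ", now=t))
    results.append(gate.attempt("admin", True, True, "203.0.113.7", "bot", "ZZ", now=10))        # still locked
    results.append(gate.attempt("admin", True, False, "198.51.100.2", "phone-9", "US", now=40))  # password ok, no MFA
    results.append(gate.attempt("admin", True, True, "198.51.100.2", "phone-9", "US", now=41))   # ok, new device alert
    return results, gate.alerts


if __name__ == "__main__":
    print(demo())
```

The two limits are deliberately separate: the per-IP window catches the bot's volume regardless of which accounts it targets, while the per-account counter catches a slow attack spread across many IPs. The lockout is capped and doubles from a short base so that a bot feeding bad passwords cannot keep your own admins locked out indefinitely.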
When to ask for help
If you have no visibility into who accesses the admin panel or how login behaves under abuse, a human review (Risk Review) helps prioritize: what to block now, what to monitor, and what needs deeper testing before you grow your user base.
Frequently asked questions
Does a strong password solve credential stuffing?
It helps against guessing, but not against reuse: if the same password leaked elsewhere, it is already known. Checking new passwords against known-breach lists catches some reuse, but the core defense is MFA, especially on admin.
Is SMS MFA enough?
It is better than nothing, but SMS is vulnerable to SIM swap and interception. Prefer an authenticator app (TOTP) or a security key (FIDO2/WebAuthn), especially for admin. Of the two, only the security key resists phishing: a TOTP code can be relayed by a real-time phishing page, but a key signs the origin it is talking to.
How do I know if I am under credential stuffing?
Spikes in login failures; many attempts against many different e-mails from the same IP or range, with only one or two tries per account (unlike brute force, which hammers a single account); and successes from unusual locations or devices. Bots also spread their traffic across proxies, so watch the failure ratio of the whole login endpoint, not only per-IP counts. Without rate limiting and logs, the attack goes unnoticed — start by measuring.
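The three signals above, run over a few constructed log lines, as an added example that is not the page's code. The log format, the /24 grouping and the thresholds (10 failures across at least 5 accounts per range, 50% failure ratio) are assumptions; a real auth service logs differently and the thresholds must be set from your own baseline.

```python
"""Added example: credential-stuffing signals over login logs (hypothetical code)."""
import re
from collections import defaultdict

# Constructed log format for the example; adapt the regex to your auth service.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+) geo=(?P<geo>\S+)$"
)

# Constructed sample: 12 failures against 12 different accounts from one /24,
# a normal user with one typo, and an admin success from the hostile range.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T02:00:{i:02d}Z login fail user=user{i}@example.com ip=203.0.113.{i % 4 + 1} geo=ZZ"
     for i in range(12)]
    + [
        "2024-05-01T02:00:30Z login ok user=alice@example.com ip=198.51.100.10 geo=FR",
        "2024-05-01T02:00:31Z login fail user=alice@example.com ip=198.51.100.10 geo=FR",
        "2024-05-01T02:00:32Z login ok user=alice@example.com ip=198.51.100.10 geo=FR",
        "2024-05-01T02:00:40Z login ok user=admin@example.com ip=203.0.113.2 geo=ZZ",
    ]
)

# Constructed baseline: countries each privileged user normally logs in from.
BASELINE = {"admin@example.com": {"FR"}, "alice@example.com": {"FR"}}


def parse(log_text):
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def slash24(ip):
    return ".".join(ip.split(".")[:3]) + ".0/24"


def detect(events, baseline, fail_threshold=10, user_threshold=5, fail_ratio=0.5):
    findings = []

    # Signal 1: many failures spread over many distinct accounts from one range.
    fails_by_range = defaultdict(int)
    users_by_range = defaultdict(set)
    for e in events:
        if e["result"] == "fail":
            r = slash24(e["ip"])
            fails_by_range[r] += 1
            users_by_range[r].add(e["user"])
    hostile = set()
    for r, n in fails_by_range.items():
        if n >= fail_threshold and len(users_by_range[r]) >= user_threshold:
            hostile.add(r)
            findings.append({"kind": "stuffing_source", "range": r, "fails": n, "users": len(users_by_range[r])})

    # Signal 2: a success from a location the user has no history with, or from a hostile range.
    for e in events:
        if e["result"] != "ok":
            continue
        if e["geo"] not in baseline.get(e["user"], set()) or slash24(e["ip"]) in hostile:
            findings.append({"kind": "suspicious_success", "user": e["user"], "ip": e["ip"], "geo": e["geo"]})

    # Signal 3: failure ratio of the whole endpoint, which survives proxy rotation.
    total = len(events)
    fails = sum(1 for e in events if e["result"] == "fail")
    if total and fails / total >= fail_ratio:
        findings.append({"kind": "failure_spike", "ratio": round(fails / total, 2)})
    return findings


if __name__ == "__main__":
    for f in detect(parse(SAMPLE_LOG), BASELINE):
        print(f)
```

The distinct-account count is what separates stuffing from a brute-force: a bot with a leaked list tries each account once or twice and moves on, so per-account lockout alone never fires. The admin success in the sample is the finding to act on first, since it is both from an unknown location and from a range already producing failures.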