by xur17 1512 days ago
> Every tech company is losing the war against credential stuffing. I have a friend working at a series B startup with <10k MAU, you wanna know how many login attempts there are each month? 25,000 login attempts. Per user. That's 250m login attempts each month using stolen credentials.

I ran into a similar situation (small, growing startup dealing with credential stuffing attacks). We have since implemented a few different solutions, but one of the most successful was rejecting reused passwords at signup using this service [0].

Some other effective solutions include captchas, emailing a verification code, etc. Aggressive rate limiting was not at all successful, as the botnets seem to have endless piles of residential IP addresses to send requests from.

[0] https://haveibeenpwned.com/Passwords
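The signup check described in the comment above, as an added example that is neither the commenter's code nor a client published by Have I Been Pwned. It uses the k-anonymity range endpoint of the Pwned Passwords API (GET https://api.pwnedpasswords.com/range/{first 5 hex chars of the SHA-1}, which answers with "SUFFIX:COUNT" lines; the optional Add-Padding header makes the service mix in zero-count dummy lines so response size leaks less). Only the 5-character hash prefix ever leaves the server doing the check. The sample range response embedded below is constructed for the demo; it contains the well-known SHA-1 of the string "password" with a made-up count, plus made-up suffixes and one padding line, so the example runs offline. The live_fetch function and its User-Agent string are assumptions about how one would wire the same check to the real endpoint.

```python
import hashlib
import urllib.request
from typing import Callable

# Constructed stand-in for the HIBP range response for prefix 5BAA6.
# Real responses list hundreds of suffixes; counts here are invented.
# The first suffix is the real SHA-1 tail of the string "password".
# The last line has count 0, which is what Add-Padding filler looks like.
SAMPLE_RANGE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "0018A45C4D1DEF81644B54AB7F969B88D65:35\r\n"
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
    "011053FD0102E94D6AE2F8B83D76FAF94F6:0\r\n"
)


def sha1_hex_upper(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex, the form HIBP uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}, dropping padding (count 0)
    and any malformed line rather than letting one bad line fail the check."""
    table = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        if not count.strip().isdigit():
            continue
        n = int(count)
        if n > 0:
            table[suffix.upper()] = n
    return table


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of breaches the password appeared in (0 if unseen).
    Only the 5-hex-char prefix is handed to fetch_range; the 35-char
    suffix is compared locally against the returned list."""
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    table = parse_range_response(fetch_range(prefix))
    return table.get(suffix, 0)


def is_password_acceptable(password: str, fetch_range: Callable[[str], str]) -> bool:
    """Signup policy: reject any password seen in at least one breach.
    A network failure should fail *closed* for signup, so an exception
    from fetch_range propagates rather than silently returning True."""
    return pwned_count(password, fetch_range) == 0


def offline_fetch(prefix: str) -> str:
    """Offline stand-in for the network call, serving the constructed sample."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def live_fetch(prefix: str) -> str:
    """Assumed wiring to the real endpoint (not exercised here).
    HIBP requires a User-Agent; the value below is a placeholder."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "example-signup-check/0.1", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple 7Qz!"]:
        seen = pwned_count(candidate, offline_fetch)
        verdict = "REJECT" if seen else "ok"
        print(f"{candidate!r}: seen {seen} times -> {verdict}")
```

Swap offline_fetch for live_fetch to run the check against the real service. Because the suffix never leaves the process, the check can sit in the signup handler without sending the plaintext or the full hash anywhere; the remaining caveat is that it guards against reused known-breached passwords, not against an attacker replaying a user's own valid credentials, which is why the commenter pairs it with captchas and email verification.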