Overview of the attack

The credential stuffing campaign began with relatively low-volume probing activity, but quickly escalated on May 17, reaching a peak of 350,000 requests per 3-hour window. After DataDome’s mitigation was deployed, blocking rates spiked and remained consistently high, effectively neutralizing the attack even as it persisted.

Figure 1: Malicious login attempts per 3-hour window

The attackers relied on a static, outdated Edge browser user-agent, repeated header signatures, and an unusually large pool of rotating IPs—common tactics used to mimic human traffic while testing stolen credentials at scale.
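
The traits above (one unchanging user-agent and header signature seen across a very large number of source IPs) can be turned into a simple detection rule. This is an added example, not DataDome's detection logic: the event field names, thresholds, and sample traffic are all constructed assumptions.

```python
"""Flag login traffic where one client signature is spread across many source IPs."""
import hashlib
from collections import defaultdict

def fingerprint(user_agent, header_names):
    """Hash the user-agent plus the ordered header names into a short signature."""
    material = user_agent + "\n" + ",".join(h.lower() for h in header_names)
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def find_stuffing_fingerprints(events, min_ips=50, min_fail_ratio=0.9):
    """Return {fingerprint: stats} for signatures seen from many IPs with mostly failed logins.

    Thresholds are illustrative assumptions; tune them against your own baseline.
    """
    stats = defaultdict(lambda: {"ips": set(), "total": 0, "failed": 0})
    for ev in events:
        s = stats[fingerprint(ev["ua"], ev["headers"])]
        s["ips"].add(ev["ip"])
        s["total"] += 1
        s["failed"] += 0 if ev["ok"] else 1
    flagged = {}
    for fp, s in stats.items():
        fail_ratio = s["failed"] / s["total"]
        if len(s["ips"]) >= min_ips and fail_ratio >= min_fail_ratio:
            flagged[fp] = {"distinct_ips": len(s["ips"]), "requests": s["total"],
                           "fail_ratio": round(fail_ratio, 3)}
    return flagged

def sample_events():
    """Constructed events: 200 requests from 200 IPs sharing one signature, plus 3 ordinary users."""
    bot_ua = "Mozilla/5.0 (constructed) Edge/18.0"
    bot_headers = ["Host", "User-Agent", "Accept", "Content-Type"]
    events = [{"ip": f"203.0.113.{i}", "ua": bot_ua, "headers": bot_headers, "ok": i % 100 == 0}
              for i in range(200)]
    human_headers = ["Host", "User-Agent", "Accept", "Accept-Language", "Cookie"]
    for n, ua in enumerate(["Browser-A/1.0 (constructed)", "Browser-B/2.0 (constructed)",
                            "Browser-C/3.0 (constructed)"]):
        events.append({"ip": f"192.0.2.{n + 1}", "ua": ua, "headers": human_headers, "ok": n != 0})
    return events

if __name__ == "__main__":
    for fp, s in find_stuffing_fingerprints(sample_events()).items():
        print(fp, s)
```

Per-IP rate limits miss this pattern because each address sends only a few requests; grouping by signature is what exposes the shared client behind the rotating pool.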
