Defending Against Credential Stuffing

Credential stuffing is where an attacker uses use names in passvorts or other personal data that was leaked in prior breaches. Of course, it's a little bit hard to defend against this attack because you don't know that your users used the password on other sites. One defence is rit limiting, where a base o only allow a certain number of oftication requests from ip address. The fbi report also lists a few other techniques that you can use to defend against credential stuffing.