What is Credential Stuffing (Agent)?
Agent credential stuffing uses an AI agent's tool access to systematically test stolen credentials against services, leveraging the agent's speed and API access for automated attacks.
WHY IT MATTERS
Traditional credential stuffing uses botnets to test stolen username/password pairs against login endpoints. Agent credential stuffing is the same attack executed through MCP tools — using the agent's legitimate API access as the attack vector. The agent makes authentication requests through its normal tools, but with attacker-supplied credentials rather than legitimate ones.
AI agents are effective credential stuffing tools because they have legitimate API access (bypassing IP-based rate limiting), they can reason about authentication flows (adapting to different login mechanisms), they operate at machine speed (testing thousands of credential pairs quickly), and their requests look legitimate (coming from a trusted application, not a botnet).
A compromised agent might be manipulated into this through indirect injection — a poisoned data source containing a list of credentials with instructions to "verify" each one. Or a malicious MCP server might expose a tool that claims to "validate user accounts" but actually tests credentials against a target service.
The attack is particularly concerning in enterprise environments where the agent's API access comes with elevated trust — requests from the agent's IP may be allowlisted, rate-limited more generously, or exempted from CAPTCHA challenges that would stop traditional credential stuffing.
HOW POLICYLAYER USES THIS
Intercept prevents agent-based credential stuffing through rate limiting and argument validation policies. YAML policies can restrict authentication-related tool calls to expected patterns, limit the rate of login attempts, and block bulk parameter patterns indicative of credential lists. The audit trail captures every authentication tool call, enabling rapid detection of stuffing patterns even when each individual call passes validation.
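The three controls described above (per-call argument validation, per-agent rate limiting, and pattern detection over the audit trail) can be demonstrated with a small detector run over sample audit records. The following is an added example written for this page, not PolicyLayer or Intercept code: the JSON-lines log format, the tool names in AUTH_TOOLS, the argument key names, the thresholds, and the sample log lines are all assumptions constructed for illustration.

```python
"""Detecting agent credential stuffing from an audit trail of tool calls.

Added example (not PolicyLayer/Intercept code). The log format, tool names,
argument keys and thresholds are assumptions chosen for illustration.
"""
import json
import re
from collections import defaultdict, deque

AUTH_TOOLS = {"login", "authenticate", "validate_user_account"}  # assumed tool names
WINDOW_SECONDS = 60                 # sliding window for per-agent counters
MAX_AUTH_CALLS_PER_WINDOW = 5       # more auth calls than this -> "auth_rate"
MAX_DISTINCT_USERS_PER_WINDOW = 3   # more usernames than this -> "distinct_usernames"
USERNAME_KEYS = {"username", "user", "email", "login"}
PASSWORD_KEYS = {"password", "passwd", "secret"}
# One "user:pass" line, the shape of a pasted credential list.
CRED_LINE_RE = re.compile(r"^[^:\s]+:[^\s]+$", re.MULTILINE)


def count_credential_pairs(value):
    """Recursively count username/password pairs inside a tool's arguments.
    A legitimate login carries exactly one; a credential list carries many."""
    if isinstance(value, dict):
        keys = {k.lower() for k in value}
        own = 1 if (keys & USERNAME_KEYS and keys & PASSWORD_KEYS) else 0
        nested = sum(count_credential_pairs(v) for k, v in value.items()
                     if k.lower() not in USERNAME_KEYS | PASSWORD_KEYS)
        return own + nested
    if isinstance(value, list):
        return sum(count_credential_pairs(v) for v in value)
    if isinstance(value, str):
        return len(CRED_LINE_RE.findall(value))
    return 0


def extract_username(args):
    """Return the first username-like string in the arguments, or None."""
    if isinstance(args, dict):
        for k, v in args.items():
            if k.lower() in USERNAME_KEYS and isinstance(v, str):
                return v
        for v in args.values():
            found = extract_username(v)
            if found:
                return found
    elif isinstance(args, list):
        for v in args:
            found = extract_username(v)
            if found:
                return found
    return None


class StuffingDetector:
    def __init__(self):
        # agent -> deque of (timestamp, username) for recent auth tool calls
        self.recent = defaultdict(deque)

    def check(self, event):
        """Evaluate one audit event; return the list of findings (empty if clean)."""
        findings = []
        if event.get("tool") not in AUTH_TOOLS:
            return findings
        args, ts, agent = event.get("args", {}), event["ts"], event["agent"]

        # 1. Argument validation: one auth call should carry one credential pair.
        if count_credential_pairs(args) > 1:
            findings.append("bulk_credentials")

        # 2. Sliding-window rate limit on auth calls per agent.
        window = self.recent[agent]
        window.append((ts, extract_username(args)))
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) > MAX_AUTH_CALLS_PER_WINDOW:
            findings.append("auth_rate")

        # 3. Audit-trail pattern: many distinct usernames from one agent, even
        #    though each call on its own looked like a normal single login.
        users = {u for _, u in window if u}
        if len(users) > MAX_DISTINCT_USERS_PER_WINDOW:
            findings.append("distinct_usernames")
        return findings


def analyze(log_lines):
    """Run the detector over JSON-lines audit records; return {agent: set(findings)}."""
    det, flagged = StuffingDetector(), defaultdict(set)
    for line in log_lines:
        if line.strip():
            event = json.loads(line)
            for f in det.check(event):
                flagged[event["agent"]].add(f)
    return dict(flagged)


# Constructed sample audit log (not real data).
SAMPLE_AUDIT_LOG = [
    # agent-ops: ordinary workflow, one service account, two logins a minute apart
    '{"ts": 1000, "agent": "agent-ops", "tool": "login", "args": {"username": "svc-report", "password": "[redacted]"}}',
    '{"ts": 1060, "agent": "agent-ops", "tool": "login", "args": {"username": "svc-report", "password": "[redacted]"}}',
    '{"ts": 1070, "agent": "agent-ops", "tool": "search", "args": {"q": "quarterly"}}',
    # agent-help: injected instruction to "verify" accounts, one valid-looking call per user
    *[f'{{"ts": {2000 + 5 * i}, "agent": "agent-help", "tool": "validate_user_account", '
      f'"args": {{"username": "u{i}@example.com", "password": "[redacted]"}}}}' for i in range(6)],
    # agent-batch: a single call whose argument is a pasted credential list
    '{"ts": 3000, "agent": "agent-batch", "tool": "authenticate", "args": {"accounts": "a@example.com:pw1\\nb@example.com:pw2\\nc@example.com:pw3"}}',
]

if __name__ == "__main__":
    for agent, findings in analyze(SAMPLE_AUDIT_LOG).items():
        print(agent, sorted(findings))
```

On the sample log, agent-ops produces no findings, agent-batch is stopped by argument validation alone (bulk_credentials), and agent-help is the case the page's last sentence describes: every one of its calls passes single-call validation, and only the per-agent counters over the audit trail surface it (distinct_usernames after the fourth call, auth_rate after the sixth).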