To perform a credential stuffing attack, the tool needs a stolen credential list to run against the targeted web login. These credential lists are simply a file of usernames (usually email addresses) and passwords. If the attacker hasn’t already obtained a batch of them through phishing, they can easily turn to the dark web.