From January through August, 45% of SIRT reported incidents were related to DDoS and 43% were password login attacks. The remaining 12% were reported incidents for things like malware infections, web attacks, or attacks that were not classified.
To perform a credential stuffing attack, the tool needs a stolen credential list to run against the targeted web login. These credential lists are simply a file of usernames (usually email addresses) and passwords. If the attacker hasn’t already obtained a batch of them through phishing, they can easily turn to the dark web.