Rate Limits Don't Stop Distributed Credential Attacks. A Credential Graph Does.
A credential stuffing campaign spreads across thousands of IPs, keeps per-IP volume well below any rate limit, and rotates user agents to evade bot detection. To a per-IP rule on a single endpoint, the attack is indistinguishable from background noise. Hirefathom's credential graph watches the campaign pattern instead: total attempt velocity, cross-endpoint credential reuse, and failure-rate deviation, measured across your entire API surface at once.
What Credential Abuse Actually Looks Like
Credential Stuffing
Automated bots test leaked username/password pairs from prior breaches against your login endpoint. Spread across a botnet, each IP sends only 2-5 attempts, below any per-IP rate limit. Because users reuse passwords, a success rate of 0.1-2% against a large credential list still translates to thousands of compromised accounts.
Password Spraying
One or a few common passwords (e.g., "Summer2024!") are tried against thousands of accounts, with one or two attempts per account so that per-account lockout thresholds never trip. The attacker usually works from a list of valid usernames harvested in a prior enumeration phase.
Account Enumeration
Error responses that differentiate "user doesn't exist" from "wrong password" let an attacker build a list of valid usernames. Even timing differences (100ms vs 200ms response time) leak user existence, typically because the password hash is never computed for an unknown user. Hirefathom detects the enumeration query pattern itself (many distinct usernames probed with one or two attempts each), not just the timing leak.
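The two leaks described above, shown as an added example rather than code from the page or from Hirefathom: a hypothetical login handler whose distinct error messages and early return (no hashing for unknown users) give away account existence, beside a hardened version that returns one message, always performs exactly one hash computation against a fixed dummy record, and compares in constant time. The user store, the PBKDF2 parameters and the `timing_ratio` helper are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Hypothetical handlers built for this example; not Hirefathom code.
_ITER = 50_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITER)


def make_user_store(creds: dict) -> dict:
    """Constructed user store: username -> (salt, pbkdf2 hash)."""
    store = {}
    for user, pw in creds.items():
        salt = os.urandom(16)
        store[user] = (salt, _hash(pw, salt))
    return store


# One fixed dummy record so an unknown username pays the same hashing cost.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)


def login_leaky(store, username, password):
    """Vulnerable: distinct messages and an early return reveal whether the user exists."""
    if username not in store:
        return False, "user does not exist"          # fast path, no hashing at all
    salt, expected = store[username]
    if _hash(password, salt) != expected:            # slow path, full PBKDF2
        return False, "wrong password"
    return True, "ok"


def login_uniform(store, username, password):
    """Hardened: one message, one hash computation, constant-time compare."""
    salt, expected = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # The dummy record can never authenticate, but check membership anyway.
    ok = hmac.compare_digest(_hash(password, salt), expected) and username in store
    return ok, "ok" if ok else "invalid username or password"


def timing_ratio(handler, store, rounds=5):
    """Median response time for an unknown vs a known username; ~1.0 means no leak."""
    def median(user):
        samples = []
        for _ in range(rounds):
            start = time.perf_counter()
            handler(store, user, "wrong")
            samples.append(time.perf_counter() - start)
        return sorted(samples)[rounds // 2]
    return median("nobody") / median("alice")


if __name__ == "__main__":
    store = make_user_store({"alice": "correct-horse", "bob": "battery-staple"})
    for handler in (login_leaky, login_uniform):
        print(handler.__name__, "|", handler(store, "nobody", "x")[1], "|",
              handler(store, "alice", "x")[1],
              "| unknown/known time ratio %.2f" % timing_ratio(handler, store))
```

Run it and the leaky handler reports a time ratio far below 1.0 for the unknown user (the PBKDF2 call is skipped), while the uniform handler stays near 1.0 and returns the same message for both cases. Note that fixing the handler removes the oracle but not the attack traffic; the enumeration pattern is still visible in the logs.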
Credential Graph: Cross-Endpoint Visibility
The credential graph maps every credential → endpoint → time relationship across your entire API. A distributed attack that looks like noise at any single endpoint becomes a visible campaign at the graph level.
Cross-IP Velocity Tracking
The graph tracks total attempts per credential and per endpoint across all source IPs. A campaign sending 1 attempt from each of 10,000 IPs produces the same aggregate signal as 10,000 attempts from a single IP, and triggers the same alert, even though no individual IP ever approaches a rate limit.
Sequence Anomaly Detection
Normal users follow predictable sequences: login → fetch profile → list orders. Credential stuffing bots go login → immediate re-login with new credentials. The sequence graph flags the abnormal rhythm regardless of IP distribution.
Time-Series Baseline
Auth endpoints build a time-series baseline: failure rate, failure distribution, attempt velocity. A stuffing campaign pushing the failure rate from 2% to 60% over 20 minutes is flagged even if no single IP stands out.
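The three graph signals above (cross-IP velocity, login-to-re-login sequence rhythm, and failure-rate deviation from a baseline) as an added example run over constructed traffic. This is illustration code, not Hirefathom's implementation: the event format, thresholds, the 60-second window, and the sample traffic (300 legitimate sessions at a 2% failure rate, then a 2,000-IP botnet sending 1-3 attempts each) are all assumptions made for the example. Credentials are fingerprinted so the graph never holds raw passwords.

```python
import hashlib
import random
from collections import Counter, defaultdict

# Constructed sample traffic, not real logs. Seeded so results repeat.
rng = random.Random(7)


def cred_fp(user: str, password: str) -> str:
    """Fingerprint a credential pair so the graph never stores raw passwords."""
    return hashlib.sha256(f"{user}\x00{password}".encode()).hexdigest()[:12]


def normal_traffic(n_users=300, t0=0.0, span=600.0):
    """Legit users: one login (2% mistyped), then /profile and /orders."""
    events = []
    for i in range(n_users):
        ip, user = f"10.0.{i // 250}.{i % 250 + 1}", f"user{i}"
        t = t0 + rng.uniform(0, span)
        ok = i % 50 != 0                      # 1 in 50 logins fails -> 2% baseline
        pw = "correct-horse" if ok else "typo"
        events.append(dict(t=t, ip=ip, path="/login", fp=cred_fp(user, pw), ok=ok))
        if ok:
            events.append(dict(t=t + 1.0, ip=ip, path="/profile", fp=None, ok=True))
            events.append(dict(t=t + 2.5, ip=ip, path="/orders", fp=None, ok=True))
    return events


def stuffing_traffic(n_ips=2000, t0=600.0, span=1200.0):
    """Botnet: 2000 IPs, 1-3 attempts each with distinct leaked pairs, ~1% hit."""
    events = []
    for i in range(n_ips):
        ip, t = f"203.0.{i // 250}.{i % 250 + 1}", t0 + rng.uniform(0, span)
        for k in range(rng.randint(1, 3)):
            user = f"victim{3 * i + k}"
            events.append(dict(t=t + 0.8 * k, ip=ip, path="/login",
                               fp=cred_fp(user, "leaked-pw"), ok=rng.random() < 0.01))
    return events


EVENTS = sorted(normal_traffic() + stuffing_traffic(), key=lambda e: e["t"])


def velocity_windows(events, window=60.0):
    """Per-window login totals across all IPs, plus the busiest single IP.
    Aggregated this way, 2000 IPs x 1 attempt looks like 1 IP x 2000."""
    buckets = defaultdict(list)
    for e in events:
        if e["path"] == "/login":
            buckets[int(e["t"] // window)].append(e)
    rows = []
    for w in sorted(buckets):
        evs = buckets[w]
        per_ip = Counter(e["ip"] for e in evs)
        fails = sum(1 for e in evs if not e["ok"])
        rows.append(dict(window=w, attempts=len(evs), distinct_ips=len(per_ip),
                         max_per_ip=max(per_ip.values()), fail_rate=fails / len(evs)))
    return rows


def velocity_alerts(rows, total_threshold=100, per_ip_limit=5):
    """Windows a per-IP rate limit would miss but the aggregate view catches."""
    return [r for r in rows if r["attempts"] > total_threshold and r["max_per_ip"] <= per_ip_limit]


def sequence_anomalies(events, gap=5.0):
    """IPs that go login -> login with a different credential within `gap` seconds.
    Legit sessions go login -> /profile -> /orders; bots re-login immediately."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = set()
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["t"])
        for a, b in zip(evs, evs[1:]):
            if a["path"] == b["path"] == "/login" and a["fp"] != b["fp"] and b["t"] - a["t"] < gap:
                flagged.add(ip)
                break
    return flagged


def baseline_alerts(rows, baseline_windows=5, jump=0.30):
    """Failure-rate deviation: learn a baseline on early windows, alert on a jump."""
    base = sum(r["fail_rate"] for r in rows[:baseline_windows]) / baseline_windows
    return base, [r for r in rows if r["fail_rate"] > base + jump]


if __name__ == "__main__":
    rows = velocity_windows(EVENTS)
    base, deviating = baseline_alerts(rows)
    for r in velocity_alerts(rows):
        print(f"window {r['window']:>2}: {r['attempts']} attempts from {r['distinct_ips']} IPs, "
              f"max {r['max_per_ip']}/IP, fail rate {r['fail_rate']:.0%} (baseline {base:.0%})")
    print(f"{len(sequence_anomalies(EVENTS))} IPs flagged for login -> re-login rhythm")
```

In the output, every attack window shows a few hundred attempts with at most 3 per IP, so a per-IP limit of 5 never fires, while the aggregate count and the failure rate (baseline near 2%, attack windows near 99%) both cross threshold. The sequence detector only catches bot IPs that sent two or more attempts; single-attempt IPs are caught by the velocity and baseline signals, which is why the three are meant to be read together rather than as separate rules.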
Inline Block or Alert
When confidence exceeds threshold, block the campaign request inline before it reaches your auth service. Or alert to Slack/PagerDuty for human review. Per-endpoint configuration means your highest-risk endpoints get the strongest protection.