The Great Credential Caper: How to Perform and then Defend Against the (Nearly Impossible) to Defend
Christo Roberts, Dan Hollinger
BSidesSF 2026 · Day 2 · AMC IMAX
In "The Great Credential Caper," Christo Roberts and Dan Hollinger examine the escalating threat of **credential stuffing**, the automated replay of usernames and passwords exposed in earlier breaches, in an era increasingly shaped by **agentic AI**. The talk dissects how these attacks have become markedly easier and more sophisticated for adversaries to execute, highlights the scale of the problem, and shows through live and recorded demonstrations how AI agents can bypass traditional bot-detection mechanisms and CAPTCHAs, changing what defenders can still rely on.
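The abstract does not show the defensive side in code, so the following is an added example (not material from the talk or its speakers) of two layers a defender can put behind a login endpoint: a breached-credential check against a locally indexed SHA-1 corpus, and a credential-stuffing detector that groups login attempts by source IP and separately by TLS fingerprint (JA3), since attackers rotating through residential proxies change IPs far more often than they change their client fingerprint. The log format, field names, the `fp-bot`/`fp-browser` fingerprint labels, the sample attempts and the "breached" password list are all constructed for the example.

```python
"""Layered credential-stuffing defenses over constructed login logs (added example)."""
import hashlib
import re
from collections import defaultdict

# Constructed sample login log: one key=value line per attempt. Not from the talk.
# Two "sources" share the same client fingerprint (fp-bot) while cycling IPs, which
# is the residential-proxy pattern; 198.51.100.4 is one user mistyping a password.
SAMPLE_LOG = """\
ts=1 src=203.0.113.7 ja3=fp-bot user=alice result=fail
ts=2 src=203.0.113.7 ja3=fp-bot user=bob result=fail
ts=3 src=203.0.113.7 ja3=fp-bot user=carol result=fail
ts=4 src=203.0.113.7 ja3=fp-bot user=dave result=success
ts=5 src=203.0.113.7 ja3=fp-bot user=erin result=fail
ts=6 src=198.51.100.4 ja3=fp-browser user=frank result=fail
ts=7 src=198.51.100.4 ja3=fp-browser user=frank result=fail
ts=8 src=198.51.100.4 ja3=fp-browser user=frank result=success
ts=9 src=192.0.2.9 ja3=fp-bot user=grace result=fail
ts=10 src=192.0.2.9 ja3=fp-bot user=heidi result=fail
ts=11 src=192.0.2.9 ja3=fp-bot user=ivan result=fail
ts=12 src=192.0.2.9 ja3=fp-bot user=judy result=fail
"""

LINE_RE = re.compile(
    r"ts=(?P<ts>\d+) src=(?P<src>\S+) ja3=(?P<ja3>\S+) user=(?P<user>\S+) result=(?P<result>\S+)"
)


def parse_log(text):
    """Parse key=value login lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def summarize(records, key):
    """Aggregate attempts per distinct value of `key` ("src" or "ja3")."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0})
    for r in records:
        s = stats[r[key]]
        s["users"].add(r["user"])
        s["attempts"] += 1
        if r["result"] != "success":
            s["fails"] += 1
    return stats


def flag_stuffing(records, key, min_users=4, min_fail_rate=0.75):
    """Return {key_value: (unique_users, fail_rate)} for origins that look like stuffing:
    many distinct usernames from one origin with a high failure ratio. A real user
    retrying their own password hits one username and is never flagged here."""
    flagged = {}
    for value, s in summarize(records, key).items():
        users = len(s["users"])
        fail_rate = s["fails"] / s["attempts"]
        if users >= min_users and fail_rate >= min_fail_rate:
            flagged[value] = (users, round(fail_rate, 2))
    return flagged


# Constructed "breached password" corpus. It is indexed by the first five hex chars of
# the SHA-1, the same split the Have I Been Pwned range API uses, so the same lookup
# shape works offline here and against the real service (assumption for the example).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password1", "Summer2023!", "qwerty")
}
PREFIX_INDEX = defaultdict(set)
for _h in BREACHED_SHA1:
    PREFIX_INDEX[_h[:5]].add(_h[5:])


def is_breached(password):
    """True if the password's SHA-1 appears in the indexed breach corpus."""
    h = hashlib.sha1(password.encode()).hexdigest().upper()
    return h[5:] in PREFIX_INDEX.get(h[:5], set())


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("per-IP:", flag_stuffing(records, "src"))
    print("per-JA3:", flag_stuffing(records, "ja3"))
    print("password1 breached:", is_breached("password1"))
```

Grouping by JA3 catches the fp-bot campaign as a single origin across both IPs, which per-IP thresholds would have to catch twice. The caveat the review raises still applies: a scripted real browser presents a legitimate-looking TLS fingerprint, so fingerprint grouping is one signal to correlate with failure ratio and breached-credential hits, not a standalone gate.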
AI review
A competent, well-structured BSides talk that does its job: makes credential stuffing visceral and timely by stapling agentic AI onto a well-understood threat. The live demo instinct is right, the layered defense framework is sensible, and the Cloudflare telemetry (41% of logins using breached creds, 95% automated during peak retail) gives it some real grounding. But the research contribution is thin — this is synthesis and demonstration, not original work, and most of the individual pieces (Playwright stealth, CAPTCHA-solving APIs, residential proxies, JA3/JA4) have been covered elsewhere.