
Summary
The Auth0 CIC Credential Stuffing detection rule identifies potential credential-stuffing attacks targeting the cross-origin authentication feature in the Okta Customer Identity Cloud (CIC). Credential stuffing is a type of attack where attackers attempt to gain unauthorized access by using leaked usernames and passwords from previous data breaches. Since April 15, 2024, Okta has observed suspicious events indicating attempts to log in with credentials obtained from leaks. This rule tracks anomalous login attempts marked by specific log types such as fcoa (failed cross-origin authentication), scoa (successful cross-origin authentication), and pwd_leak events. When triggered, the rule suggests immediate rotation of compromised user passwords to mitigate the risk of account takeover.
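The correlation described above, sketched as an added example (not the rule's own query or Okta's code). The field names `type`, `ip` and `user_name`, the threshold, and the choice to treat `pwd_leak` users and `scoa` users from a flagged IP as rotation candidates are assumptions; the events are constructed.

```python
from collections import defaultdict

# Constructed sample events, not real tenant data. Field names are assumed
# to follow the Auth0 tenant log event layout (type, ip, user_name).
SAMPLE_EVENTS = [
    {"type": "fcoa", "ip": "203.0.113.7", "user_name": "alice@example.com"},
    {"type": "fcoa", "ip": "203.0.113.7", "user_name": "bob@example.com"},
    {"type": "fcoa", "ip": "203.0.113.7", "user_name": "carol@example.com"},
    {"type": "fcoa", "ip": "203.0.113.7", "user_name": "dave@example.com"},
    {"type": "scoa", "ip": "203.0.113.7", "user_name": "erin@example.com"},
    {"type": "pwd_leak", "ip": "198.51.100.20", "user_name": "frank@example.com"},
    # Ordinary user: one mistyped password, then a successful login.
    {"type": "fcoa", "ip": "192.0.2.10", "user_name": "gina@example.com"},
    {"type": "scoa", "ip": "192.0.2.10", "user_name": "gina@example.com"},
    {"type": "fcoa", "user_name": "nobody@example.com"},  # missing ip: ignored
]


def find_stuffing(events, min_failed_users=3):
    """Return (suspect_ips, accounts_to_rotate).

    An IP is suspect when it produced failed cross-origin logins (fcoa)
    for at least `min_failed_users` distinct user names (assumed threshold).
    """
    failed_users = defaultdict(set)
    for ev in events:
        ip, user = ev.get("ip"), ev.get("user_name")
        if ev.get("type") == "fcoa" and ip and user:
            failed_users[ip].add(user)

    suspect_ips = {ip for ip, users in failed_users.items()
                   if len(users) >= min_failed_users}

    rotate = set()
    for ev in events:
        user = ev.get("user_name")
        if not user:
            continue
        # A success from a spraying IP means one guessed credential worked;
        # a pwd_leak event is counted on its own, whatever the source IP.
        if ev.get("type") == "pwd_leak" or (
                ev.get("type") == "scoa" and ev.get("ip") in suspect_ips):
            rotate.add(user)
    return suspect_ips, rotate


if __name__ == "__main__":
    print(find_stuffing(SAMPLE_EVENTS))
```

Counting distinct user names per IP, rather than raw failures, keeps a single user retrying a forgotten password from tripping the check.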
Categories
- Identity Management
- Cloud
- Web
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2024-06-27