
OpenAI Credential Stuffing

Panther Rules

Summary
OpenAI Credential Stuffing detects credential stuffing attacks against OpenAI accounts by monitoring failed login attempts against the same email address from multiple distinct source IPs within a short window. An alert is raised when the number of unique source IPs contributing failed logins reaches a defined threshold (default 5) within a 30-minute deduplication window. Counting distinct IPs rather than raw attempts separates distributed, credential-stuffing style activity from a single-IP brute force, and the rule complements the related OpenAI.BruteForce.Login.Success rule, which only confirms compromise once a successful login follows a run of failures. The rule maps to MITRE ATT&CK T1110.004 (Brute Force: Credential Stuffing). Data comes from OpenAI audit logs (OpenAI.Audit); the rule checks failed and, where present, subsequent successful login events to judge whether account compromise is likely. The included tests simulate multiple distinct-IP failed logins for the same user, a subsequent successful login, and non-login events, to validate matching behavior and to confirm that no alert fires when no login occurs. Runbook steps emphasize investigating anonymization infrastructure (VPNs, Tor, proxies), cross-referencing audit logs for login events on the account in the past 30 minutes, and reviewing related alerts over the prior week to assess whether the account was compromised.
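The detection logic described above, as an added stand-alone example rather than Panther's own rule code: a sliding-window detector that counts distinct source IPs behind failed logins per email, fires once the count reaches the threshold, suppresses repeat alerts inside the window, and flags a success that follows such a burst as possible compromise. The event field layout (`type`, `effective_at`, `actor.session.user.email`, `actor.session.ip_address`) is an assumption modelled loosely on OpenAI audit events, not the parsed OpenAI.Audit schema, and the sample event stream is constructed, not real log data.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

WINDOW_SECONDS = 30 * 60  # 30-minute window, per the rule description
IP_THRESHOLD = 5          # default number of distinct source IPs that triggers an alert


def _fields(event: dict) -> Tuple[str, str, str, int]:
    """Pull (event type, email, source IP, unix timestamp) out of an event.

    The field names are an assumption for this example, modelled loosely on
    OpenAI audit-log events; a real rule must use whatever the parsed
    OpenAI.Audit schema exposes.
    """
    session = event.get("actor", {}).get("session", {})
    return (
        event.get("type", ""),
        session.get("user", {}).get("email", ""),
        session.get("ip_address", ""),
        int(event.get("effective_at", 0)),
    )


class CredentialStuffingDetector:
    """Stateful detector: distinct-IP failed logins per email inside a sliding window."""

    def __init__(self, window: int = WINDOW_SECONDS, threshold: int = IP_THRESHOLD):
        self.window = window
        self.threshold = threshold
        # email -> deque of (timestamp, source_ip) for failed logins, oldest first
        self.failures: Dict[str, Deque[Tuple[int, str]]] = defaultdict(deque)
        # email -> timestamp of the last stuffing alert, used to dedup within the window
        self.last_alert: Dict[str, int] = {}

    def _prune(self, email: str, now: int) -> None:
        dq = self.failures[email]
        while dq and dq[0][0] < now - self.window:
            dq.popleft()

    def _distinct_ips(self, email: str) -> List[str]:
        return sorted({ip for _, ip in self.failures[email]})

    def process(self, event: dict) -> Optional[dict]:
        etype, email, ip, ts = _fields(event)
        # Only login events matter; anything else is ignored outright.
        if not etype.startswith("login.") or not email or not ip:
            return None
        self._prune(email, ts)

        if etype == "login.failed":
            self.failures[email].append((ts, ip))
            ips = self._distinct_ips(email)
            already_alerted = ts - self.last_alert.get(email, -self.window - 1) <= self.window
            if len(ips) >= self.threshold and not already_alerted:
                self.last_alert[email] = ts
                return {"kind": "credential_stuffing", "email": email,
                        "unique_ips": len(ips), "ips": ips, "at": ts}
            return None

        if etype == "login.succeeded":
            ips = self._distinct_ips(email)
            # A success right after a distributed failure burst is the likely-compromise
            # signal the page attributes to the companion OpenAI.BruteForce.Login.Success rule.
            if len(ips) >= self.threshold:
                return {"kind": "possible_compromise", "email": email,
                        "unique_ips": len(ips), "success_ip": ip, "at": ts}
            return None
        return None  # other login.* types (e.g. logout) carry no signal here


def run(events: List[dict], **kwargs) -> List[dict]:
    """Replay events in timestamp order and collect the alerts raised."""
    det = CredentialStuffingDetector(**kwargs)
    alerts = []
    for ev in sorted(events, key=lambda e: e.get("effective_at", 0)):
        alert = det.process(ev)
        if alert:
            alerts.append(alert)
    return alerts


def _ev(etype: str, email: str, ip: str, minutes: int) -> dict:
    base = 1_700_000_000  # constructed base timestamp
    return {"type": etype, "effective_at": base + minutes * 60,
            "actor": {"session": {"user": {"email": email}, "ip_address": ip}}}


# Constructed sample stream (not real log data).
SAMPLE_EVENTS = (
    # alice: five failures from five IPs in 8 minutes, then a success from a sixth IP
    [_ev("login.failed", "alice@example.com", f"198.51.100.{i}", 2 * i) for i in range(5)]
    + [_ev("login.succeeded", "alice@example.com", "203.0.113.9", 10)]
    # bob: six failures from one IP: single-source brute force, not this rule
    + [_ev("login.failed", "bob@example.com", "192.0.2.7", i) for i in range(6)]
    # carol: three IPs early, two more 40 minutes later: never five inside one window
    + [_ev("login.failed", "carol@example.com", f"198.51.100.{50 + i}", i) for i in range(3)]
    + [_ev("login.failed", "carol@example.com", f"198.51.100.{60 + i}", 40 + i) for i in range(2)]
    # non-login noise that must be ignored
    + [_ev("project.created", "alice@example.com", "198.51.100.0", 1)]
)

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Run as a script it prints two alerts, both for alice: the distinct-IP burst and the success that follows it. bob never trips the rule because his six failures share one IP, and carol's five IPs are split across two windows, which is exactly the distinction between this rule and a single-IP brute-force detection.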
Categories
  • Web
  • Application
Data Sources
  • Web Credential
  • Application Log
ATT&CK Techniques
  • T1110.004
Created: 2026-04-21