Saved February 14, 2026
Do you care about this?
Clerk introduced Client Trust, a new security feature that requires an additional authentication step for users who have no two-factor authentication enabled and sign in from an untrusted device. It aims to blunt credential stuffing attacks by raising protection automatically, without extra configuration by the user.
If you do, here's more
Clerk has introduced a new feature called Client Trust, aimed at combating credential stuffing attacks. This comes in response to a recent incident where 625 million passwords were added to the Have I Been Pwned database. For the past two weeks, Clerk faced aggressive attacks where hackers tested millions of stolen passwords using various IP addresses to bypass security measures. Despite mitigating most attacks, the scale of the leaks highlighted that even a high success rate in protection wasn't sufficient.
Client Trust addresses this issue by treating every new device as untrusted until the user completes a sign-in from it. If a user enters a valid password on an account without two-factor authentication and is using a new device, Clerk requires an additional verification step. This is either a one-time passcode or a magic link, whichever the app's settings specify. The feature aims to provide this protection automatically, without added complexity for developers or users.
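To make the decision rule concrete, here is a small model of it in Python, written for this note and not Clerk's code; the `step_up_method` setting name, the device identifiers and the user records are assumptions used to illustrate the flow, including the case where the step-up check fails.

```python
from dataclasses import dataclass, field

@dataclass
class AppSettings:
    # Assumed setting: which extra check the app uses, "otp" or "magic_link".
    step_up_method: str = "otp"

@dataclass
class User:
    user_id: str
    has_2fa: bool
    trusted_devices: set = field(default_factory=set)  # devices with a completed sign-in

def evaluate_sign_in(user, device_id, password_valid, settings):
    """Decide the next step for a password sign-in attempt.

    A correct password alone is not enough when the account has no second
    factor and the device has never completed a sign-in.
    """
    if not password_valid:
        return "reject"
    if user.has_2fa:
        return "require_2fa"  # the normal second factor covers the untrusted device
    if device_id in user.trusted_devices:
        return "allow"
    return f"step_up:{settings.step_up_method}"

def complete_step_up(user, device_id, verification_succeeded):
    """Mark the device trusted only after the OTP / magic link check passes."""
    if verification_succeeded:
        user.trusted_devices.add(device_id)
        return "allow"
    return "reject"  # device stays untrusted; a leaked password is still not enough

def demo():
    alice = User("alice", has_2fa=False)
    settings = AppSettings(step_up_method="magic_link")
    # Constructed scenario: a valid (possibly leaked) password from an unknown device.
    first = evaluate_sign_in(alice, "dev-unknown-1", True, settings)
    # The legitimate user completes the link, so that device is remembered.
    complete_step_up(alice, "dev-unknown-1", True)
    second = evaluate_sign_in(alice, "dev-unknown-1", True, settings)
    # The same password from a different, never-verified device is stepped up again.
    third = evaluate_sign_in(alice, "dev-unknown-2", True, settings)
    failed = complete_step_up(alice, "dev-unknown-2", False)
    return first, second, third, failed

if __name__ == "__main__":
    print(demo())
```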
The goal is to eliminate the trade-off between user experience and security. Client Trust is designed to be unobtrusive when security isn’t a concern but assertive when needed. It provides a safeguard against situations where a user's password has been compromised, ensuring protection even if it appears in a data breach. Client Trust will be included in all Clerk plans and automatically enabled for new applications, while existing ones can activate it with a simple update.