You are currently allowing your users to choose their own password, and many of them are using the same password they use on other services. There is no other possible way your users are vulnerable to credential stuffing.

t’s important to emphasise that if you don’t reuse passwords, you are literally immune to credential stuffing.

The practice of throwing a bunch of purloined user names and passwords at various services to see what sticks is known as credential stuffing, and it’s hit the media industry particularly hard in recent years.

Credential stuffing is a serious attack vector that is underrated because of its unintuitive nature

Defending against credential stuffing attacks

Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts.