There are lots of ways to mitigate credential stuffing. There are methods to detect botnets accessing your system at scale. There are products like HIBP that can help prevent credential re-use. You can prevent logins from unusual locations with an additional factor ("it looks like you're accessing this website from Croatia when you've only ever logged in from California, check your email for a confirmation code"). You can force MFA if you want to go nuclear.
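How the breached-password check and the unusual-location step-up can combine into one login decision, as an added example that is not part of the original text. The `Account` record, `login_steps` and its step names are hypothetical, locations are reduced to country codes, and the range response is constructed in the `SUFFIX:COUNT` format of HIBP's Pwned Passwords range API.

```python
import hashlib
from dataclasses import dataclass, field


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the range API and the 35-char suffix that stays on the server."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_body: str) -> int:
    """Look the password up in a range response ("SUFFIX:COUNT" per line).
    Padding entries carry a count of 0, so they read as 'not breached'."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)
    return 0


@dataclass
class Account:  # hypothetical account record
    known_countries: set = field(default_factory=set)
    force_mfa: bool = False


def login_steps(account: Account, password_ok: bool, country: str,
                breached: int) -> list[str]:
    """Extra steps required before a session is issued.
    ["deny"] rejects the attempt; [] allows it with no extra step."""
    if not password_ok:
        return ["deny"]
    steps = []
    if account.force_mfa:
        steps.append("mfa")              # the "nuclear" option: always MFA
    elif country not in account.known_countries:
        steps.append("email_code")       # unusual location: confirm by email
    if breached > 0:
        steps.append("change_password")  # password appears in a breach corpus
    return steps


# Constructed range response for the prefix of "hunter2" (counts are made up).
_, _SUFFIX = sha1_prefix_suffix("hunter2")
SAMPLE_RANGE = f"{'0' * 35}:0\n{_SUFFIX}:17043\n{'F' * 35}:3\n"
```
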