Practice Test Question – Authentication Attacks

Preparing for your next security certification exam? After trying your hand at this practice test question, join the FREE CertMike Study Group for the CISSP, Security+, CySA+, PenTest+, CISM or SSCP certification to receive new questions each week. You’ll also receive free access to my customized study strategies.

Fran is investigating an attack that took place against a website operated by her organization. When she looked at the authentication log entries, she saw that the attacker attempted to log into thousands of different accounts using a series of common passwords before eventually finding a combination that worked. What term best describes this attack?

A. Credential stuffing
B. Brute force
C. Password spraying
D. Rainbow table

Correct Answer: C

Answering this question is a little tricky because it depends not only on recognizing that each of these options is indeed a password attack but also on knowing the details of how each one works. Let’s start by knocking off the two more clearly incorrect answers. First, this is not a brute force attack. A brute force attack works through the possible passwords for a single account; here we have a short list of common passwords being tried against a large number of accounts. Second, it is not a rainbow table attack. That type of attack requires the attacker to already have a file of hashed passwords and is carried out offline against those hashes, not against a live login form.

That leaves password spraying and credential stuffing, two attacks that look similar in an authentication log but differ in where the passwords come from. Credential stuffing takes username and password pairs that were compromised on other sites and replays them against the target site, on the presumption that people reuse passwords from site to site. Password spraying takes a short list of commonly chosen passwords and tries each one against a long list of accounts, staying under per-account lockout thresholds because each account sees only a few attempts. Thousands of accounts tried with a series of common passwords until one works is exactly that pattern, so the correct answer is password spraying.
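Fran found this attack by reading the authentication log, so the distinction above is also a detection problem. The script below is an added example, not part of the original post: it parses a small constructed log (a hypothetical `timestamp src=… user=… result=ok|fail` format with addresses from the documentation ranges, not real traffic) and labels each source address by the shape of its failed logins. Many accounts with only one or two failures each from one source is the spraying signature; one account hammered with many failures is brute force. The thresholds (20 accounts, 20 attempts, 3 failures per account) are illustrative assumptions and should be tuned to your own baseline.

```python
"""Triage failed logins in a web authentication log.

Added example for the practice question above.  Assumed (hypothetical) log
line format:  <ISO timestamp> src=<ip> user=<name> result=<ok|fail>
All sample data below is constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def build_sample_log():
    """Construct a synthetic log covering three patterns (not real traffic)."""
    lines = []
    t = datetime(2024, 3, 1, 2, 0, 0)
    # 1) Password spraying: one source, 30 different accounts, one failure
    #    each, then a successful login to one of them.
    for i in range(30):
        t += timedelta(seconds=5)
        lines.append(f"{t.isoformat()} src=198.51.100.7 user=user{i:02d} result=fail")
    t += timedelta(seconds=5)
    lines.append(f"{t.isoformat()} src=198.51.100.7 user=user17 result=ok")
    # 2) Brute force: one source hammering a single account.
    for _ in range(25):
        t += timedelta(seconds=1)
        lines.append(f"{t.isoformat()} src=203.0.113.5 user=bob result=fail")
    # 3) Benign: a user mistypes once and then logs in.
    t += timedelta(minutes=1)
    lines.append(f"{t.isoformat()} src=192.0.2.3 user=carol result=fail")
    t += timedelta(seconds=20)
    lines.append(f"{t.isoformat()} src=192.0.2.3 user=carol result=ok")
    return lines


def parse(lines):
    """Turn log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "user": m["user"],
            "ok": m["result"] == "ok",
        })
    return events


def classify_source(events, src, min_accounts=20, min_attempts=20, max_per_account=3):
    """Label one source address by the distribution of its failed logins.

    Thresholds are illustrative assumptions.  Note the log never shows which
    passwords were tried, so the 'many accounts, few failures each' shape also
    matches credential stuffing; telling the two apart needs more than this log.
    """
    fails = [e for e in events if e["src"] == src and not e["ok"]]
    if len(fails) < min_attempts:
        return "normal"
    per_user = defaultdict(int)
    for e in fails:
        per_user[e["user"]] += 1
    if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
        return "password spraying"   # wide and shallow: spread across accounts
    if len(per_user) == 1:
        return "brute force"         # narrow and deep: one account, many tries
    return "mixed"


def successes_after_failures(events, src):
    """Accounts that logged in from `src` after that source had already failed."""
    seen_failure = False
    hits = []
    for e in sorted((e for e in events if e["src"] == src), key=lambda e: e["ts"]):
        if e["ok"] and seen_failure and e["user"] not in hits:
            hits.append(e["user"])
        elif not e["ok"]:
            seen_failure = True
    return hits


def triage(events):
    """Map each suspicious source to (attack label, accounts it got into)."""
    report = {}
    for src in sorted({e["src"] for e in events}):
        label = classify_source(events, src)
        if label != "normal":
            report[src] = (label, successes_after_failures(events, src))
    return report


if __name__ == "__main__":
    for src, (label, hits) in triage(parse(build_sample_log())).items():
        print(f"{src}: {label}; accounts compromised: {hits or 'none'}")
```

Two caveats a responder would want. Because passwords are (rightly) never logged, credential stuffing produces the same wide-and-shallow pattern as spraying; what separates them in practice is the success rate (stuffing with real leaked pairs hits far more often than a handful of guessed passwords) and correlation with known breach data. And a spraying attacker who rotates source addresses defeats the per-source grouping used here, so the same counts should also be computed per time window across all sources.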

Get a copy of my official CertMike Practice Test books for the Security+ exam, CISSP exam, SSCP exam, or CySA+ exam and practice with hundreds of questions designed just like the real test!
