Credential stuffing costs businesses over $5 billion a year
When usernames and passwords are exposed through a data breach or attack on users, criminals harvest these credentials and test them on a wide range of websites and mobile applications, a practice known as 'credential stuffing'.
A new report by security and anti-fraud specialist Shape Security looks at the lifecycle of stolen credentials and at the damage their use can cause.
The findings show that an average of 15 months elapses between the day credentials are compromised and the day the loss is reported by an organization. This is the most dangerous window of time as criminals can carry out credential stuffing attacks using details that have not yet been identified as compromised, meaning companies have no way of knowing which users are at risk.
"Credential stuffing has become an increasingly popular attack vector powering a robust and complex criminal ecosystem," says Shuman Ghosemajumder, CTO of Shape Security. "Data breaches have become pervasive over the last few years, but what most people don't realize is the domino effect of damage that a single breach is capable of producing. To fight back, organizations have started banding together to build a collective defense to be alerted when credentials stolen from one breach are being used to log in to another, effectively blocking attackers attempting to access their platforms with compromised credentials."
Shape Security observed five different attack groups performing credential stuffing attacks on a top-five US bank's mobile app over the course of two weeks. In total, the attackers targeted 363,000 bank accounts, or approximately 4,000 accounts per day.
In total the US consumer banking industry loses up to $1.7 billion annually as a result of credential stuffing. Based on its research, Shape Security estimates an average of 232.2 million malicious login attempts per day with a 0.05 percent success rate, meaning 116,106 successful account takeover attacks every day with an average of $400 stolen from an individual account.
Credential stuffing attacks account for 80-90 percent of a retailer's login traffic too. One luxury retailer experienced 99 percent attack traffic on their login page in 2017. VBulletin vulnerabilities, misconfigured databases or servers, and malware and phishing campaigns were the top causes for credential spills in 2017. Credential stuffing is estimated to cost US businesses around $5 billion a year overall.
You can find more details in the full report on the Shape Security website.