This month's discovery of a massive repository of 773 million stolen email addresses and 21 million stolen passwords offers the industry another valuable piece of evidence about how out of control online credential theft has become. And it's backed by many recent statistics that show just how much credential stealing is now a staple in the attacker playbook.
In practice, the bad guys gather as much stolen password data as they can collect from low-hanging fruit — often low-value sites with little protection — which they then use to fuel attacks against better secured targets. Those subsequent attacks typically start with credential stuffing, in which attackers automate the process of recycling the credential information they've stolen from one platform, website, or system and trying it against another.
"Credential-stuffing attacks are much more effective than simple brute forcing, as people often use the same credentials for accessing various systems," according to analysts with Positive Technologies.
Here's a look at some of the statistics that offer a bit of insight into the problem of credential theft and stuffing, and where we stand in mitigating these risks.