Credential Compromises by the Numbers
Recent statistics show just how much credential stealing has become a staple in the attacker playbook.
January 25, 2019
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt3ccfe0e0310420ee/64f0d4c02263b3639dad222d/01-credentialcompromise.jpg?width=700&auto=webp&quality=80&disable=upscale)
This month's discovery of a massive repository of 773 million stolen email addresses and 21 million stolen passwords offers the industry another valuable piece of evidence about how out-of-control online credential theft has become. And it's backed by many recent statistics that show just how much credential stealing is now a staple in the attacker playbook.
In practice, the bad guys gather as much stolen password data as they can collect from low-hanging fruit — often low-value sites with little protection — which they then use to fuel attacks against better secured targets. Those subsequent attacks typically start with credential stuffing, in which attackers automate the process of recycling the credential information they've stolen from one platform, website, or system and trying it against another.
"Credential-stuffing attacks are much more effective than simple brute forcing, as people often use the same credentials for accessing various systems," according to analysts with Positive Technologies.
Here's a look at some of the statistics that offer a bit of insight into the problem of credential theft and stuffing, and where we stand in mitigating these risks.
A recent report by Proofpoint shows that credential compromise via phishing attacks shot up by more than 70% in the past year. It's now the most commonly experienced impact of phishing, above malware infections and loss of data.
One in five data thefts today involves some form of credential theft, according to the recently released "Cybersecurity Threatscape" report from Positive Technologies. Stolen credentials are beaten out only by other personal data, and they far outpace stolen payment card information, medical records, and other corporate IP.
In just a two-month period last year, researchers at Akamai detected 8.3 billion malicious login attempts tied to credential stuffing across their customer base. Most of that credential-stuffing traffic came from low-and-slow attempts meant to fly under the radar, though at times attacks spiked. At one point, for example, researchers saw 300,000 login attempts generated per hour by one botnet.
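The Akamai figures above hinge on telling stuffing traffic apart from ordinary failed logins and from classic brute force, and on catching the low-and-slow variant that stays under per-minute rate limits. The following detector is an added example, not Akamai's or any vendor's code; it runs over a constructed log sample and assumes a simple "timestamp, source IP, username, result" line format. The key signal is that a stuffing source fails against many *different* accounts, each tried roughly once, whereas brute force hammers one account; widening the sliding window is what exposes the low-and-slow source.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth-log sample (not from the article), one event per line:
# "<UTC timestamp> <source IP> <username> <result>". 198.51.100.7 sprays
# four accounts in seconds, 192.0.2.33 hammers one account, 203.0.113.9
# sprays four accounts one hour apart (low-and-slow), 192.0.2.50 is a typo.
SAMPLE_LOG = """\
2019-01-20T09:00:00Z 198.51.100.7 ann FAIL
2019-01-20T09:00:05Z 198.51.100.7 bob FAIL
2019-01-20T09:00:11Z 198.51.100.7 cara FAIL
2019-01-20T09:00:17Z 198.51.100.7 dan FAIL
2019-01-20T09:01:00Z 192.0.2.33 bob FAIL
2019-01-20T09:01:04Z 192.0.2.33 bob FAIL
2019-01-20T09:01:09Z 192.0.2.33 bob FAIL
2019-01-20T09:01:13Z 192.0.2.33 bob FAIL
2019-01-20T10:00:00Z 203.0.113.9 eve FAIL
2019-01-20T11:00:00Z 203.0.113.9 fay FAIL
2019-01-20T12:00:00Z 203.0.113.9 gil FAIL
2019-01-20T13:00:00Z 203.0.113.9 hal FAIL
2019-01-20T09:02:00Z 192.0.2.50 ann FAIL
2019-01-20T09:02:20Z 192.0.2.50 ann OK
"""

def classify_sources(log_text, window_seconds, min_failures=4, distinct_ratio=0.8):
    """Label each source IP whose failed logins inside any sliding window of
    window_seconds reach min_failures: 'credential_stuffing' when nearly every
    attempt targets a different account, 'brute_force' when one account is hit."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        if result == "FAIL":
            failures[ip].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user))
    findings = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            span = events[start:end + 1]
            if len(span) < min_failures:
                continue
            distinct = len({user for _, user in span})
            if distinct / len(span) >= distinct_ratio:
                findings.setdefault(ip, "credential_stuffing")
            elif distinct == 1:
                findings.setdefault(ip, "brute_force")
    return findings
```

With a 10-minute window (600 seconds) the hour-apart source 203.0.113.9 never accumulates enough failures and goes unflagged; with a 24-hour window (86400 seconds) it is labelled credential stuffing, which is why low-and-slow detection needs aggregation over long horizons rather than per-minute rate limits alone.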
Researchers at Shape Security estimate that credential stuffing costs US businesses $5 billion annually. Some industries feel the brunt more than others. For example, 60% of customer login traffic at airlines consisted of credential-stuffing attacks, according to Shape research from last year. Similarly, a whopping 91% of retail login traffic was made up of stuffing attacks.
The good news is that security leaders are finally recognizing how big a problem credential compromises are, and they are working to mitigate the risks through stronger forms of authentication. A study just released by Javelin Strategy & Research and FIDO Alliance found that strong authentication in consumer apps tripled in 2018, and enterprise authentication saw a significant bump as well. Clearly, though, there's plenty of work ahead.