Over the past twelve months, the number of reported stolen credentials has reached new records. While the initial data breaches and credential spills made headlines in 2016, the bigger issue for 2017 and beyond is the increasing level of credential stuffing attacks. Given the ongoing and widespread theft of user credentials, every organization needs to consider how to protect users from account takeover resulting from the use of spilled credentials.
3,301,824,415 credentials were reported spilled in 2016.
These spills occurred due to a variety of methods, including breaches of company databases, malware injected directly onto users' devices, and successful phishing attempts.
51 organizations reported a total of 52 credential spills; Yahoo unfortunately had two reported spills.
The spills varied in size, from 100 to one billion credentials, and spanned across all industries, from technology to gaming to government agencies.
Shape Network data reveals that as much as 90% of login traffic on many web and mobile applications can be attributed to credential stuffing attacks.
Cybercriminals use automation in order to rapidly test millions of spilled credentials.
“Observing more than 15.5 million account login attempts during a 4 month period for a major retailer, Shape identified that more than 500,000 accounts were on spilled credential lists.”
Because people reuse passwords, stolen credentials can act as a master key to many online accounts. Criminals use a method of attack known as credential stuffing to rapidly test stolen credentials for password reuse against web and mobile accounts with the intent of account takeover.
The theft of user credentials has ramped up significantly in the past couple of years, in part due to the newfound versatility and value of online credentials. With three billion spilled credentials reported in 2016, every organization with a login form must be prepared for credential stuffing attacks.