2017 Credential Spill Report

January 2017
This original Shape Security report features key findings about the three billion credentials reported spilled in 2016, an analysis of the scale of credential theft, and insights into how spilled credentials are used in credential stuffing attacks.

Key Findings

Over the past twelve months, the number of reported stolen credentials has reached new records. While the initial data breaches and credential spills made headlines in 2016, the bigger issue for 2017 and beyond is the increasing level of credential stuffing attacks. Given the ongoing and widespread theft of user credentials, every organization needs to consider how to protect users from account takeover resulting from the use of spilled credentials.

3.3 Billion Stolen Credentials

3,301,824,415 credentials were reported spilled in 2016. 

These spills resulted from a variety of methods, including breaches of company databases, malware injected directly onto users' devices, and successful phishing attempts.

52 Spills Reported in 2016

51 organizations reported a total of 52 credential spills; Yahoo unfortunately had two spills.

The spills varied in size, from 100 to 1B credentials, and spanned all industries, from technology to gaming to government agencies.

9 out of 10 Login Attempts

Shape Network data reveals that as much as 90% of login traffic on many web and mobile applications can be attributed to credential stuffing attacks.

Cybercriminals use automation to rapidly test millions of spilled credentials.

“Observing more than 15.5 million account login attempts during a 4-month period for a major retailer, Shape identified that more than 500,000 accounts were on spilled credential lists.”

-2017 Credential Spill Report

Credential Spills Lead to Credential Stuffing

Because people reuse passwords, stolen credentials can act as a master key to many online accounts. Criminals use a method of attack known as credential stuffing to rapidly test stolen credentials for password reuse against web and mobile accounts with the intent of account takeover.


Top 10 Credential Spills of 2016

The theft of user credentials has ramped up significantly in the past couple of years, in part due to the newfound versatility and value of online credentials. With three billion spilled credentials reported in 2016, every organization with a login form must be prepared for credential stuffing attacks.

Shape Security defends Global 2000 corporations from automated attacks on web and mobile applications. Shape’s platform, covered by 23 US patents, stops fraud and data breaches, including credential stuffing, application DDoS, and unauthorized aggregation. Shape has prevented over $1B in fraud and protects 20% of the world’s in-store mobile payments.