2018 Credential
Spill Report 

July 2018
We hope you enjoy the report. 
Feedback or questions: [email protected]
Media Inquiries: [email protected]

Key Findings

In the second annual Credential Spill Report, Shape delves into where spilled credentials come from, how criminals weaponize and resell the data, and ways compromised accounts are turned into profits for the criminal underground. The report also drills down into the costs of credential stuffing attacks on companies in various industries that are commonly targeted by attackers.

2.3 Billion
Stolen Credentials

Over 2.3 Billion usernames and passwords were reported spilled from 51 organizations in 2017.

The frequency of credential spills has remained extremely consistent for two years, but the average size of spills in 2017 was lower than in 2016.

$50 Million
Potential Losses Per Day

The US consumer banking industry faces nearly $50 million per day in potential losses from credential stuffing attacks.

After taking into account fraud prevention, actual losses are estimated to be $5 million per day, or over $1.6 billion per year.

15 Months
To Discover Spills

On average, it took fifteen months for a credential spill to become public knowledge.

This window of time is directly related to the cost of a spill - The longer it takes to discover a compromise, the more time attackers have to monetize account takeovers.


Featured by


Shape Security's AI-driven platform protects over 1.5 billion user accounts from imitation attacks across web and mobile applications. Covered by over 55 US patents, Shape's platform proactively prevents fraud, providing peace of mind for the world's largest enterprises.