In the second annual Credential Spill Report, Shape delves into where spilled credentials come from, how criminals weaponize and resell the data, and ways compromised accounts are turned into profits for the criminal underground. The report also drills down into the costs of credential stuffing attacks on companies in various industries that are commonly targeted by attackers.
Over 2.3 billion usernames and passwords were reported spilled from 51 organizations in 2017.
The frequency of credential spills has remained extremely consistent for two years, but the average size of spills in 2017 was lower than in 2016.
The US consumer banking industry faces nearly $50 million per day in potential losses from credential stuffing attacks.
After taking into account fraud prevention, actual losses are estimated to be $5 million per day, or over $1.6 billion per year.
On average, it took fifteen months for a credential spill to become public knowledge.
This window of time is directly related to the cost of a spill: the longer it takes to discover a compromise, the more time attackers have to monetize account takeovers.