Inside look at lifecycle of stolen credentials and extent of data breach damage


Shape Security released its Credential Spill Report, shedding light on the extent to which the consumer banking, retail, airline and hospitality industries are impacted by credential stuffing attacks and account takeover. The report analyzes attacks that took place in 2017 and reveals 2.3 billion account credentials were compromised as a result of 51 independent credential spill incidents.

Credential Spill Report

Credential stuffing collectively costs U.S. businesses over $5 billion a year. When usernames and passwords are exposed, or “spilled,” through a data breach or attack on users, criminals harvest these credentials and test them on a wide range of websites and mobile applications.

There is up to a three percent success rate for account takeover from credential stuffing attacks because the majority of the population reuses passwords. The attackers then drain those accounts of value to commit all types of fraud, from unauthorized bank transfers to illicit online purchases.

Shape Security’s report found that an average of 15 months elapsed between the day credentials were compromised and the day the spill was reported by an organization. This is the most dangerous window of time, as criminals carry out credential stuffing attacks using credentials that have not yet been identified as compromised, meaning companies have no way of knowing which users are at risk. The longer an attack group can conceal the stolen credentials, the more value it can extract by weaponizing the credentials against a range of other organizations.
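During that 15-month window a site cannot recognise the spilled credentials themselves, so detection has to rest on how the login traffic behaves rather than on what is being submitted. The following is an added example, not code from the report or from Shape Security: it runs a small credential-stuffing detector over a constructed login log. It flags a source that, within a fixed time window, makes many attempts across many distinct usernames with a success rate at or below the low single-digit percentages the report describes, while leaving a legitimate user who mistypes a password alone. The log format, thresholds and addresses are all assumptions chosen for the example.

```python
"""Behavioural credential-stuffing detection over login logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log():
    """Constructed sample log: '<timestamp> <source ip> <username> <OK|FAIL>'.

    One legitimate user fails twice and then logs in, and one source cycles
    through 40 different usernames in two minutes with a single hit.
    """
    base = datetime(2017, 6, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i, result in enumerate(["FAIL", "FAIL", "OK"]):
        ts = base + timedelta(seconds=10 * i)
        lines.append(f"{ts:{LOG_TS_FORMAT}} 198.51.100.5 alice@example.com {result}")
    for i in range(40):
        ts = base + timedelta(seconds=3 * i)
        result = "OK" if i == 17 else "FAIL"
        lines.append(f"{ts:{LOG_TS_FORMAT}} 203.0.113.7 user{i:03d}@example.com {result}")
    return lines


def parse_line(line):
    """Split one log line into (timestamp, source, username, result)."""
    ts_text, source, username, result = line.split()
    ts = datetime.strptime(ts_text, LOG_TS_FORMAT).replace(tzinfo=timezone.utc)
    return ts, source, username, result


def detect_stuffing(lines, window=timedelta(minutes=5), min_attempts=20,
                    min_distinct_users=10, max_success_ratio=0.05):
    """Return one finding per (source, window) that looks like credential stuffing.

    A stuffing source is characterised by volume, breadth (many distinct
    usernames from one place) and a very low success ratio. A user retrying
    their own password produces volume at most, never breadth.
    """
    buckets = defaultdict(lambda: {"attempts": 0, "ok": 0, "users": set()})
    window_seconds = window.total_seconds()
    for line in lines:
        ts, source, username, result = parse_line(line)
        slot = int(ts.timestamp() // window_seconds)  # fixed-size window index
        bucket = buckets[(source, slot)]
        bucket["attempts"] += 1
        bucket["users"].add(username)
        if result == "OK":
            bucket["ok"] += 1

    findings = []
    for (source, slot), bucket in sorted(buckets.items()):
        ratio = bucket["ok"] / bucket["attempts"]
        if (bucket["attempts"] >= min_attempts
                and len(bucket["users"]) >= min_distinct_users
                and ratio <= max_success_ratio):
            findings.append({
                "source": source,
                "window_start": datetime.fromtimestamp(slot * window_seconds, tz=timezone.utc),
                "attempts": bucket["attempts"],
                "distinct_users": len(bucket["users"]),
                "success_ratio": round(ratio, 4),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_stuffing(build_sample_log()):
        print(finding)
```

The distinct-username threshold is the signal that separates stuffing from ordinary failed logins, but it also trips on large shared egress points such as a corporate NAT, so in production the source key would normally be a device or session fingerprint rather than a bare IP address, and the flagged sources would be used to trigger step-up authentication rather than an outright block.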

“Credential stuffing has become an increasingly popular attack vector powering a robust and complex criminal ecosystem,” said Shuman Ghosemajumder, CTO, Shape Security. “Data breaches have become pervasive over the last few years, but what most people don’t realize is the domino effect of damage that a single breach is capable of producing. To fight back, organizations have started banding together to build a collective defense to be alerted when credentials stolen from one breach are being used to log in to another, effectively blocking attackers attempting to access their platforms with compromised credentials.”

Additional 2018 Credential Spill Report findings

On average, nearly 1 million credentials were exposed to criminals every day of 2017 (excluding Yahoo!, which represented the largest credential spill incident of 2017 when it reported an additional 2 billion credentials compromised from its previously reported 2013 breach). That’s the equivalent of every San Francisco resident having one of their online accounts exposed every single day.

The number and frequency of spills has remained remarkably consistent from 2016 to 2017. In 2016, there were 52 reported spills; in 2017, there were 51. Over the course of two years, there was never more than a seven-week gap between two reported spills.

Researchers observed five different attack groups performing credential stuffing attacks on a top-5 U.S. bank’s mobile app over the course of two weeks. In total, the attackers targeted 363,000 bank accounts, or approximately 4,000 accounts per day.


The U.S. consumer banking industry loses up to $1.7 billion annually as a result of credential stuffing. Based on its research, Shape Security estimates an average of 232.2 million malicious login attempts per day with a 0.05 percent success rate, meaning 116,106 successful account takeover attacks every day with an average of $400 stolen from an individual account.

Credential stuffing attacks account for 80-90 percent of a retailer’s login traffic. One luxury retailer experienced 99 percent attack traffic on their login page in 2017.

vBulletin vulnerabilities, misconfigured databases or servers, and malware and phishing campaigns were the top causes of credential spills in 2017 (in that order).