Credential Theft Attacks Doubled Between 2016 and 2020

The number of attacks resulting in large-scale credential theft has almost doubled over the past four years, although the volume of breached login pairs has declined, according to F5.

The security vendor's 2021 Credential Stuffing Report warned that while average breach volumes declined from 63 million records in 2016 to 17 million in 2020, poor security practice is driving downstream risk exposure.

Perhaps unsurprisingly, plaintext storage of passwords was responsible for by far the largest share of spilled credentials (43%), followed by unsalted SHA-1 hashed passwords (20%), while the discredited hashing algorithm MD5 still remains surprisingly common.
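
As an added illustration (not from the F5 report or this article), the script below audits a constructed sample of stored password fields for the storage classes named above and shows why unsalted hashes spill so badly: two accounts sharing a password produce the same SHA-1, while a salted, iterated KDF does not. The `$pbkdf2-sha256$` record format, the account names and the passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
from collections import Counter
from typing import Optional

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 iteration count used by this example


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash in a self-describing record (format is ours, not a library standard)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"$pbkdf2-sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, _alg, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def classify(stored: str) -> str:
    """Heuristic: a bare fixed-length hex digest is unsalted MD5 (32) or SHA-1 (40)."""
    if stored.startswith("$pbkdf2-sha256$"):
        return "salted-kdf"
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "unsalted-md5"
    if re.fullmatch(r"[0-9a-f]{40}", stored):
        return "unsalted-sha1"
    return "plaintext"


def audit(store: dict) -> dict:
    """Count storage classes so the weak ones can be migrated before a spill."""
    return dict(Counter(classify(v) for v in store.values()))


def duplicates_exposed(store: dict) -> list:
    """Unsalted hashes shared by several accounts: one crack or one lookup table opens them all."""
    shared = Counter(v for v in store.values() if classify(v).startswith("unsalted"))
    return sorted(h for h, n in shared.items() if n > 1)


# Constructed sample store, one field per account, mirroring the classes F5 found behind spills.
SAMPLE_STORE = {
    "alice": "Summer2020!",                             # plaintext
    "bob":   hashlib.sha1(b"Summer2020!").hexdigest(),  # unsalted SHA-1
    "carol": hashlib.sha1(b"Summer2020!").hexdigest(),  # same password, identical hash
    "dave":  hashlib.md5(b"letmein").hexdigest(),       # unsalted MD5
    "erin":  pbkdf2_store("Summer2020!"),               # salted KDF
    "frank": pbkdf2_store("Summer2020!"),               # same password, different record
}
```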

Organizations are also poor at detecting breach attempts: the median time to discovering a credential spill between 2018 and 2020 was 120 days, while the average time to discovery was 327 days.

This matters because once credentials are in the hands of cyber-criminals, they can use them to crack open customer accounts across the web.

An Akamai report from 2020 claimed that more than 60% of the 100 billion credential stuffing attacks detected over the previous two years were targeted at retail, travel and hospitality organizations, with retail accounting for more than 90% of these.

A separate report from the vendor from 2019 estimated that credential stuffing attacks cost EMEA businesses on average $4m each year through application downtime ($1.2m), lost customers ($1.6m) and IT security overtime ($1.2m), as well as the cost of follow-on fraud.

"Credential spills are like an oil spill: once leaked, they are very hard to clean up because credentials do not get changed by unassuming consumers, and credential stuffing solutions are yet to be widely adopted by enterprises," said Sara Boddy, senior director of F5 Labs.

"It is not surprising that during this period of research, we saw a shift in the number one attack type from HTTP attacks to credential stuffing. This attack type has a long-term impact on the security of applications and is not likely to change any time soon."

F5 also warned that attackers are increasingly using "fuzzing" techniques to improve the success rate of credential attacks by checking variants of a stolen password as well as the original.