Credential-stuffers enjoy up to 2% attack success rate – report

Hackers achieve a success rate of 0.1 to 2 per cent when reusing stolen credentials to access other sites, according to a new study by Shape Security.

More than three billion credentials were reported stolen worldwide in 2016, with 51 companies admitting a breach. These stolen credentials are routinely abused by cybercriminals in attempts to hijack accounts on other sites, a tactic that only works because consumers often reuse the same password and login ID combination on multiple sites.

A major retailer (which later became a Shape customer) experienced a large-scale credential-stuffing attack with more than 10,000 total login attempts over one day, using the most popular credential-stuffing attack tool, Sentry MBA.

"Shape has identified millions of instances of credentials from reported breaches being used in credential-stuffing attacks on other websites, with up to a 2 per cent success rate in taking over accounts on systems that did not report public data breaches," the firm said. "As a result, automated fraud losses from credential stuffing is in the billions of dollars worldwide, based on the value of accounts taken over. The most commonly targeted account systems include bank accounts, retail gift card accounts, and airline and hotel loyalty programmes."

Yahoo!, which reported two separate spills in 2016, leaked the greatest number of login credentials, followed by FriendFinder, MySpace, Badoo and LinkedIn. Tech companies spilled the most credentials (1.75 billion) but the gaming industry was the sector that witnessed the largest number of breaches.

In response to the abuse of compromised user credentials, the National Institute of Standards and Technology last month recommended that online account systems check their users' passwords against known spilled credential lists, a practice already followed by companies such as Facebook and others. The proposed checks are included in Draft NIST Special Publication 800-63B Digital Identity Guidelines. If the password chosen by a user appears on the spilled credential lists, NIST recommends that the user be informed that they should choose another since their chosen phrase has been compromised. ®