Key Findings from the 2018 Credential Spill Report

Credential Stuffing attacks leverage usernames and passwords from data breaches on other sites

In 2016 we saw the world come to grips with the fact that data breaches are almost a matter of when, not if, as some of the world’s largest companies announced spills of incredible magnitude. In 2017 and 2018, we started to see regulatory agencies make it clear that companies need to proactively protect users from attacks fueled by these breaches as they show little sign of slowing.

In the time between Shape’s inaugural 2017 Credential Spill Report and now, we’ve seen a vast number of new industries roll up under the Shape umbrella and, with that, troves of new data on how different verticals are exploited by attacker — from Retail and Airlines to Consumer Banking and Hotels. Shape’s 2018 Credential Spill Report is nearly 50% larger and includes deep dives on how these spills are used by criminals and how their attacks play out. We hope that the report helps companies and individuals understand the downstream impact these breaches have. Credential stuffing is the vehicle that enables endless iterations of fraud and it is critical to have eyes on the problem as soon as possible. This is a problem that is only getting worse and attackers are becoming more advanced at a rate that is devaluing modern mitigation techniques rapidly.

Last year, over 2.3 billion credentials from 51 different organizations were reported compromised. We saw roughly the same number of spills reported each of the past 2 years, though the average size of the spill decreased slightly despite having a new record breaking announcement reported by Yahoo. Even after excluding Yahoo’s update from the measurements in 2017, we saw an average of 1 million credentials spilled every single day.

These credential spills will affect us for years and, with an average time of 15 months between a breach and the report, attackers are already well ahead of the game before companies can even react to being compromised. This window of opportunity creates strong motives for criminals, as evidenced by the e-commerce sector where 90% of login traffic comes from credential stuffing attacks. The result is that attacks are successful as often as 3% of the time and the costs can quickly add up for businesses. Online retail loses about $6 billion per year while the consumer banking industry faces over $50 million per day in potential losses from attacks.

2017 also gave us many credential spills from smaller communities — 25% of the spills recorded were from online web forums. These spills did not contribute the largest number of credentials but their presence underlines a significant and important role in how data breaches occur in the first place. Web forums frequently run on similar software stacks and often do not have IT teams dedicated to keeping that software up-to-date as a top priority. This makes it possible for one vulnerability to affect many different properties with minimal to no retooling effort. Simply keeping your software up to date is the easiest way to protect your company and services from being exploited.

As a consumer, the advice is always the same: never reuse your passwords. This may seem like an oversimplification but it is the 100% foolproof way to ensure that any credential spill doesn’t leave you open to a future credential stuffing attack. Data breaches can still affect you in different ways depending on the details of the data that was exfiltrated, but credential stuffing is the trillion dollar threat and you can sidestep it completely by ensuring every password is unique.

As a company, protecting your users against the repercussions of these breaches is becoming a greater priority. You can get a pretty good idea of whether or not you may already have a problem by monitoring the patterns of your login success rate compared to daily traffic patterns. Most companies and websites have a fairly constant percentage of login success and failures, if you see deviations that coincide with unusual traffic spikes you are likely already under attack. Of course, Shape can help you identify this traffic with greater detail but it’s important to get a handle on this problem regardless of the vendor — we all win if we disrupt criminal behavior that puts us all at risk. As part of our commitment to do this ourselves, Shape also released its first version of Blackfish, a collective defense system aimed at sharing alerts of credential stuffing attacks within Shape’s defense network for its customers. This enables companies to preemptively devalue a credential spill well before it has even been reported.

You can download Shape’s 2018 Credential Spill report here.

Please feel free to reach out to us over twitter at @shapesecurity if you have any feedback or questions about the report.


Originally published at blog.shapesecurity.com on July 30, 2018.