2.3 Billion Account Credentials Compromised from 51 Organizations in 2017; New Research Shows Breadth of Breach Impacts

Shape Security’s 2018 Credential Spill Report provides inside look at lifecycle of stolen credentials and extent of data breach damage

MOUNTAIN VIEW, Calif., July 18, 2018 (GLOBE NEWSWIRE) — Shape Security, the provider of advanced security and fraud technology for the world’s largest companies, today released its second annual Credential Spill Report, shedding light on the extent to which the consumer banking, retail, airline and hospitality industries are impacted by credential stuffing attacks and account takeover. The report analyzes attacks that took place in 2017 and reveals 2.3 billion account credentials were compromised as a result of 51 independent credential spill incidents.

Credential stuffing collectively costs U.S. businesses over $5 billion a year. When usernames and passwords are exposed, or “spilled,” through a data breach or attack on users, criminals harvest these credentials and test them on a wide range of websites and mobile applications. There is up to a three percent success rate for account takeover from credential stuffing attacks because the majority of the population reuses passwords. The attackers then drain those accounts of value to commit all types of fraud, from unauthorized bank transfers to illicit online purchases.

Shape Security’s report found that an average of 15 months elapsed between the day credentials were compromised and the day the spill was reported by an organization. This is the most dangerous window of time as criminals carry out credential stuffing attacks using credentials that have not yet been identified as compromised, meaning companies have no way of knowing which uses are at risk. The longer an attack group can conceal the stolen credentials, the more value they can extract by weaponizing the credentials against a range of other organizations.

“Credential stuffing has become an increasingly popular attack vector powering a robust and complex criminal ecosystem,” said Shuman Ghosemajumder, CTO, Shape Security. “Data breaches have become pervasive over the last few years, but what most people don’t realize is the domino effect of damage that a single breach is capable of producing. To fight back, organizations have started banding together to build a collective defense to be alerted when credentials stolen from one breach are being used to log in to another, effectively blocking attackers attempting to access their platforms with compromised credentials.”

Additional 2018 Credential Spill Report findings:

  • On average, nearly 1 million credentials were exposed to criminals every day of 2017 (excluding Yahoo!, which represented the largest credential spill incident of 2017 when it reported an additional 2 billion credentials compromised from its previously reported 2013 breach). That’s the equivalent of every San Francisco resident having one of their online accounts exposed every single day.
     
  • The number and frequency of spills has remained remarkably consistent from 2016 to 2017. In 2016, there were 52 reported spills; in 2017, there were 51. Over the course of two years, there was never more than a seven-week gap between two reported spills. 
     
  • Shape Security observed five different attack groups performing credential stuffing attacks on a top-5 U.S. bank’s mobile app over the course of two weeks. In total, the attackers targeted 363,000 bank accounts, or approximately 4,000 accounts per day.
     
  • The U.S. consumer banking industry loses up to $1.7 billion annually as a result of credential stuffing. Based on its research, Shape Security estimates an average of 232.2 million malicious login attempts per day with a 0.05 percent success rate, meaning 116,106 successful account takeover attacks every day with an average of $400 stolen from an individual account.
     
  • Credential stuffing attacks account for 80-90 percent of a retailer’s login traffic. One luxury retailer experienced 99 percent attack traffic on their login page in 2017.
     
  • VBulletin vulnerabilities, misconfigured databases or servers, and malware and phishing campaigns were the top causes for credential spills in 2017 (in that order).

Shape Security protects over 1.6 billion online accounts from credential stuffing. Its customer base represents a large proportion of U.S. industries including 60 percent of airlines, 40 percent of hotels and 40 percent of consumer banking.

Credential Spill Report
The Shape Security 2018 Credential Spill Report is an analysis of publicly reported data combined with an aggregation of Shape’s proprietary credential stuffing data. Shape Security estimated the number of credential stuffing attacks using the total number of credential stuffing attacks observed on Shape’s U.S. customers and the total proportion of the U.S. industry Shape’s customers represent.

About Shape Security
The world’s leading financial, retail and travel companies and government agencies rely on Shape Security as their primary line of defense against cyber fraud and data breaches on their web and mobile applications. The Shape platform, covered by 55 U.S. patents, was designed to stop the most dangerous application attacks enabled by cybercriminal automation tools, including credential stuffing (account takeover), application DDoS, unauthorized aggregation, and other threats. Shape has prevented over $1 billion in fraud losses for its customers and protects more than 20% of the world’s in-store mobile payments. Shape is headed by industry leaders from Google, Cisco, IBM, Raytheon, Palo Alto Networks, and the Pentagon.

Contact Information
Press@shapesecurity.com