10 Billion Credential Stuffing Attempts in H2 2018: Report

February 28, 2019

Between May and December 2018, hackers tried to illegally log into e-commerce accounts more than 10 billion times, which made retail the most targeted segment, according to a new study.

E-commerce retailers from jewelry to department stores to fashion have been targeted by credential stuffing attacks, in which hackers use botnets to systematically try to log in to online accounts with stolen credentials. The Akamai 2019 State of the Internet/Security: Retail Attacks and API Traffic Report found that hackers were able to target more than 120 retailers at once using multi-functional bots.

Because so many consumers use the same login credentials across multiple accounts, bad actors were able to compromise many retail accounts. In addition to retail sites, the report found that media and entertainment properties were also victims of credential abuse along with a significant number of financial services, hotel and travel, and consumer goods sites.

“The techniques change, but the motivation remains the same: greed,” said Martin McKeay, security researcher and editorial director of the report. “Retailers remain on the front lines, because stolen merchandise sells quickly and at a premium. And for that reason, the data shows which merchandise is of the highest value: Apparel sites are targeted the most.”

Unfortunately, it is possible for a bot campaign to completely evade detection so that a retailer “might see the online sales and record-setting transactions as proof its product is in demand. They’ll have little to no indication that its inventory clearing was automated and used to fuel a secondary-market or scrape information from its customers,” the report said.


Kacy Zurkus