Credential‑stuffing attacks behind 30 billion login attempts in 2018

Streaming media feature among services that take the spotlight in a report on credential-stuffing attacks in 2018

Streaming media feature among services that take the spotlight in a report on credential-stuffing attacks in 2018

Hackers made 30 billion attempts last year that involved testing out purloined or leaked login details en masse in a bid to invade other people’s online accounts, reads a report by content delivery network provider Akamai.

In automated attacks called ‘credential stuffing’, miscreants leverage bots for login attempts that rely on stolen or spilled access credentials that belong to one account in order to break into other accounts, and hammer the sites with login attempts until they hit on the right combination. As vast dossiers of username/password combinations are readily available and many people recycle their login details across multiple sites, this problem clearly isn’t going away.

Rather the contrary, as Akamai said last year that 43 percent of all login requests globally were malicious. Worryingly, these attempts were found to pay dividends in anywhere between 0.1% and 2% of attempts. If successful, the attacker is able not only to take over the account, but also to steal its owner’s personal data for identity theft and fraudulent transactions, as well as leverage the online account for spam campaigns, among other nefarious actions.

The new report, entitled The 2019 State of the Internet / Security: Credential Stuffing: Attacks and Economies – Special Media Report, notes that there are a number of step-by-step tutorials on sites such as YouTube that walk the viewer through creating such compilation lists themselves and unleashing their own credential-stuffing attacks. One particular video detailing how to validate credentials using just one out of scores of ‘checker programs’ has amassed tens of thousands of views.

The United States, Russia and Canada were found to be the top countries of origin for the attacks. The US and Canada also ranked first and third in the list of top targets, with India ‘sandwiched’ between them.

Hot stuff

One sector that has to contend with billions of credential-stuffing attempts annually is media and entertainment services. “Hackers are very attracted to the high profile and value of online streaming services,” Akamai’s Director of Security Technology and Strategy Patrick Sullivan is quoted as saying.

In aggregate, media, gaming and entertainment companies saw 11.6 billion such attacks between May and December 2018 alone. There were several peaks with up to 200 million attacks against sites in the video media sector alone, with Akamai arguing that the holders of username/password compilation lists “may have been testing the credentials before they were to be sold”.

Meanwhile, similarly as with an earlier edition of Akamai’s report, the overall figures may understate the extent of the problem in industries in which email addresses are not used as user IDs, notably the financial industry.

Earlier this year, we reported on the discoveries of five caches of login credentials that were floating around the internet and between them contained 2.2 billion purloined login details.

Simple ways to stay safe from account-takeover attacks include utilizing a complex and unique password or passphrase for each of your online accounts, together with enabling two-factor authentication.

Sign up to receive an email update whenever a new article is published in our Ukraine Crisis – Digital Security Resource Center