A total of 28 billion credential-stuffing attempts were made globally between May and December 2018. This works out to more than 115 million attempts to compromise or log into user accounts every single day, according to a report by Akamai Technologies, which provides cloud services for delivering, optimising, and securing content and business applications over the internet.
Under credential stuffing, stolen login information from one account is used to enter other accounts through automated login, says TechTarget.com.
Retail took the top spot on the list of hardest-hit industries, with 10 billion credential-stuffing attempts directed towards it, globally, said the report.
The report stated that, under credential stuffing, hackers use all-in-one (AIO) bots, which can make quick purchases of a product listed on a retail site they are targeting. These bots are especially useful in flash sales and limited-edition purchases. A single AIO bot can target close to 120 retailers at once.
Apart from retail, the media and entertainment industry is a notable victim of credential stuffing, said the report. The value proposition of the media and entertainment sites is only the personal information that they possess on individuals, such as credit card information given to streaming services on purchase of content. Such data holds considerable value in the black market.
Akamai also said there was significant credential-stuffing abuse of FMCG (fast-moving consumer goods), BFSI (banking, financial services and insurance) and travel and hospitality segments. “The techniques change, but the motivation remains the same: greed,” said Martin McKeay, Akamai security researcher and editorial director of the report.