It is no surprise that stolen data is a valuable resource. Through buying account details or extracting them from hacked databases, attackers perform what is called credential stuffing attacks. Due to these attacks, over 90% of login attempts performed towards online retailers are now malicious, with losses near $6 billion as a direct result.
Stolen data means big business
Personal data equals big business for hackers: Information such as credit card details, your address or login credentials could be for sale online as we speak. The latter has lead to online retailers being hit tremendously hard as hackers attempt to login to different pages in order to grab valuable products. Therefore, a cheap account may lead to massive profits for the attacker.
Brute-force login attacks, dubbed credential stuffing, are the reason for more than 90% of e-commerce pages login attempts being malicious. Similarly, airline and consumer banking report 60% of login attempts as malicious, a report by cyber security firm Shape Security reveals.
Credential stuffing explained
A credential stuffing attack is simple in nature: First of, an attacker purchases a large list of accounts or retrieves them from a hacked database. Afterwards, through an automated script, the username and password combination is tested on a multitude of different webpages and services.
Once access to an account has been gained the hacker looks for more valuable information or services to steal. These include frequent flier miles, cash through banking accounts or simply different merchandise.
Credential stuffing attacks are successful around 3% of the time as reported by Shape Security. While the percentage may seem small, due to how often these types of attacks occur, it results in massive losses: A reported $6 billion a year is lost by the e-commerce sector while the consumer banking industry loses out on €1.7 billion each year.
How do you protect yourself?
How do you protect yourself as a user? The main method of prevention is to not re-use passwords between different platforms and services. A password manager could prove useful, as you don’t have to remember your unique passwords yourself.