Web forums were the greatest targets for credential spills during 2017, which saw more than 2.3 billion credentials from 51 different organizations reportedly stolen, according to a new report from Shape Security. Of those 51 different organizations, companies providing online services contributed the largest number of compromised credentials, with over 2 billion credential spills. In total, the criminal enterprise is costing US businesses over $5bn a year.
The report, released today, studied the life cycle of stolen credentials, taking a holistic, behind-the-scenes look at the extent to which credentials can be monetized and weaponized long after a breach occurs. Because web forums serve as hyper-specialized communities of online users, they tend to have lower membership and thus a smaller collection of credentials. “However, they are easy targets for credential spills because many are volunteer-run and lack a corporate security or IT function," the report stated. While web forums were found to be the most frequently targeted, they are not actually the source of the greatest number of spills.
“Social media sites were typically responsible for the largest spills. This makes sense because those organizations rely on a network effect to succeed, so they are likely to have the largest user bases,” the report said.
While the report found the frequency of credential spills remained consistent for two years, the average size of spills in 2017 was lower than in 2016. “Additionally, over the course of two years, spills have been reported on a very regular basis; in 2017, the longest gap between reports was 31 days,” it said.
On average, there’s a 15-month window between credentials being compromised and the breach, during which time criminals carry out their most damaging credential stuffing attacks. Credential stuffing attacks make up from 58% to 90% of login traffic, depending on the industry. According to the report, the US consumer banking industry suffers almost $50m potential losses each day due to credential stuffing attacks.
In the banking industry alone, credential stuffing attacks cost an average of $1.7bn annually. In the e-commerce industry, the average cost jumped to $6bn annually. Over time, though, the value of the stolen credentials decreases. As more people have access to those credentials, they fall out of favor for criminals.