July 20, 2018
Somewhere on the dark web, your email address and a few passwords are probably for sale. Cyber criminals are buying a treasure trove of data to try to log in to websites (like yours), where they hope to grab anything from cash, to airline points, to expensive cheese. Yes, cheese, a report by Quartz reveals.
Indeed, key findings of the second annual Credential Spill Report compiled by Shape Security indicate that over 2.3 billion usernames and passwords were reported “spilled” by 51 organizations during 2017 alone.
Online retailers are targeted for most of the attacks, the cybersecurity firm says. Hackers use programs to apply stolen data in a flood of login attempts, called “credential stuffing.” These days, more than 90% of e-commerce sites’ global login traffic comes from these attacks.
There has also been a barrage of attacks on the airline and consumer banking sectors, with about 60% of login attempts coming from criminals, Quartz notes.
These attacks are successful as often as 3% of the time, and the costs quickly add up for businesses, Shape says. This type of fraud costs the e-commerce sector about $6 billion a year, while the consumer banking industry loses out on about $1.7 billion annually. The hotel and airline businesses are also major targets—the theft of loyalty points is a thing—costing a combined $700 million every year.
The experts warn that by the time you hear about a hacker intrusion, it’s usually too late: on average, it takes 15 months from the day credential data is stolen to the day an intrusion is revealed. That’s more than enough time for criminals to deploy the data of unsuspecting people in thousands of credential stuffing attacks.
Research contact: firstname.lastname@example.org