Shape Security has released a report on credential spills for 2018, which states that 80% to 90% of all traffic to ecommerce sites comes from hackers attempting credential-stuffing attacks.
Credential stuffing is where an attacker uses usernames and passwords obtained in leaks or breaches to take over people’s online accounts. A program is used to automatically try pairs of usernames and passwords through websites or mobile apps.
On average, 90% of all login attempts at ecommerce sites are credential-stuffing attacks. Around 60% of login attempts at airlines and consumer banks are attacks, while 44% of the login attempts hotels see are attempts to take over accounts.
The average credential-stuffing success rate at retailers is 0.5%.
According to the report, there is also a significant delay between when a credential spill is discovered and when it is reported.
“Half of all credential spills were discovered and reported within the first four months of the compromise,” said Shape Security.
“However, because some spills take years to discover, it took an average of 15 months between the day that an attacker accessed the credentials to the day the spill was reported, in 2017.”
This period matters because the longer the time between the day credentials are stolen and the day the spill finally becomes public, the greater the cost and negative consequences of the spill.