90% of login attempts on ecommerce sites come from hackers

Shape Security has released a report on credential spills for 2018, which states that 80% to 90% of all traffic to ecommerce sites come from hackers attempting credential-stuffing attacks.

Credential stuffing is where an attacker uses usernames and passwords obtained in leaks or breaches to take over people’s online accounts. A program is used to automatically try pairs of usernames and passwords through websites or mobile apps.

On average, 90% of all login attempts at ecommerce sites are credential-stuffing attacks. Around 60% of attempts at airlines and consumer banks are attacks, while 44% of attempts hotels see are attempts to take over accounts.

The average credential-stuffing success rate at retailers is 0.5%.

According to the report, there is also a significant delay between when a credential spill is discovered and when it is reported.

“Half of all credential spills were discovered and reported within the first four months of the compromise,” said Shape Security.

“However, because some spills take years to discover, it took an average of 15 months between the day that an attacker accessed the credentials to the day the spill was reported, in 2017.”

This period matters as the length of time between the day credentials are stolen, and the day spills finally public, increases the cost and negative consequences of the spill.

Shape Security 2018 credential stuffing attack percentages

Now read: Liberty hackers go silent after big threats

Latest news

Partner Content

Show comments


Share this article
90% of login attempts on ecommerce sites come from hackers