The number of attacks resulting in large-scale credential theft has almost doubled over the past four years, even though the number of login pairs exposed per breach has declined, according to F5.
The security vendor's 2021 Credential Stuffing Report warned that although the average spill shrank from 63 million records in 2016 to 17 million in 2020, poor password-storage practice continues to drive downstream risk for the users, and the other sites, on which those credentials are reused.
Perhaps unsurprisingly, plaintext storage of passwords accounted for by far the largest share of spilled credentials (43%), followed by unsalted SHA-1 hashes (20%), while the discredited MD5 algorithm remains surprisingly common. An unsalted fast hash offers little more protection than plaintext: identical passwords produce identical digests, so a precomputed lookup table reverses a whole spill in bulk.
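To make the storage point concrete, the following is an added example (not code from F5 or the report) that places the weak scheme the report names, an unsalted SHA-1 per password, beside a hardened one built from the Python standard library: a random per-user salt plus the iterated PBKDF2-HMAC-SHA256 derivation. The wordlist, the sample passwords and the 600,000-iteration work factor are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed sample data for this example; none of it comes from the report.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2020!"]
PBKDF2_ITERATIONS = 600_000   # work factor; an assumption to be tuned per deployment


def unsalted_sha1(password: str) -> str:
    """The discredited scheme: one fast, unsalted hash. Equal passwords give equal digests."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(digest: str, wordlist: Iterable[str]) -> Optional[str]:
    """Reverse an unsalted digest with a lookup table built once and reused for every spill."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return table.get(digest)


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened form: per-user random salt plus a slow, iterated derivation (stdlib PBKDF2)."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Self-describing record, so the work factor can be raised later without breaking old rows.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    # Two users with the same password: the unsalted digests collide, the salted records do not.
    print(unsalted_sha1("password") == unsalted_sha1("password"))   # True: one lookup cracks both
    print(crack_unsalted(unsalted_sha1("password"), WORDLIST))       # 'password'
    a, b = store_password("password"), store_password("password")
    print(a != b, verify_password("password", a), verify_password("Password", a))  # True True False
```

The salt is what defeats the lookup table (two users with the same password get two different records), and the iteration count is what makes guessing each record individually expensive; a salted but fast hash fixes only the first problem. Storing the iteration count in the record lets a site raise the work factor later and re-hash users on their next successful login.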
Organizations are also slow to notice that a spill has happened: between 2018 and 2020 the median time to discover a credential spill was 120 days, and the average was 327 days.
This matters because once credentials are in criminal hands they can be replayed against consumer accounts across the web, wherever the same login pair has been reused.
An Akamai report from 2020 claimed that over 60% of the 100 billion credential stuffing attacks detected over the previous two years were targeted at retail, travel and hospitality businesses, with retail accounting for over 90% of these.
A separate Akamai report from 2019 estimated that credential stuffing attacks cost EMEA organizations on average $4m each year through application downtime ($1.2m), lost customers ($1.6m) and IT security overtime ($1.2m), before the cost of follow-on fraud is counted.
“Credential spills are like an oil spill: once leaked, they are very hard to clean up because credentials do not get changed by unassuming consumers, and credential stuffing solutions are yet to be widely adopted by enterprises,” said Sara Boddy, senior director of F5 Lab.
“It is not surprising that during this period of research, we saw a shift in the number one attack type from HTTP attacks to credential stuffing. This attack type has a long-term impact on the security of applications and is not going to change any time soon.”
F5 also warned that attackers increasingly use "fuzzing" techniques to raise their success rate, trying variants of a stolen password alongside the original rather than only the exact string that was spilled.
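The following added example (not code from F5 or the report) shows what such fuzzing looks like from the attacker's side and why a cosmetic password rotation does not help. The transformation rules (case changes, leet substitutions, bumping a trailing year or counter, common suffixes) are this example's own assumptions about what attackers try; the article does not list them. The victim site, its accounts and the "Summer2020!" to "Summer2021!" rotation are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# The transformation rules below are this example's assumptions about what the
# report calls "fuzzing"; the article does not list the exact rules attackers use.
COMMON_SUFFIXES = ["", "!", "1", "123", "!1"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def password_variants(stolen: str) -> List[str]:
    """Return the stolen password first, then plausible rotations of it, deduplicated."""
    bases = {stolen, stolen.lower(), stolen.upper(), stolen.capitalize(), stolen.translate(LEET)}
    # Split "Summer2020!" into stem "Summer", digits "2020", trailing symbols "!"
    # so that year/counter bumps apply to the number a user is most likely to rotate.
    stem, digits, punct = re.match(r"^(.*?)(\d+)?([^\w]*)$", stolen).groups()
    if digits is not None:
        n, width = int(digits), len(digits)
        for delta in (1, 2, -1):
            bases.add(f"{stem}{max(n + delta, 0):0{width}d}{punct}")
    variants = [stolen]
    for base in sorted(bases):            # sorted: deterministic order across runs
        for suffix in COMMON_SUFFIXES:
            candidate = base + suffix
            if candidate not in variants:
                variants.append(candidate)
    return variants


class TargetSite:
    """Constructed stand-in for a victim login endpoint with no rate limiting or lockout."""

    def __init__(self, accounts: Dict[str, str]):
        self._accounts = accounts
        self.attempts = 0

    def login(self, username: str, password: str) -> bool:
        self.attempts += 1
        return self._accounts.get(username) == password


def stuff_with_fuzzing(username: str, stolen: str, site: TargetSite) -> Tuple[Optional[str], int]:
    """Credential stuffing with fuzzing: try the spilled password, then its variants.

    Returns the password that worked (or None) and the number of login attempts spent.
    """
    before = site.attempts
    for candidate in password_variants(stolen):
        if site.login(username, candidate):
            return candidate, site.attempts - before
    return None, site.attempts - before


if __name__ == "__main__":
    # Constructed scenario: carol's "Summer2020!" was spilled; she "rotated" to "Summer2021!".
    site = TargetSite({"carol": "Summer2021!"})
    hit, tries = stuff_with_fuzzing("carol", "Summer2020!", site)
    total = len(password_variants("Summer2020!"))
    print(f"hit={hit!r} after {tries} login attempts out of {total} candidates")
```

The attempt counter is the defender's handle on this: a fuzzed stuffing run spends many failed logins on the same account in quick succession, which is exactly the signal per-account and per-source rate limiting and failed-login alerting are built to catch. A password that shares no stem with the spilled one (a fresh random passphrase, or a password manager entry) is outside the variant set entirely.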