In 2017, some 2.3 billion account credentials were stolen because of 51 independent credential spill incidents, according to Shape Security‘s second annual Credential Spill Report. The main industries affected were consumer banking, retail, airline, and hospitality, which were primarily attacked via credential stuffing and account takeovers, according to Shape Security’s press release.

Credentials are often spilled through data breaches or personal attacks on users, in which cybercriminals obtain the credentials and use them on a wide array of websites and mobile apps, explained the press release.

Credential stuffing are large scale cyberattacks where criminals use stolen credentials over a mass amount of logins. These attacks are often successful because of users reusing passwords, said the release, which is no surprise, as 25% of employees use the same passwords for every account. Attackers then use the information to commit various fraudulent actions, from unauthorized bank transfers to online purchases.

SEE: IT leader’s guide to cyberattack recovery (Tech Pro Research)

“Credential stuffing has become an increasingly popular attack vector powering a robust and complex criminal ecosystem,” said Shuman Ghosemajumder, CTO of Shape Security, in the press release. “What most people don’t realize is the domino effect of damage that a single breach is capable of producing. To fight back, organizations have started banding together to build a collective defense to be alerted when credentials stolen from one breach are being used to log in to another, effectively blocking attackers attempting to access their platforms with compromised credentials.”

An average of 15 months passed between the day credentials were stolen and the day the incident was realized and reported by an organization, said the release. With this substantial amount of time, cybercriminals can carry out a slew of attacks. Roughly 1 million credentials were exposed to criminals every day in 2017, said the report.

VBulletin vulnerabilities, misconfigured databases or servers, and malware and phishing campaigns were the other top causes of credential spills in 2017, said the press release. Shape Security even estimates an average of 232.2 million malicious login attempts per day with a .05% success rate.

The big takeaways for tech leaders:

  • Some 2.3 billion account credentials were compromised because of 51 credential spill incidents in 2017 — Shape Security, 2018.
  • Businesses can protect themselves by creating a collective defense to be alerted about stolen credentials as quickly as possible — Shape Security, 2018.