Billions of email and password combinations are readily available online for cybercriminals to exploit, and poor password security is resulting in costly losses for businesses.
Research commissioned by cloud service provider Akamai has found that businesses are losing $4m on average each year due to credential stuffing attacks.
Credential stuffing is an untargeted form of account takeover in which cybercriminals make use of stolen data sets to gain unauthorised access to user accounts. Bots are used to test large numbers of credentials to find accounts where the owner has reused the same login credentials across multiple services, or failed to change their password following a breach.
According to the research, carried out by Ponemon Institute, businesses have noticed an increase in the volume and severity of such attacks. Businesses reported that they were hit by 11 credential stuffing attacks annually on average, with more than 1,000 accounts targeted each time.
If an account is successfully breached, cybercriminals can begin using the account to make fraudulent purchases or gather more information on its owner.
In February, Akamai revealed that hackers were using a similar technique to muscle in on the fast-growing fashion resale market, for example by using aged accounts to buy up limited edition or low-stock products.
The cost of these attacks is adding up for businesses. Losses due to application downtime, loss of customers and increased IT security spending following a cyberattack are estimated at $1.2m, $1.6m and $1.2m respectively.
Businesses struggling to deal with credential stuffing
“We’re used to the idea that lists of stolen user IDs and passwords are being spilled across the dark web,” Jay Coley, Senior Director of Security Planning and Strategy for Akamai Technologies, said. “But the continued rise in credential stuffing attacks shows that the danger is almost unlimited.”
This rise can be attributed to botnets – networks of infected devices which hackers abuse to carry out cybercriminal activities, such as sending spam emails or conducting distributed denial-of-service (DDoS) attacks – according to Coley:
“Cybercriminals are increasingly using botnets to validate those lists against other organisations’ login pages, widening the impact of a hack.”
Akamai’s Credential Stuffing Attacks Report found evidence of botnets being used to carry out credential stuffing in a way that appears genuine to businesses. To carry out ‘Low & Slow’ attacks, hackers throttle botnet traffic to avoid alerting organisations to their presence, while increasing attempts during peak hours when they blend in with real users.
This is making credential stuffing attempts increasingly difficult for organisations to deal with. Some 88% admit that they have difficulty telling real users from cybercriminals and bot traffic, while just 36% believe that they are quick to detect and deal with resulting attacks.
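To make the detection problem described above concrete, here is an added example (not code from Akamai, the report or this article) that runs two heuristics over constructed login-log lines: a per-source rule that catches a single IP cycling through a credential list, and a per-window rule that catches the ‘Low & Slow’ pattern, where each botnet node tries only one or two accounts so that no single IP ever trips a per-IP limit. The log format, the thresholds and the sample traffic are all assumptions made for the example.

```python
"""Spot credential-stuffing patterns in web login logs (added example).

Two heuristics run over each fixed-size time window:
  1. High-volume source: one IP tries many distinct usernames and almost
     all of its attempts fail.
  2. Distributed low-and-slow: no single IP trips rule 1, but the window
     as a whole shows many distinct usernames failing from many distinct
     IPs that each touch only one or two accounts.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # assumed log timestamp format


def build_sample_log():
    """Constructed sample traffic (not real logs): '<ISO time> <src ip> <user> <OK|FAIL>'."""
    lines = [
        # 09:00 window: two genuine logins plus one bot cycling through a leaked list.
        "2024-05-01T09:00:05Z 198.51.100.5 alice OK",
        "2024-05-01T09:00:40Z 198.51.100.6 bob OK",
    ]
    start = datetime(2024, 5, 1, 9, 1, 0, tzinfo=timezone.utc)
    for i in range(8):
        when = (start + timedelta(seconds=i)).strftime(LOG_FORMAT)
        lines.append(f"{when} 203.0.113.10 leaked{i:02d} FAIL")
    # 10:00 window: throttled botnet, each node tries a single account once.
    lines += [
        "2024-05-01T10:00:03Z 198.51.100.7 carol OK",
        "2024-05-01T10:02:30Z 198.51.100.5 alice OK",
    ]
    start = datetime(2024, 5, 1, 10, 0, 10, tzinfo=timezone.utc)
    for i in range(12):
        when = (start + timedelta(seconds=20 * i)).strftime(LOG_FORMAT)
        lines.append(f"{when} 192.0.2.{i + 1} victim{i:02d} FAIL")
    # 11:00 window: only genuine traffic.
    lines += [
        "2024-05-01T11:00:05Z 198.51.100.5 alice OK",
        "2024-05-01T11:00:09Z 198.51.100.6 bob OK",
    ]
    return "\n".join(lines)


def parse_line(line):
    """Return (timestamp, source_ip, username, succeeded) for one log line."""
    ts, ip, user, outcome = line.split()
    when = datetime.strptime(ts, LOG_FORMAT).replace(tzinfo=timezone.utc)
    return when, ip, user, outcome == "OK"


def analyze(log_text, window_seconds=300, per_ip_users=5, per_ip_fail_ratio=0.8,
            spread_min_ips=10, spread_max_users_per_ip=2, spread_fail_ratio=0.8):
    """Return a list of alert dicts, one per (window, rule) that fired."""
    windows = defaultdict(list)
    for line in log_text.strip().splitlines():
        when, ip, user, ok = parse_line(line)
        windows[int(when.timestamp()) // window_seconds].append((ip, user, ok))

    alerts = []
    for key, events in sorted(windows.items()):
        per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0})
        for ip, user, ok in events:
            rec = per_ip[ip]
            rec["users"].add(user)
            rec["total"] += 1
            rec["fail"] += 0 if ok else 1

        # Rule 1: a single source spraying many accounts with mostly failures.
        noisy = {ip for ip, r in per_ip.items()
                 if len(r["users"]) >= per_ip_users
                 and r["fail"] / r["total"] >= per_ip_fail_ratio}
        for ip in sorted(noisy):
            alerts.append({"rule": "high_volume_source", "window": key,
                           "source": ip, "usernames": len(per_ip[ip]["users"])})

        # Rule 2: among the remaining sources, many IPs each failing against
        # one or two accounts, and failures dominating the window overall.
        quiet = {ip: r for ip, r in per_ip.items() if ip not in noisy}
        total = sum(r["total"] for r in quiet.values())
        fails = sum(r["fail"] for r in quiet.values())
        low_touch = [ip for ip, r in quiet.items()
                     if r["fail"] > 0 and len(r["users"]) <= spread_max_users_per_ip]
        failing_users = {user for ip, user, ok in events if not ok and ip in quiet}
        if (len(low_touch) >= spread_min_ips and len(failing_users) >= spread_min_ips
                and total and fails / total >= spread_fail_ratio):
            alerts.append({"rule": "distributed_low_and_slow", "window": key,
                           "sources": len(low_touch), "usernames": len(failing_users)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(build_sample_log()):
        print(alert)
```

The window length is the tunable that matters most: a botnet throttled to one attempt per node per hour will only show up if the window (or a rolling baseline of failure ratio per window) is long enough to accumulate those attempts, which is exactly why the report's ‘Low & Slow’ traffic is hard to separate from ordinary mistyped passwords at a glance.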
Spending on cybersecurity to save on security breaches
Coley believes that tools which go beyond checking that username and password combinations match, and instead consider factors such as key-press patterns, mouse movements and device orientation, could help businesses to avoid the multi-million dollar losses that occur each year as a result of credential stuffing attempts.
“The best way to beat a bot is to treat them for what they are: non-human,” Coley said. “This is why companies need bot management tools to monitor their behaviour and distinguish bots from genuine log-in attempts.”