Credential stuffing attacks are costing businesses an average of $4 million a year

Cybercriminals applying credential stuffing, which plays on the likelihood that individuals use the same username and password across applications, sites and services, are responsible for 11 credential stuffing attacks every month.

Each attack targets an average of 1,041 user accounts, and costs an average of $4 million. This breaks down as:

  • costly application downtime – $1.2 million
  • loss of customers – $1.6 million
  • involvement of IT security – $1.2 million

Credential stuffing occurs as cybercriminals take stolen account details from one platform and deploy bots to log into vast numbers of others using the same credentials. Once they have gained entry, criminals will abuse an account until its owners become aware, often making fraudulent purchases or stealing confidential information.

Are IT executives in control of password security in their organisations?

According to a new study, 75% of IT executives lack control over password security within their organisations.

The report also found that businesses are struggling to identify false log-in attempts by bots, with the majority (88%) of respondents agreeing it is difficult to tell real employees and customers from criminal intruders.

Jay Coley: “The danger is almost unlimited”

“We’re used to the idea that lists of stolen user IDs and passwords are being spilled across the dark web,” said Jay Coley, Senior Director, Security Planning and Strategy at Akamai Technologies. “But the continued rise in credential stuffing attacks shows that the danger is almost unlimited. Cybercriminals are increasingly using botnets to validate those lists against other organisations’ login pages, widening the impact of a hack. It’s clear that companies have a responsibility to get ahead of this practice to protect their customers and employees – but they also need to protect their own bottom line.”

The research also found that only 35% of companies say they have good visibility into credential stuffing attacks, and only 36% believe attacks against their websites are quickly detected and remediated.

High number of entry points

The research revealed that companies have an average of 26.5 customer-facing websites in production, providing a high number of entry points for bots to break in. This is further complicated by the need for companies to provide login access for different types of clients, including customers on a desktop or laptop (87%), mobile web browsers (65%), third parties (40%) and mobile app users (36%).

Coley continued: “Modern websites are sprawling entities that can comprise hundreds or thousands of web pages and support many different types of clients and traffic. Companies understanding their website architecture and how clients flow from different pages to their login endpoints is essential to successfully mitigating credential stuffing attacks — and keeping costs under control.”

Identifying real employees and customers from criminal intruders

No less than 88% of respondents agreed that it is difficult to tell real employees and customers from criminal intruders. This challenge is not being helped by a lack of clear ownership in the business, with 37% of respondents saying no one function is leading on the identification and prevention of credential stuffing attacks.

Coley concluded: “The best way to beat a bot is to treat them for what they are: non-human. Most behave nothing like real people but their methods are becoming more sophisticated. This is why companies need bot management tools to monitor their behaviours and distinguish bots from genuine log-in attempts. Instead of standard log-in systems which just check whether a username and password match, they need to look at key-press patterns, mouse movements and even the orientation of a mobile device. With the potential cost running into the millions, the urgency to identify and put the brakes on these bots has never been greater.”

Michael Baxter

Michael Baxter is a tech, economic and investment journalist. He has written four books, including iDisrupted and Living in the age of the jerk. He is the editor of and the host of the ESG...