View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
September 13, 2019updated 07 Jul 2022 4:58am

Akamai: We Saw 61 Billion Credential Stuffing Attacks in 18 Months

Automated "all-in-one" credential stuffing tools are easily available

By CBR Staff Writer

As data breaches continue to proliferate, credential stuffing attacks have become rampant – and heavily automated.

A new report by Akamai today captures the scale: a mammoth 61 billion credential stuffing attempts in 18 months.

Credential stuffing is the automated injection of breached usernames/password pairs in order to gain access to accounts.

Attackers don’t even need pairs: a leaked email address and a lightweight brute force attempt to guess the password is often enough to pay dividends for an attacker, when “admin” or “password1” remain common.

With over eight billion email addresses leaked online alongside 555 million+ passwords – just the metrics captured by the “HaveIBeenPwned” database; the real figure is no doubt larger – every data breach is grist to the mill.

Credential Stuffing

Credit: Akamai

Akamai: Credential Stuffing 

In a report focussed on the tech, video media and entertainment sectors, Cambridge, Massachusetts-based Content Delivery Network (CDN) and security firm Akamai notes that the three accounted for 35 percent of credential stuffing attacks over the January 2018 – June 2019 period it tracked.

“Our analysis indicates these three verticals are a stable and consistent attack source for two reasons: personal and corporate data. The targeted brands are household names, and criminals are looking to capitalize on that familiarity.”

By now almost completely automated, credential stuffing attacks are driven by All-in-One (AIO) applications like SNIPR or STORM, it notes.

Content from our partners
European Technology Leadership: Deutsche Bank CTO Gordon Mackechnie
Print’s role in driving the environmental agenda
What finance leaders get wrong about digital transformation

“Some AIO programs are free, while others require an upfront registration fee. One of the more popular programs, SNIPR, will retail for about $20, while STORM is freely available online.”

Most AIOs also now come with pre-built evasion techniques for many default defensive measures, the company adds.

Read this: Magecart’s 7 Groups: Hackers Dropping Counter-Intelligence Code in JavaScript Skimmers

Looking more broadly at attack types against the three sectors, the security firm noted that SQL injections remained the top attack vector, accounting for more than 70 percent of attacks, followed by Local File Inclusion at 19.3 percent, Cross-Site Scripting at 3.9 percent, and PHP Injection at 3.3 percent.

Akamai adds; “Most criminals aren’t using sophisticated or specialized tools. They generally use the same legitimate programs widely available in numerous security offerings, including Metasploit and Kali Linux.

“Criminals with the skills to create bespoke tools are rarely noisy enough to show up in volume-based metrics, but they do exist.”

Read this: Microsoft Launches Public Preview of Security Key Support: Password-Free Life Creeps Closer

Websites in our network
NEWSLETTER Sign up Tick the boxes of the newsletters you would like to receive. Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
I consent to New Statesman Media Group collecting my details provided via this form in accordance with the Privacy Policy