Over 90% of Login Traffic to E-Commerce Websites Comes from Credential Stuffing

Martin Rodgers

Among the nefarious dealings that take place on the dark web, selling stolen personal data is big business for hackers. Cybercriminals particularly look for information that they can use to try to log in to websites. Identity theft, money siphoning, and ransomware typically follow if they are successful.

Now a report by a cybersecurity firm called Shape Security has revealed the habits of hackers who engage in such attacks. Using a process known as credential stuffing, hackers use software to apply stolen credentials in order to access user accounts. Basically, they harvest usernames and passwords from data breaches and test them on every website and mobile app imaginable.
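From the defending site's side, this pattern shows up in login logs as one source trying many different accounts with very few successes. The sketch below is an added example, not code from the Shape Security report; the log format, the thresholds and the function name are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample log (not real data): timestamp, source IP, username, result.
SAMPLE_LOG = "\n".join(
    # One source cycling through ten different accounts, one hit.
    [f"2024-01-01T10:00:{i:02d}Z 203.0.113.7 user{i} {'OK' if i == 4 else 'FAIL'}"
     for i in range(10)]
    # A single user mistyping a password twice, then succeeding.
    + ["2024-01-01T10:01:00Z 198.51.100.20 alice FAIL",
       "2024-01-01T10:01:05Z 198.51.100.20 alice FAIL",
       "2024-01-01T10:01:09Z 198.51.100.20 alice OK"]
    # Five colleagues behind one shared address, all logging in successfully.
    + [f"2024-01-01T10:02:{i:02d}Z 192.0.2.50 staff{i} OK" for i in range(5)]
)


def flag_stuffing_sources(log_text, min_users=5, max_success_ratio=0.1):
    """Return {ip: (distinct_users, attempts, success_ratio)} for suspicious sources."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guess at their fields
        _ts, ip, user, result = parts
        entry = stats[ip]
        entry["users"].add(user)
        entry["attempts"] += 1
        entry["ok"] += result == "OK"

    flagged = {}
    for ip, entry in stats.items():
        ratio = entry["ok"] / entry["attempts"]
        # Many distinct accounts AND few successes: a shared office address
        # has the first property but not the second, so it is not flagged.
        if len(entry["users"]) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = (len(entry["users"]), entry["attempts"], round(ratio, 2))
    return flagged


if __name__ == "__main__":
    for ip, (users, attempts, ratio) in flag_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {users} accounts, {attempts} attempts, success ratio {ratio}")
```

Per-source counting is only one signal; a site would normally combine it with others and tune both thresholds against its own traffic.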

The Volume of Attacks is Horrifying

The size of these attempts will shock you. The report found that over 90% of login traffic to e-commerce websites comes from these attacks. Second was the airline industry, at 60%, followed closely by banking, at 58%, and hotels in fourth place with 44%.

Last year alone accounted for 51 breaches, which combined compromised 2.3 billion credentials.

The Outcome

These attacks are successful as often as 3% of the time, which ends up costing the e-commerce sector about $6 billion a year. The consumer banking industry loses about $1.7 billion annually. The hotel and airline industries lose a combined $700 million every year.

The response is typically very slow too. On average, it takes 15 months for an intrusion to be detected.

Web forums accounted for the highest number of breaches (13), followed by online services (11), and social media (7). Gaming and retail tied at 4 breaches each.

Hackers as Scavengers

Typically, hackers gather credentials from small, less secure sites and use the data to access high-value services. Community banks top the chart when it comes to the frequency of attacks: the sector is attacked more than 200 million times each day.

Buying merchandise that can easily be resold is another way hackers turn data into cash. Drolly, expensive $200-per-pound cheese is also a coveted target: hackers break into online grocery accounts, purchase the high-priced dairy product and resell it to restaurants.

Frequent flyer miles are legal tender too. Criminals sell award points from hotels and airlines to specialist brokers. These specialists then sell them to online travel agencies that use them to sell discounted tickets for business class and first class airfares. So the next time you purchase discounted tickets, remember that there is a chance that they have been subsidized by an unsuspecting netizen.

Martin Rodgers

Martin is an avid internet and digital privacy advocate. When he's not writing for VPN Review, he can be found dissecting any VPN app or service he can get his hands on.
