2.3B credentials were stolen in 2017
In 2017, some 2.3 billion account credentials were stolen in 51 independent credential spill incidents, according to Shape Security's second annual Credential Spill Report. The main industries affected were consumer banking, retail, airline, and hospitality, which were primarily attacked via credential stuffing and account takeovers, according to the company's press release.
Credential stuffing is a large-scale cyberattack in which criminals try stolen credentials across a large number of logins. These attacks often succeed because users reuse passwords, which is no surprise, as 25% of employees use the same password for every account. Attackers then use the information to commit various fraudulent actions, from unauthorized bank transfers to online purchases.
"What most people don't realize is the domino effect of damage that a single breach is capable of producing. To fight back, organizations have started banding together to build a collective defense to be alerted when credentials stolen from one breach are being used to log in to another, effectively blocking attackers attempting to access their platforms with compromised credentials."
An average of 15 months passed between the day credentials were stolen and the day an organization discovered and reported the incident, said the release. With this substantial amount of time, cybercriminals can carry out a slew of attacks. Roughly 1 million credentials were exposed to criminals every day in 2017, said the report.