All industries are at risk of credential stuffing and account takeover (ATO) attacks. However, some industries are at a greater risk because of the sensitive information or volume of customer data they possess.
While cyber-attacks come in many forms, credential stuffing relies on an interconnected chain of sites: criminals obtain customer credentials from a breach at one site and then replay those username/password pairs against the login forms and password-retrieval forms of other sites to launch account takeover (ATO) attacks.
Account takeover and fraud follow directly from successful credential stuffing attempts. Reports of such attacks are growing daily, and they are becoming a serious problem for businesses across the globe.
Some notable incidents include:
- PetSmart attack attempt.
- DunkinDonuts ATO attack.
- Norton, where over 925,000 people were targeted and over 6,500 customers had their data compromised.
- DraftKings ATO attack, where over 60,000 betting accounts were compromised via a credential-stuffing attack.
The most infamous credential-stuffing attack was reported by Akamai Technologies, where over 30 billion credential-stuffing attempts were recorded across their services and systems.
Given that many users reuse passwords across multiple accounts, some degree of success in accessing accounts through credential stuffing is inevitable. According to the Cost of Credential Stuffing report by the Ponemon Institute, businesses incur an average annual loss of $6 million due to credential stuffing, stemming from factors like application downtime, customer attrition, heightened IT expenses, and other related causes.
Hence, here are the top 4 industries that are at a greater risk than others.
1. Retail & E-commerce
In the retail and e-commerce sectors, accounts are directly linked to products and services, so it is unsurprising that the sector ranks atop the ATO threat list. In addition to a broad threat surface, electronic gift cards give bad actors a way to access information, transfer value, and extract funds swiftly. Because of the value tied to these accounts, retail and e-commerce experience the highest volume of malicious attacks, with over 80% of login attempts raising suspicion.
American retail giant Hot Topic, a brand that specializes in couture culture and accessories, stated that countless cyber attacks in the form of credential stuffing were perpetrated against it between February and June 2023.
The information exposed includes:
- Names
- Email addresses
- Dates of birth
- Shipping addresses
- Saved payment card details
2. Financial Services (FinServ)
Financial services and banking institutions oversee trillions of dollars, rendering them prime targets for credential stuffing and ATO. According to a recent report by Accenture, credential theft poses a pervasive and severe threat, especially within the financial services sector.
A US credit union detailed a week-long onslaught of automated credential stuffing that severely disrupted their systems. During lunchtime, the credit union typically experiences heightened traffic, with login attempts peaking at 45,000 per hour. P2P payment portal PayPal experienced a similar attack in 2022, which compromised the data of thousands of users. On December 20, 2022, PayPal completed its investigation, affirming that unauthorized third parties gained access to its accounts. As per PayPal’s data breach report, the incident affected 34,942 users.
3. Healthcare
The healthcare sector faces persistent threats of credential stuffing and ATO, particularly as medical devices become more interconnected. Apart from billing information, hackers also target valuable medical records of individual patients, which fetch high prices on the dark web. Such data breaches can lead to identity theft or credit card fraud. Moreover, stolen health insurance details may enable individuals to fraudulently obtain medical or dental services for free.
United HealthCare (UHC) suffered a breach due to a credential stuffing attack against its mobile application. The compromised accounts included details such as names, health insurance ID numbers, claim specifics, and group identifiers. UHC promptly took its portal offline upon detection of the attacks to prevent further unauthorized access and implemented a password reset procedure. Affected individuals were offered complimentary credit protection services for 2 years.
4. Higher Education
Higher education institutions are prime targets due to their wealth of data. This includes extensive financial aid information on students, grants, employee tax records, and various other financial assets.
In the recent past, a coordinated cyberattack orchestrated by nine Iranian hackers targeted over 300 universities worldwide. Official reports indicated that this attack resulted in the exposure of 31 terabytes of valuable intellectual property and data.
Adding to the complexity, students frequently lack the experience and discernment to identify phishing schemes. To cater to the needs of students, staff, and researchers, many universities and colleges rely on openly accessible systems, which presents a further challenge for higher education institutions.
The National Institute of Standards and Technology (NIST) has recently released guidelines recommending that all organizations implement screening measures for compromised credentials during their login processes.
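As an added illustration of the screening measure described above (example code written for this post, not NIST's or Wallarm's), the check below rejects a password at login if it appears in a breached-password corpus. It uses the k-anonymity range pattern, where only the first five hex characters of the SHA-1 hash are sent to the lookup service and the full hash never leaves the login service; the corpus and the `range_lookup` service are constructed stand-ins for a real breach-data endpoint.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed stand-in for a breached-password corpus (not real breach data).
CONSTRUCTED_BREACH_CORPUS = ["password", "123456", "letmein", "qwerty", "Summer2023!"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 digest, the form used by range-query breach services."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: List[str]) -> Dict[str, List[str]]:
    """Index hash suffixes by their 5-character prefix, as a range service would."""
    index: Dict[str, List[str]] = {}
    for pw in corpus:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append(digest[5:])
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACH_CORPUS)


def range_lookup(prefix: str) -> List[str]:
    """Simulated range endpoint: returns every suffix sharing the 5-char prefix."""
    return RANGE_INDEX.get(prefix.upper(), [])


def is_compromised(password: str, lookup: Callable[[str], List[str]] = range_lookup) -> bool:
    """True if the password's hash appears in the corpus; only the prefix is sent out."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    # Comparison happens locally, so the lookup service never sees the full hash.
    return suffix in set(lookup(prefix))


def screen_login(username: str, password: str) -> Dict[str, str]:
    """Login-time decision: known-breached passwords trigger a forced reset."""
    if is_compromised(password):
        return {"user": username, "decision": "require_reset"}
    return {"user": username, "decision": "allow"}
```

Because the hash prefix matches many unrelated passwords, the service learns nothing usable about the submitted password, which is what makes this check safe to run on every login.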
Maximize Your Security Posture
NIST CSF 2.0 & Wallarm’s Dashboard Unveiled
Wallarm is conducting a webinar to help you “Maximize Your Security Posture – NIST CSF 2.0 & Wallarm’s Dashboard Unveiled.”
The webinar delves into the specifics provided by the recent NIST CSF 2.0 release, and how Wallarm’s new and improved NIST 2.0 dashboard aligns with these guidelines to provide enhanced visibility, identify security gaps, and offer tailored implementation safeguards.
The webinar is free to attend. Reserve your spot here
For more information about credential stuffing, ATO attacks, and other cybersecurity news, check out our blog: https://lab.wallarm.com/