2018 Credential Spill Report

Key Findings

Over 2.3 Billion usernames and passwords were reported spilled from 51 organizations in 2017.
US consumer banking industry faces $50 million per day in potential losses from credential stuffing attacks.
Fifteen months for a credential spill to become public knowledge.

Fill out the form to get the report

By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Policy.
Shape SPM Dashboard

Proportion of Login Traffic that is Credential Stuffing Attacks by Industry (Global)

Retailers face relentless credential stuffing attacks, typically comprising 80-90 percent of their traffic. In fact, one luxury retailer experienced 99 percent attack traffic on their login page in 2017. Credential stuffing against retail web properties is very lucrative for cybercriminals for two key reasons.

First, retail websites are designed to cause as little friction as possible for customers. Due to the emphasis onuser experience, retailers are reluctant to impose any security measure that could lead a customer to abandon their cart, whether it be two-factor authentication or email confirmations required for account changes.

Second, credential stuffing attackers have benefited from the rise in omnichannel services. One of the biggest opportunities for fraud is the gap between online and offline retail created by omnichannel services. Fraudsters can use hijacked online accounts to more easily monetize previously stolen merchandise from physical storefronts, as well as purchase merchandise online which they then monetize in stores.

Peek inside the report

Protect Your Online Business Today

Get Protected by Shape

Try Shape