November 15, 2018
Today Shape was recognized as the fastest-growing company in Silicon Valley and the third-fastest growing company in the U.S. by Deloitte’s Technology Fast 500™, a ranking of the 500 fastest growing technology, media, telecommunications, life sciences and energy tech companies in North America.
May 7, 2019
Shape Connect™ Provides Industry's Highest Level of Defense for Mid-market Organizations at Unrivaled Value to Defeat Fake Traffic Online
January 8, 2019
Shape Security been recognized by Fortune Magazine as one of the Top 100 companies disrupting the artificial intelligence industry.
March 11, 2019
Is that security trend hot or not? From tools and technologies to threats, tactics, and training, the numbers don't lie.
March 11, 2019
Credential stuffing uses automated scripts to try out username/password pairs to gain access to a system.
March 26, 2019
The retail industry suffered more data breach incidents than any other sector as attackers become more organized and targeted with their efforts.
February 20, 2019
Aite Group report finds that machine learning-powered cybersecurity solutions are becoming must-haves for threat detection and response.
May 7, 2019
Shape Connect™ Provides Industry's Highest Level of Defense for Mid-market Organizations at Unrivaled Value to Defeat Fake Traffic Online
November 1, 2018
Round brings Shape’s total raised to $132M, enables global expansion
January 8, 2019
Shape Security been recognized by Fortune Magazine as one of the Top 100 companies disrupting the artificial intelligence industry
December 19, 2018
Shape Security, a pioneer in bot and automated fraud mitigation, today announced that JPMorgan Chase & Co. (JPM) has inducted the company into its Hall of Innovation for its platform, which addresses automated web and mobile threats.
November 15, 2018
Today Shape was recognized as the fastest-growing company in Silicon Valley and the third-fastest growing company in the U.S. by Deloitte’s Technology Fast 500™, a ranking of the 500 fastest growing technology, media, telecommunications, life sciences and energy tech companies in North America.
BBC talks with Shape Security CTO Shuman Ghosemajumder to dig deeper into the data behind cybercrime.
“Credential stuffing attacks burden an IT, security, fraud, and customer service department in different ways.”
“Credential stuffing is when hackers fill a database with as many passwords and usernames they can find and feed them into an automated hackers’ tool that pounds away at a specified website.”
“It is statistically proven that an average of about 90% of all login attempts upon e-commerce websites are aimed at credential stuffing.”
“Selling stolen personal data is a big business for hackers. Somewhere on the dark web, your e-mail address and a few passwords are probably for sale.”
“At least 15 separate security breaches occurred at retailers from January 2017 until now. Many of them were caused by flaws in payment systems, either online or in stores.”
“At least 15 separate security breaches occurred at retailers from January 2017 until now. Many of them were caused by flaws in payment systems, either online or in stores.”
“In 2017, some 2.3 billion account credentials were stolen because of 51 independent credential spill incidents.”
“Go to your Amazon, Zappos, etc. account now and change the password to something stronger. That’s the takeaway from a cyber security firm’s report that says a whopping 91 percent of all attempts to log into e-commerce websites are from hackers.”
“Over two billion credentials were stolen in 2017 and contributed to the complex problem of credential spills, credential stuffing and account takeover fraud.”
.png)
“The criminals that go into your Amazon account and buy stuff are typically not the guys who stole your password. They're at the end of a long chain of bad guys.”
“Shape Security’s report found that an average of 15 months elapsed between the day credentials were compromised and the day the spill was reported by an organization. This is the most dangerous window of time...”
“Web forums were the greatest targets for credential spills during 2017, which saw more than 2.3 billion credentials from 51 different organizations reportedly stolen, according to a new report from Shape Security.”
“Shape Security's 2018 Credential Spill Report reveals the severity of data breaches and offers insight to the lifespan of stolen information.”
“Online retailers are hit the most by these attacks, according to a report by cyber security firm Shape Security. Hackers use programs to apply stolen data in a flood of login attempts, called credential stuffing.”
“A new study by cyber security firm Shape Security found that more than 90% of the login traffic of online retailers actually comes from hackers using stolen login data.”
“Fingerprinting is just little bits of data that lead up to something specific,” says Jarrod Overson, the director of engineering at Shape Security, a cybersecurity company. “And it gets to be problematic when those data bits end up leading to individual people.”
“GDPR’s effects will reach far beyond consumer privacy. Companies seeking to avoid the regulation’s stiff penalties will soon see—if they haven’t already—that security is the core issue.”
“When Under Armour reports that potentially tens of millions of users have had their usernames and passwords stolen, this has a much bigger long-term effect on users' security on other online accounts, due to most peoples' habits of reusing the same passwords.”
“Investing in all the traditional security in the world to prevent your website from having vulnerabilities will not help if your users’ own bad habits of reusing passwords results in cybercriminals being able to log in to your application just like those users.”
“What this creates is a data-driven defense network, which is constantly learning, constantly improving and capable of autonomously defending itself”
“Being transparent with users and enforcing good operational practices is just as important as investing in security technology.”
Shuman Ghosemajumder, CTO of Shape Security and MIT Technology Review’s Martin Giles discuss responsibilities that companies have towards protecting the sensitive personal information they hold about us.
“The economy of the Internet as a whole is suffering so that we can learn which passwords have been stolen. Because Blackfish can see all automated log-ins in real time, [it] can capture compromised usernames and passwords,” Sarah Squire says, “instead of buying them.”
“Credential stuffing only works because many users still use the same login details on multiple sites. This is a serious security risk that's only getting worse as the volume of data breaches rises.”
“New technology uses a bloom filter computer science approach to help detect potentially breached passwords, before a breach is publicly disclosed.”
“GUEST: Shuman Ghosemajumder Chief Technology Officer Shape Security Discussing the launch of Blackfish, the first system that can autonomously identify stolen passwords before the original data breach is reported or even detected.”
“Today, the company released Blackfish, a product that could help blunt the impact of stolen password caches from massive breaches like Yahoo (the mother of all breaches), Adobe and Home Depot to name but a few examples.”
“Shape Security today launched Blackfish, the first system that can autonomously identify stolen passwords before the original data breach is reported or even detected.”
“It's not the size of the stolen data dump that is important. It's the window between the date of the breach and the date of discovery that represents the biggest threat.”
“For years we’ve been educating people not to enter their personal information into sites they have never visited before to protect them from phishing,” said Shuman Ghosemajumder, chief technology officer of Shape Security. “And that’s exactly what the notification site asks people to do.”
Shape CTO Shuman Ghosemajumder on Equifax breach: "You should probably act as though your data has been compromised."
“...a profound implication for how we use SSNs throughout the country, as it is possible that as a result of this breach, the majority of adults’ SSNs are now compromised.”
"...organizations should not act out the old adage that the CISO’s primary job is to get fired when something goes wrong, in this case."
"Credential-stuffing attacks are not rare. They account for more than 90 percent of the Internet traffic to log-in pages at major services, Shape Security’s Ghosemajumder says."
"Quid looked at more than 50,000 companies and chose 50 it deemed the most promising."
"This incident has many people suggesting that everyone in the world should change all of their passwords immediately."
"Criminals are already using image recognition technology, in combination with "Captcha farms," to by-pass this security measure."
"In 2011, while serving as deputy assistant secretary of defence at the Pentagon, Shape Security co-founder Sumit Agarwal observed a rising trend in the volume and complexity of automated attacks on Web and mobile applications. "
"On most websites, users enter their email addresses in lieu of user IDs, so cybercriminals often need only to crack a victim’s password once to gain entry to several of his or her accounts."
"A study out today from Shape Security shows that it's common for credential-stuffing login attempts to account for more than 90% of all login activity on Internet-facing systems at Fortune 100 firms."
"Now consider credential stuffing. The term was coined by Shape Security co-founder Sumit Agarwal when he was serving as Deputy Assistant Secretary of Defense at the Pentagon."
"Hackers achieve a success rate of 0.1 to 2 per cent when reusing stolen credentials to access other sites, according to a new study by Shape Security."
"According to figures from Shape Security, at least 11 gaming organizations suffered credential leaks last year."
"A botnet is very efficient at testing a stolen logon at dozens of different accounts to access as many as possible."
"The real issue now is that these passwords will be used to breach thousands of other websites unrelated to Yahoo, as cybercriminals use advanced automated tools to discover where users have used those same passwords on other sites," Shuman Ghosemajumder, chief technology officer of Shape Security, told NBC News.
"The real issue now is that these passwords will be used to breach thousands of other websites unrelated to Yahoo, as cybercriminals use advanced automated tools (like Sentry MBA) to discover where users have used those same passwords on other sites, through credential stuffing attacks, the most common attacks on web applications and APIs today."
"There's no sign in a computer saying, 'Haha, we're the Russians -- we did it!'"
"People who create a really strong password for one site but then use it across others are vulnerable to attacks"
"When entities have mediocre security hygiene, they inevitably end up having lost the keys to a much larger kingdom than we originally thought,"
“Unless you have a secondary email account registered with that account, which most Yahoo users likely do not, there is no good mechanism to force a password reset without effectively locking many users out of their accounts permanently,”
"this most recent credential spill at one of the world’s largest email providers further exacerbates the risk of millions of accounts being taken over at thousands of other major websites."
"Hackers obtained more than just names and passwords in the Yahoo breach -- they also nabbed answers to security questions. Cybercriminals can use that info to conduct automated attacks called 'credential stuffing.'"
"This breach makes the job of cybercriminals that much easier"
"By understanding user behavior, many companies are learning to spot and deflect sophisticated automated attacks (including credential stuffing, content scraping or application DDoS) before companies are struck by fraud."
"Dyn’s service disruption was yet another demonstration of how attacks on various critical points on the Internet can impact millions of users, and how vulnerable those points may currently be."
"The outage on Dyn customers is yet another demonstration of how attacks on various critical points on the Internet can affect large numbers of users..."
"Internet of Things’ excitement marred by vulnerability to hacking attacks"
"Attack on company with fewer than 500 employees causes massive disruption"
"while DDoS attacks aren't a new phenomenon, some attacks have had 'unprecedented volume recently.'"
"If there are other people in the WikiLeaks organization with access to the same documents and a protocol to operate if they cannot communicate with him, there's no need for a ‘digital’ dead man's switch"
"Testing passwords against email addresses has been termed ‘credential cracking’ in a new handbook from OWASP (the Open Web Application Security Project)"
"Data breaches on the scale of Yahoo are the security equivalent of ecological disasters"
"We’re looking at hundreds of different signals to analyse the ways that real human activity should look in every single transaction."
"If you’re one of the 500 million people whose Yahoo! accounts were breached, you are now being actively targeted."
"Automated threats are responsible for millions in fraud losses per day"
"Shape Security Announces Partnership With Hewlett-Packard Pathfinder. The security provider will accelerate its growth due to its latest round of investments."
"One of the unintended consequences in the rise of eCommerce is a related rise in cyberfraud attacks on online shoppers."
"Shape Security raises $40 million, lands HPE as partner, investor."
"Cybersecurity startup Shape Security raised $40 million in funding on Thursday to expand sales in the U.S. and internationally."
"Today’s top three cybersecurity threats are not manual attacks like in the olden days of hackers, but rather automated attacks that are difficult to stop."
"Shape Security is now protecting 20 percent of the world's in-store mobile payments."
"The growing concern over online security is leading to a growing investment in cybersecurity platforms."
"Yahoo likely faced a dilemma in efforts to reset user passwords following the breach."
"Six lawmakers question why it took Yahoo two years to discover breach as experts warn of the implications of the record-breaking haul of password data."
"A password can be changed, after all, but how do you change your mother's maiden name"
"As investors and investigators weigh the damage of Yahoo's massive breach to the internet icon, information security experts worry that the record-breaking haul of password data could be used to open locks up and down the web."
"Hacked passwords that are transacted in darknet domains usually end up in password databases. This is where the big problem arises."
"A big worry is a cybercriminal technique known as "credential stuffing," which works by throwing leaked username and password combinations at a series of websites in an effort to break in"
"Credential spills are one of the most widespread, yet misunderstood, security breaches."
"A cybercriminal using 500 million passwords to attempt to take over accounts on another website would be able to take over tens of thousands of accounts on most other websites."
"Top five biggest hack of all time."
"The real issue now is that these passwords will be used to breach thousands of other websites unrelated to Yahoo."
"We typically see a 0.1% to 2% login success rate from credential stuffing attacks, meaning that a cybercriminal using 500 million passwords to attempt to take over accounts on another website would be able to take over tens of thousands of accounts on most websites"
"This cycle [of credential spills] is typical, but the scale is pretty astounding"
"cybercriminals use advanced automated tools to discover where users have used those same passwords on other sites."
"The real issue is what will happen next with these passwords."
"In the case of credential stuffing, the most commonly used standalone management tool we have observed enabling attacks is called Sentry MBA"
"The hackers are believed to have been stealing user credentials from around 85 companies, including Amazon, American Airlines, Apple Pay, AT&T, Best Buy, DropBox, Dunkin' Donuts, Ebay, GoDaddy, Match.com, McDonald's, Office Depot, PayPal, Pizza Hut, Steam, Uber and Wells Fargo."
"Cybercriminals are getting creative, and coming up with ways to interact with websites we haven't thought of before."
"If you lack the resources to integrate your own security solution from the various point products on the market, Care recommended using a "one stop shop" solution that uses Layer 1 (endpoint) and Layer 3 (user data)."
"A new report released by Shape Security yesterday details how the Sentry MBA tool makes credential stuffing attacks more widely available to cybercriminals."
"Shape Security warns of the growing threat of the hacking tool, which is able to bypass many modern IT defenses."
"Shape Security, a California-based Web security firm, warned that the tool is an example of how cybercrime is increasingly compartmentalized and commoditized."
"RSA 2016 Security researchers have thrown the spotlight on a popular cybercrime tool that’s used by crooks to automate the process of taking over accounts on major websites before making fraudulent purchases."
"It demonstrates the urgent need for nationwide support and coordination at the highest levels on cybersecurity issues"
"Baseline Ventures led the investment in the company that targets attacks led by bots."
"Shape's "Botwall" technology helps protect websites and mobile apps against automated attacks conducted by threat actors that use automation."
"The same tricks that make attack bots blind on the Web are now blinding them when they attack mobile APIs."
"Shape counts airlines, financial services companies, retailers and government entities as customers."
"Shape's software aims to inform retailers about whether attackers targeting them have targeted them in the past and to detect and prevent future attacks."
"VTech apparently had almost nothing in the way of security on their web application…"
"This attacker hasn't shared the data, but there's no way of knowing whether other attackers may have already obtained the same data…"
"Cyber Grinches scalp Santa with an automated arsenal of software programs that snap up new toy releases faster than any parent's frantic fingers can click 'buy.'"
"Watch for telltale signs that a company isn't taking security seriously, such as not using Secure Sockets Layer/Transport Layer Security (SSL/TLS) while logging in or submitting sensitive information…"
Shuman Ghosemajumder talks with Jon Fortt on the hot topic of encryption on CNBC’s Squawk Alley.
"…in an interesting twist, consultants at Shape Security discovered that at least one Icoscript strain receives C&C updates from Gmail draft messages."
Shuman Ghosemajumder offers his perspectives on the practice of paying up when confronted with ransomware attacks.
"Shape Security offered an illustration of how its Botwall service alters the underlying HTML code of a Web page so that it is constantly changing…"
Shape’s Sumit Agarwal offers his perspectives on the role of integrated access management in recent breaches.
"By succinctly defining broad but actionable rules of the playground, Shape enables its employees to experiment freely without constantly checking in with supervisors."
"Researchers at the security startup Shape Security say they’ve found a strain of malware on a client’s network…"
"Companies that require top-notch site security, such as e-commerce vendors and health-care providers, are just two of the industries the company is looking to convert."
"Shape Security. Remember that name."
"One of the most ingenious ways to make software more secure…"
“You don’t have to be more clever than the hackers. You just have to be more clever than their other targets.”
