The travel and retail sectors are the top targets for credential stuffing attacks, according to Auth0’s State of Secure Identity report. Credential stuffing is a type of brute-force attack in which attackers launch automated login attempts against many accounts using username and password pairs taken from leaked password dumps.
“Because of insecure password habits (e.g., password reuse, using common words, etc.), a small number of optimizations — including leveraging lists of breached passwords and dictionaries of words that are frequently incorporated (yes, like ‘password’) — can dramatically improve an attacker’s likelihood of trying the correct password,” the researchers explain.
Auth0 shares the following findings:
- “In the first 90 days of 2021, credential stuffing accounted for 16.5% of attempted login traffic on its platform, with a peak of over 40% near the end of March — all of which Auth0 detected and prevented.
- “Travel & leisure and retail are the top two industries most affected by credential stuffing attacks.
- “The number of fraudulent registrations varies by industry vertical, but roughly 15% of all attempts to register a new account can be attributed to bots.
- “In the first 90 days of 2021, the Auth0 platform detected breached passwords at an average of more than 26,600 per day, with a minimum of just under 7,300 and a high on Feb. 9, 2021 exceeding 182,000.”
While multi-factor authentication (MFA) is an extremely effective layer of defense against these attacks, Auth0 also notes that attackers continue to attempt to bypass MFA measures.
“The most common attack vector is to apply brute force in an attempt to ‘guess’ the authentication code (i.e., the one-time password, or OTP) used in several MFA methods,” the researchers write. “In the first four months of 2021, Auth0 logged more than 87,000 attempts to brute force an OTP.”
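The two patterns described above, credential stuffing (one source spraying leaked credentials across many accounts) and OTP brute force (many wrong codes against one account), leave distinct traces in authentication logs. The following detection logic is an added example, not code from Auth0 or from the report; the event tuples, source addresses, thresholds and windows are constructed for illustration and would be tuned to a real platform's traffic.

```python
from collections import defaultdict

# Constructed sample auth events (not Auth0 data).
# Each tuple: (timestamp_seconds, source_ip, account, event)
# event is one of: "pw_fail", "pw_ok", "otp_fail", "otp_ok"
SAMPLE_EVENTS = [
    # credential stuffing: one source cycling through many accounts
    *[(t, "198.51.100.7", f"user{t}@example.com", "pw_fail") for t in range(40)],
    (40, "198.51.100.7", "user40@example.com", "pw_ok"),
    # OTP brute force: correct password, then many wrong one-time codes
    (100, "203.0.113.9", "victim@example.com", "pw_ok"),
    *[(101 + i, "203.0.113.9", "victim@example.com", "otp_fail") for i in range(25)],
    # benign user who mistyped a password once, then succeeded
    (200, "192.0.2.4", "alice@example.com", "pw_fail"),
    (205, "192.0.2.4", "alice@example.com", "pw_ok"),
    (208, "192.0.2.4", "alice@example.com", "otp_ok"),
]

def detect_credential_stuffing(events, window=300, min_accounts=20):
    """Flag sources whose password failures span many *distinct* accounts
    within `window` seconds. A user mistyping hits one account; a stuffing
    run sprays leaked credentials across many. Returns {source: accounts}."""
    by_src = defaultdict(list)
    for ts, src, acct, ev in events:
        if ev == "pw_fail":
            by_src[src].append((ts, acct))
    flagged = {}
    for src, fails in by_src.items():
        fails.sort()
        for i, (ts, _) in enumerate(fails):
            accts = {a for t, a in fails[i:] if t < ts + window}
            if len(accts) >= min_accounts:
                flagged[src] = len(accts)
                break
    return flagged

def detect_otp_brute_force(events, window=600, max_fails=10):
    """Flag accounts with more than `max_fails` wrong OTP submissions within
    `window` seconds. A legitimate user fails a code once or twice; guessing
    a 6-digit code needs far more attempts. Returns {account: failures}."""
    by_acct = defaultdict(list)
    for ts, _, acct, ev in events:
        if ev == "otp_fail":
            by_acct[acct].append(ts)
    flagged = {}
    for acct, times in by_acct.items():
        times.sort()
        for i, ts in enumerate(times):
            n = sum(1 for t in times[i:] if t < ts + window)
            if n > max_fails:
                flagged[acct] = n
                break
    return flagged
```

Either detector firing is a natural trigger for the response the report describes: step-up or lockout on the OTP side, and rate limiting plus a breached-password check on the stuffing side.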
New-school security awareness training can teach your employees to follow security best practices so they can avoid falling victim to these attacks.
Auth0 has the story.