Although the total volume of spilled credentials has decreased, the size of midsize incidents is growing considerably, with 2 million records affected in each in 2021. F5 warns that the exploitation of leaked data through credential stuffing is a global problem.
Credential spills, security incidents in which a combination of username and/or email address and password leaks, doubled over the 2016-2020 period. According to the F5 Credential Stuffing Report, although the total volume of credentials spilled in that period fell by 46%, amounting to 17 million in 2020, the size of medium-sized incidents is growing: in 2020, 2 million records were affected in each of them, 234% more than in 2019.
The exploitation of leaked data, known in practice as credential stuffing, has already become a global problem. “If you’re being hacked right now, it’s most likely due to a credential stuffing attack,”
Experts say that “credential spills are like an oil spill, once they occur, they are very difficult to clean up because users do not change their data and passwords and companies have not yet massively adopted solutions that prevent credential stuffing. This type of attack has a long-term impact on application security, so it is not uncommon for it to have outperformed HTTP attacks in the period studied”.
According to the report, poor password storage remains one of the most recurrent problems. In 42.6% of the credential spills of the last three years, passwords were stored in plain text with no protection at all. In 20% of cases, passwords hashed with the SHA-1 algorithm lacked a salt, the unique per-user value appended to the password so that identical passwords produce different hash values.
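To make the two weak storage patterns from the report concrete, here is an added example (not F5's code, nor taken from the report) built on Python's standard library with a constructed three-user credential store. It shows that unsalted SHA-1 lets an auditor (or an attacker) spot users who share a password by hash alone, that a per-user salt removes that signal, and what a salted, deliberately slow KDF record looks like instead.

```python
import hashlib
import hmac
import os

# Constructed sample store (not real leaked data): alice and bob reuse the same password.
USERS = {"alice": "Summer2020!", "bob": "Summer2020!", "carol": "correct horse battery"}


def sha1_unsalted(password: str) -> str:
    """The weak scheme the report describes: SHA-1 over the bare password."""
    return hashlib.sha1(password.encode()).hexdigest()


def sha1_salted(password: str, salt: bytes) -> str:
    """SHA-1 with a per-user salt appended; hides reuse, but SHA-1 is still far too fast."""
    return hashlib.sha1(password.encode() + salt).hexdigest()


def pbkdf2_record(password: str, salt: bytes, iterations: int = 600_000) -> dict:
    """What a stored record should look like: salted, iterated PBKDF2-HMAC-SHA256."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_pbkdf2(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def users_sharing_a_hash(store: dict) -> int:
    """How many users' stored hashes collide with another user's (0 is what you want)."""
    counts: dict = {}
    for h in store.values():
        counts[h] = counts.get(h, 0) + 1
    return sum(n for n in counts.values() if n > 1)


def build_stores() -> tuple:
    """Return (unsalted SHA-1 store, salted SHA-1 store) for the constructed users."""
    unsalted = {u: sha1_unsalted(p) for u, p in USERS.items()}
    salted = {u: sha1_salted(p, os.urandom(16)) for u, p in USERS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_stores()
    print("unsalted SHA-1: users sharing a hash =", users_sharing_a_hash(unsalted))  # 2
    print("salted SHA-1:   users sharing a hash =", users_sharing_a_hash(salted))    # 0
    rec = pbkdf2_record("Summer2020!", os.urandom(16))
    print("PBKDF2 verify:", verify_pbkdf2("Summer2020!", rec), verify_pbkdf2("wrong", rec))
```

Running an audit like `users_sharing_a_hash` against your own password table is a quick way to confirm whether you are in the unsalted 20% before a spill tells you.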
Another observation in the report is the detected increase in fuzzing techniques aimed at improving the success rate when exploiting stolen credentials. Fuzzing here is the process of repeatedly testing a target with modified inputs in order to find what it accepts. F5 found that most fuzzing attacks occur before the compromised credentials are published, which suggests it is a common practice among more sophisticated attackers.
Whereas in 2018 a credential spill took an average of 15 months to become public, that period has now dropped to 11 months. The average time to detect an incident of this type is 120 days. F5 notes that a company's announcement of a spill often coincides with the appearance of the stolen credentials on Dark Web forums.