Security Market Segment LS
Tuesday, 24 January 2017 12:09

More than three billion credential spills in 2016 – 2% success rate in exploits


A 2% success rate of credential breaches equals 60 million successful logins and countless collateral damage in emptying bank accounts, ID theft, ordering goods and services, and advancing other illicit criminal activities. It is called credential stuffing.

In 2011, while serving as deputy assistant secretary of defence at the Pentagon, Shape Security co-founder Sumit Agarwal observed a rising trend in the volume and complexity of automated attacks on Web and mobile applications. At that time, he coined the term “credential stuffing” to describe the use of automation to test usernames and passwords stolen from one site on other sites with the intent of taking over a large set of accounts en masse.

This new type of threat exploited not an accidental vulnerability in an application, but rather its correctly implemented functionality: the login form where anyone could enter the right credentials to access an account and its data and privileges. Protecting online services from this threat was the impetus for starting Shape Security with co-founders Derek Smith and Justin Call. Shape also attracted as its chief technology officer Google’s former click fraud czar, Shuman Ghosemajumder.

Shape analyses more than one billion high-value transactions per week — primarily login requests — to detect and protect against credential stuffing and other attacks and has been able to observe the global automated use of stolen credentials. It has just released its 32-page, 2017 Credential Spill Report (registration required for a free report) and iTWire has summarised the most salient points.

2016 credential spills: 3.3 billion plus reported – the top 10 were:

  • Yahoo - 1,000,000,000 14/12/2016
  • Yahoo - 500,000,000 22/9/2016
  • Friend Finder - 412,214,295 13/11/2016
  • MySpace - 359,420,698 31/5/2016
  • Badoo - 127,343,437 2/6/2016
  • LinkedIn - 117,000,000 18/5/2016
  • VK 100,544,934 5/6/2016
  • Rambler.Ru - 98,167,935 5/9/2016
  • Dropbox - 68,680,741 30/8/2016
  • Tumblr - 65,469,298 12/5/2016

Technology websites had the most stolen credentials followed by social media and adult sites.

Credential stuffing: the use of stolen logins and passwords on other sites has up to a 2% success rate as the same login and password are frequently used on multiple sites.

Most companies have limited or no visibility into, or are unaware of, the volume of automated login traffic from credential stuffing attacks. These attacks appear as legitimate requests to the security controls in place on most applications – brute force techniques that would be blocked are not used. When the simulation of this behaviour is fully automated, credential stuffing attacks can achieve great scale and efficiency.

In fact, Shape observed that 90% of login requests on many of the world’s largest Web and mobile applications are coming from credential stuffing. Forgetting cyber crime for a minute, imagine the heavy load that automated traffic places on major websites, taxing infrastructure and adding login latency for real users.

But worse still Shape is seeing up to a 2% success rate – over 60 million successful logins on other sites.

Ongoing use of credential spills

Successful logins are quickly sold on the dark Web, and broadly resold and exploited. Cyber criminals buy lists, rent botnets, use sophisticated tools to bypass CAPTCHAs etc., and sit back and wait for success.

“A breach anywhere is a breach everywhere,” said Ghosemajumder. He says that while for example Yahoo! may reset all users passwords, other sites using the same login and password are still at risk.

They are also used for fake account creation, extortion, or money laundering, none of which may be evident to the owner.


Shape says 2016 was the tip of the iceberg – credential spills will continue as cyber criminals continue to exploit security vulnerabilities to steal credentials and sell them on the dark Web.

It says as additional cyber criminals discover how easy both the theft of credentials and the execution of credential stuffing attacks are, it increases both supply and demand for stolen credentials and makes it likely that the pace of credential spills will increase in the coming years.

Subscribe to ITWIRE UPDATE Newsletter here


The much awaited iTWire Shop is now open to our readers.

Visit the iTWire Shop, a leading destination for stylish accessories, gear & gadgets, lifestyle products and everyday portable office essentials, drones, zoom lenses for smartphones, software and online training.

PLUS Big Brands include: Apple, Lenovo, LG, Samsung, Sennheiser and many more.

Products available for any country.

We hope you enjoy and find value in the much anticipated iTWire Shop.



iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.


Ray Shaw

joomla stats

Ray Shaw  has a passion for IT ever since building his first computer in 1980. He is a qualified journalist, hosted a consumer IT based radio program on ABC radio for 10 years, has developed world leading software for the events industry and is smart enough to no longer own a retail computer store!

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News