Credential stuffing costs rising to $28.5m per organisation: study.

Research by Ponemon Institute and Akamai reveals monetary cost of cyber fraud for organisations in Asia-Pacific

APAC-wide research that set out to quantify what it costs companies in the region to prevent, detect and remediate credential stuffing attacks suggests that the cost can range from $284,649 if 1% of all compromised accounts result in monetary loss, to an average of $28.5m if all compromised accounts result in monetary loss.

The study, ‘The Cost of Credential Stuffing: Asia Pacific’ by Ponemon Institute and sponsored by Akamai Technologies, surveyed 538 IT security practitioners familiar with credential stuffing attacks from a range of industries including financial services, retail/e-commerce, travel/hospitality, and media.

Credential stuffing usually results from fraudsters purchasing lists of stolen credentials on the Dark Web, such as user IDs and passwords, and using a botnet to validate those lists against an organisation’s login page. The end result typically is an account takeover in which fraudsters then use the stolen validated credentials to commit fraud: fraudulent purchases, fraudulent financial transactions, and the stealing of additional confidential information.
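The pattern described above, a botnet cycling through a purchased credential list against one login page, leaves a recognisable trace in authentication logs: a single source trying many different usernames with a high failure rate, with the occasional success marking a credential that has just been validated. The following is an added example, not code from the article or from Ponemon or Akamai. It assumes a simple constructed log format (`timestamp source_ip username LOGIN_OK|LOGIN_FAIL`) and illustrative thresholds; the sample log lines and all names and IP addresses are constructed for the demonstration.

```python
"""Credential-stuffing detection heuristic over constructed login logs.

Added example (not from the article or the Ponemon/Akamai study). Log format,
thresholds, IP addresses and usernames are all assumptions made for this demo.
"""
from collections import defaultdict
from dataclasses import dataclass, field

MIN_DISTINCT_USERS = 5   # assumption: one source trying this many accounts is suspicious
MIN_FAILURE_RATIO = 0.5  # assumption: stuffing lists mostly fail, so failures dominate

# Constructed sample log: 203.0.113.7 behaves like a stuffing bot (many accounts,
# mostly failures, two "validated" hits), 198.51.100.22 is a user mistyping a
# password, 192.0.2.44 is a single clean login.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice LOGIN_FAIL
2024-05-01T10:00:01Z 203.0.113.7 bob LOGIN_FAIL
2024-05-01T10:00:02Z 203.0.113.7 carol LOGIN_OK
2024-05-01T10:00:02Z 203.0.113.7 dave LOGIN_FAIL
2024-05-01T10:00:03Z 203.0.113.7 erin LOGIN_FAIL
2024-05-01T10:00:03Z 203.0.113.7 frank LOGIN_FAIL
2024-05-01T10:00:04Z 203.0.113.7 grace LOGIN_FAIL
2024-05-01T10:00:04Z 203.0.113.7 heidi LOGIN_FAIL
2024-05-01T10:00:05Z 203.0.113.7 ivan LOGIN_FAIL
2024-05-01T10:00:05Z 203.0.113.7 judy LOGIN_OK
2024-05-01T10:01:00Z 198.51.100.22 mallory LOGIN_FAIL
2024-05-01T10:01:05Z 198.51.100.22 mallory LOGIN_FAIL
2024-05-01T10:01:09Z 198.51.100.22 mallory LOGIN_OK
2024-05-01T10:02:00Z 192.0.2.44 oscar LOGIN_OK
this line is malformed and must be skipped
"""


@dataclass
class SourceStats:
    """Per-source-IP login statistics."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)            # distinct usernames tried
    succeeded_users: set = field(default_factory=set)  # usernames with a LOGIN_OK

    @property
    def failure_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_line(line: str):
    """Return (ip, username, succeeded) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4 or parts[3] not in ("LOGIN_OK", "LOGIN_FAIL"):
        return None
    _ts, ip, user, result = parts
    return ip, user, result == "LOGIN_OK"


def analyze(log_text: str) -> dict:
    """Aggregate attempts, failures and distinct usernames per source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # tolerate noise instead of aborting the whole run
        ip, user, ok = parsed
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.succeeded_users.add(user)
        else:
            s.failures += 1
    return dict(stats)


def flag_stuffing_sources(stats: dict, min_users=MIN_DISTINCT_USERS,
                          min_ratio=MIN_FAILURE_RATIO) -> list:
    """Sources that tried many distinct accounts and mostly failed."""
    return sorted(ip for ip, s in stats.items()
                  if len(s.users) >= min_users and s.failure_ratio >= min_ratio)


def at_risk_accounts(stats: dict, flagged_ips) -> set:
    """Accounts a flagged source logged into: these credentials are now validated
    and are candidates for forced reset and step-up authentication."""
    accounts = set()
    for ip in flagged_ips:
        accounts |= stats[ip].succeeded_users
    return accounts


if __name__ == "__main__":
    stats = analyze(SAMPLE_LOG)
    flagged = flag_stuffing_sources(stats)
    for ip in flagged:
        s = stats[ip]
        print(f"{ip}: {s.attempts} attempts, {len(s.users)} accounts, "
              f"failure ratio {s.failure_ratio:.2f}")
    print("accounts to reset / step-up:", sorted(at_risk_accounts(stats, flagged)))
```

The point of separating `flag_stuffing_sources` from `at_risk_accounts` is that the response differs: the source gets rate-limited or challenged, while the accounts it successfully logged into are the ones whose credentials have been confirmed valid and need a password reset before the account-takeover stage the article describes. Real deployments would key on more than source IP (the article notes a botnet is used, so a single IP is rarely the whole picture) and would tune thresholds to their own traffic.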

Respondents to the ‘Cost of Credential Stuffing’ study said these attacks cause costly application downtime, loss of customers and involvement of IT security staff, at an average annual cost of $1.2m, $1.5m and $1.1m respectively.

“The 2016 Yahoo breaches are examples of how serious the threat of credential stuffing is. The Yahoo breaches involved a total of 1.5bn credentials spilled to the Internet, protected by the weak MD5 hashing algorithm,” Akamai said in a statement. “The thefts took place in 2012 and 2013, giving the criminals up to four years to crack weak protection.”

The sampling frame for the study was composed of 15,365 IT security practitioners who are familiar with credential stuffing attacks and responsible for the security of their companies’ websites. A total of 591 respondents completed the survey, of which 53 surveys were removed by screening and reliability checks. The final sample consisted of 538 surveys.