Akamai: Credential Stuffing’s Growing, Becoming More Lucrative


Credential stuffing is becoming increasingly popular and increasingly lucrative for attackers as well, according to Ritika Tandon, solutions engineering manager at Akamai.

This problem has been around 6-7 years, “but it is gaining a lot of momentum,” she said July 25 during a session called “Credential Stuffing: Attacks and Economies” at the Content Protection Summit East event, part of the Media & Entertainment (M&E) Day at the Microsoft Conference Center.

Credential stuffing is “surging in popularity” because of the increased number of data breaches in which “huge lists” of consumer data are made readily “available out there that just make it so much more lucrative for the attackers,” she said. Attackers now stand to make 10 times the cost of the credentials they have, she pointed out.

Stressing the huge scale of one recent data breach, she singled out just one recent collection including 773 million records that were listed online. What was especially interesting and what “boggled my mind was that only 21 million of these passwords were unique,” she said. That’s “not even the tip of the iceberg,” she told attendees, noting it indicates “there is a lot of information about us available out there to our attackers.”

In 2018 alone, Akamai saw about 30 billion credential stuffing attempts, she said. On three of those days, the attempts peaked at about 250 million log-in attempts, and a couple of them were within just days of each other, she told attendees.

Media is now the primary targeted industry for credential stuffing, she went on to say. That includes game companies. Media companies are the perfect targets for cyber theft, according to Akamai.

One reason for the popularity of media companies may be that it’s less expensive for attackers to target them than other types of organizations, such as those within the financial services sector, for example, the company said recently, pointing to the fact that most banks today tend to have anti-automation protection against account takeover, so it’s becoming more expensive for an attacker to target that industry than media.

At the same time, a lot of money can be made from selling subscriber details from streaming services such as Netflix, according to Akamai.

The U.S. and Canada are the top two targeted countries for credential stuffing and the attacks tend to originate most often the U.S., Russia and Canada, Tandon noted.

Steps that organizations and individuals can take to decrease their risk include using password managers, she also said during the session.

The 2019 M&E Day, which also included Smart Content Summit East conference tracks, was produced by the Media & Entertainment Services Alliance (MESA), in association with the Content Delivery & Security Association (CDSA), the Hollywood IT Society (HITS) and the Smart Content Council, and was presented by Microsoft, with sponsorship by Akamai, BTI Studios, Independent Security Evaluators, LiveTiles, MarkLogic, RSG Media, ThinkAnalytics, Amazon Web Services, the Entertainment ID Registry (EIDR), the Trusted Partner Network (TPN) and Richey May Technology Solutions.

Click here to download audio of the Akamai presentation. Click here to download the slide deck.