It’s OK to Cry Over Spilled Credentials


From a young age, we are taught not to cry over spilled milk. We inevitably come to learn that this adage is generally intended to have a broader application than dairy beverages, and also learn that crying is sometimes an acceptable response so long as it is followed by corrective action. It follows that spilled credentials may warrant some tears, but a recent study by Shape Security suggests that there currently is no comprehensive solution to address this problem. We are not suggesting that tears over a credential spill will suffice. Indeed, Shape provides an overview of what regulators and standard bearers are doing to address this widespread problem.

Credential spilling occurs when a data breach results in the harvest of credentials (i.e. username and password combinations), which are, as Shape calls them, “the keys to the internet kingdom,” and the harvested credentials are later used to access other websites and mobile apps. Shape’s report studies “how criminals stole, weaponized and resold those credentials and how they turned compromised accounts into profits.” Of course, profits for the criminals stealing these credentials equate to liabilities for the targets of the theft. This is Shape Security’s second annual credential spilling report, and it states that its data is aggregated from all but two of the credential spills reported by the media in 2017. Shape is well-positioned to provide this perspective given its business of protecting its customers from credential stuffing; those customers include “huge swaths of US industries, including 60% of airlines, 40% of hotels, and 40% of consumer banking.”

One of the most shocking statistics highlighted in Shape’s report is the high proportion of login traffic that consists of credential stuffing attacks. Shape reports that 91% of login traffic in the retail industry is attributable to credential stuffing attacks. The airline, consumer banking, and hotel industries follow retail as the industries most prominently targeted by credential stuffing attacks. And, despite the frequency of credential spilling and stuffing, Shape’s report paints a relatively bleak picture of the regulatory landscape addressing what seems to be a problem impacting well-heeled companies across industries that should be on the cutting edge of cybersecurity.

Beyond providing a shocking view of the prevalence of credential spilling and stuffing, the report also illustrates how a data breach propagates outward and damages more than just the target companies themselves. As the report explains, after credentials are harvested, the damage continues to flow downstream both to the consumers whose credentials were stolen and to the other entities that are subsequently subjected to credential stuffing. In short, the damage does not end when the initial data breach is identified and cured; it has a much longer and more opaque tail that continues to haunt the breach victims, and the people and entities associated with them, for years afterwards.