Hackers are constantly scouring the Internet for their next target. One of their favorite things to attack is a vulnerable database server. That’s because such servers store all kinds of data that could be useful in future attacks. They’re after personal data like names, addresses… and passwords.
In a credential stuffing attack, a hacker loads up a database with as many usernames and passwords as he or she can get their hands on. Those login credentials are fed into an automated hacking tool that hammers away at a website. You can think of a hacker’s password database as a key ring. The more keys there are, the more likely it is that the attacker will find one that unlocks your account.
These attacks are much more common than you might think. According to Shape Security, around 90% of all login attempts on retail websites aren’t shoppers logging in with their own accounts. They’re the result of a credential stuffing attack.
Other kinds of sites are targeted, too. Airline sites come in second, where credential stuffing accounts for about 60% of logins. Just behind airlines are online banking sites at 58%. Rounding out the top four: hotels at 44%.
It’s easy enough to see why these are the preferred targets. The attackers are hoping to break into an account either to access payment card details or to make fraudulent purchases.
Shape Security says credential stuffing attacks can be effective as often as 3% of the time. It may not seem like a large number of successful logins, but that’s 30,000 wins for every million attempts. The report’s findings underscore why you need to choose complex passwords — and why you should never, ever re-use a password on multiple sites.
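For site operators, the pattern described above (one automated client trying many different usernames, with almost all attempts failing and a few succeeding) shows up in login logs. The following Python example is added here and is not from the original article or Shape Security's report; the log format, the function name `find_stuffing_sources` and the thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log (assumed format; addresses are documentation ranges).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:01Z ip=203.0.113.7 user=bob result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.7 user=dave result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.7 user=erin result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.7 user=frank result=OK
2024-05-01T10:05:10Z ip=198.51.100.20 user=gina result=FAIL
2024-05-01T10:05:25Z ip=198.51.100.20 user=gina result=FAIL
2024-05-01T10:05:41Z ip=198.51.100.20 user=gina result=OK
2024-05-01T10:07:00Z ip=192.0.2.44 user=admin result=FAIL
2024-05-01T10:07:01Z ip=192.0.2.44 user=admin result=FAIL
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)\b")

def find_stuffing_sources(log_text, min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that try many different accounts and mostly fail."""
    tried = defaultdict(set)      # ip -> usernames attempted
    opened = defaultdict(set)     # ip -> usernames that logged in successfully
    attempts = defaultdict(int)
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"].lower()
        tried[ip].add(user)
        attempts[ip] += 1
        if m["result"] == "FAIL":
            failures[ip] += 1
        else:
            opened[ip].add(user)
    flagged = {}
    for ip, total in attempts.items():
        ratio = failures[ip] / total
        # A forgetful user or a single guessed account has few distinct usernames.
        if len(tried[ip]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(tried[ip]), "fail_ratio": round(ratio, 2),
                           "accounts_to_reset": sorted(opened[ip])}
    return flagged

if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_LOG))
```

The `accounts_to_reset` list holds the logins that succeeded from a flagged source, which are the accounts most likely opened with a re-used password.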