In fact, according to the report, between May and December of 2018, there were approximately 28 billion credential stuffing attempts made. One of the web’s largest retail sites suffered over 115 million bot-driven login attempts in a single day.
A spokesman for Akamai had this to say about the report:
“The insidious AIO (all-in-one) bots hackers deploy which are multi-function tools that enable quick purchases by leveraging credential stuffing and a number of evasion techniques, allowing a single AIO bot to have the ability to target more than 120 retailers at once.
A successful AIO campaign may go completely undetected by a retailer, which might see the online sales and record-setting transactions as proof its product is in demand. They’ll have little to no indication that its inventory clearing was automated and used to fuel a secondary market or scrape information from its customers.”
In most cases, the damage caused by credential stuffing attacks is limited. Customers whose accounts are compromised may find that they lose points or perks, and that unauthorized charges are made on their accounts. In some cases, a credential stuffing attack could lead to an attacker gaining a foothold inside your corporate network. Also, large and pervasive attacks could strain web resources and have (on more than one occasion) crashed a web server.
Even in cases where your business isn’t directly impacted, an attack on your customers’ accounts is still an attack on you. Unfortunately, with so many stolen credentials available on the Dark Web, it’s a notoriously difficult problem to come to grips with. The best thing you can do is remain vigilant and maintain excellent communications with the customers you serve.