Skip to main content

Volume of credential spill incidents doubles as attacks become more sophisticated

password
(Image credit: Image source: Shutterstock/Ai825)

The number of incidents in which login details are leaked online, known as “credential spills”, has doubled in the past four years, according to a new report from cybersecurity firm F5.

While the volume of spilled credentials fell by almost half (46 percent) in the same period, with the average spill size also declining by 73 percent, the record in 2020 was particularly poor.

Last year, the median spill size was 2 million records, representing a 234 percent rise year-on-year and the highest figure since 2016 (2.75 million).

The report’s general conclusion is that companies are storing passwords in an insecure manner. Even though most businesses don’t disclose how they hash passwords, F5 claims an analysis of 90 specific incidents gave it a “sense of the most likely credential spill culprits”.

In the last three years, almost half of the incidents (42.6 percent) were the result of a lack of protection, with passwords being stored in plain text. In a fifth of cases (20 percent), password hashing algorithm SHA-1 was unsalted, while in 16.7 percent passwords were salted with the bcrypt algorithm.

The “widely discredited” hashing algorithm, MD5, accounted for a small proportion of spilled credentials even when the hashes were salted, F5 explains.

“Attackers have been collecting billions of credentials for years. Credential spills are like an oil spill, once leaked, they are very hard to clean up because credentials do not get changed by unassuming consumers, and credential stuffing solutions are yet to be widely adopted by enterprises," said Sara Boddy, Senior Director at F5 Labs.

"It is not surprising that during this period of research, we saw a shift in the number one attack type from HTTP attacks to credential stuffing. This attack type has a long-term impact on the security of applications and is not going to change any time soon."

“If you are worried about getting hacked, it’s most likely going to occur from a credential stuffing attack.”