Contributed by Shape Security
More than three billion credentials were reported stolen worldwide in 2016.
Over the past twelve months the number of reported stolen credentials has set an all-time record, with Yahoo in particular being responsible for the first- and second-largest reported credential spills in history.
Shape Security has a unique view into this activity. Since our technology protects the online applications of the world’s largest corporations in financial services, retail, travel, and other industries, as well as some of the largest government agencies in the world, the Shape network is able to observe the use of stolen credentials globally.
Shape has identified millions of instances of credentials from reported breaches being used in credential stuffing attacks on other websites, with up to a 2% success rate in taking over accounts on systems that did not report public data breaches. As a result, automated fraud losses from credential stuffing are in the billions of dollars worldwide, based on the value of accounts taken over. The most commonly targeted account systems include bank accounts, retail gift card accounts, and airline and hotel loyalty programs.
The theft of user credentials and their use in attacking other sites is now so widespread that it prompted the National Institute of Standards and Technology in December to recommend, in the Draft NIST Special Publication 800-63B Digital Identity Guidelines, that online account systems check their users’ passwords against known spilled credential lists, as companies such as Facebook are already doing. If the password chosen by a user appears on the list, NIST recommends that the user be informed that they should choose a different password since their chosen password is not considered secure.
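The spilled-password check that NIST recommends above, as an added example (not code from Shape Security or from the NIST guideline): the service keeps only digests of passwords from a known spill, so the plaintext list never sits next to the account database, and a newly chosen password is rejected with an explanation when its digest is on the list. The spill file format (`email:password` per line) and the sample entries are constructed assumptions.

```python
import hashlib

# Constructed sample of a spilled credential dump, one "email:password" pair per line.
# These are illustrative values, not data from any real breach.
SAMPLE_SPILL_LINES = [
    "alice@example.com:123456",
    "bob@example.com:password",
    "carol@example.com:Summer2016!",
    "malformed line without a separator",
    "dave@example.com:pa:ss:word",  # passwords may themselves contain ':'
]


def normalize(password: str) -> str:
    """Apply the same normalization the login form uses before hashing."""
    return password.strip()


def password_digest(password: str) -> str:
    """Digest used only for blocklist membership, not for credential storage."""
    return hashlib.sha256(normalize(password).encode("utf-8")).hexdigest()


def load_spilled_passwords(lines):
    """Yield the password field from each "email:password" line.

    Split on the first ':' only, so a password containing ':' survives intact;
    lines without a separator are skipped rather than treated as passwords.
    """
    for line in lines:
        if ":" not in line:
            continue
        _email, password = line.rstrip("\n").split(":", 1)
        if password:
            yield password


def build_blocklist(lines):
    """Build a set of digests; the plaintext spilled passwords are never retained."""
    return {password_digest(p) for p in load_spilled_passwords(lines)}


def check_password(candidate: str, blocklist) -> tuple:
    """Return (accepted, message) following the NIST 800-63B recommendation:
    a password found on a known spilled list is refused and the user is told
    to pick a different one."""
    if password_digest(candidate) in blocklist:
        return (False, "This password appears in a known data breach; choose a different password.")
    return (True, "Password accepted.")


BLOCKLIST = build_blocklist(SAMPLE_SPILL_LINES)
```

The same check applies at login as well as at registration, so existing users with an already-spilled password can be prompted to change it.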
Credential theft has now reached the point that every organization operating a publicly accessible web or mobile application should be aware of the implications to their business and investigate how to effectively protect their company and their users. This report features findings about the 3 billion credentials reported spilled in 2016, analysis of the scale of credential theft, and insights into how stolen credentials are used in attacks.