Millions Lost Due to Credential Stuffing

Aberdeen Report reveals that 76 percent of B2C companies are affected by credential stuffing attacks

Jul 29, 2022 4:10:00 PM - 2 min.

Zurich, July 2022 – With the help of leaked password databases, cybercriminals are repeatedly able to take control of user accounts. They do this using highly automated tools that can run millions of combinations of user names and passwords in a matter of minutes. Consequently, just one of these credential-stuffing attacks can involve thousands of victims. For companies with a strong online focus, these types of account takeovers have become a financial business risk – as revealed in the latest quantitative analysis from the strategy consultants at Aberdeen.

For its report, Aberdeen concentrated on ten selected B2C categories in the EMEA region: first of all, business banks, credit unions, savings institutions and financial technology, and also property and accident insurers as well as consumer electronics, networks of healthcare providers, online gambling, telecommunications and energy suppliers. The investigation revealed just how widespread credential-stuffing attacks are at present, with 76 percent of respondents stating that some of their online users had fallen victim to successful account takeovers in the last twelve months.

Once they have gained access to a user account, criminals can exploit it for all sorts of purposes. Based on Aberdeen’s findings, this results primarily in fraudulent transactions (39 percent), the creation of new accounts (34 percent) as well as incorrect rejections of card payments (34 percent). Other typical consequences of account takeovers include debit reversals (18 percent), the transfer of money or other fungible assets (11 percent), fraudulent purchases (11 percent) as well as the theft of digital content and services (11 percent).

Cyberattacks hurt profitability

In addition to these direct consequences, there are other indirect consequences – such as a drop in the number of active users, who are either deterred by stricter security measures or switch to competitors. Consequently, the costs of successful cyberattacks can quickly run up significant sums that cannot simply be written off as inevitable ‘costs of doing business’. In all ten sectors investigated, the consequences of account takeovers exceeded ten percent of annual profits – putting them above the business threshold of financial materiality.

Aberdeen also examined the question as to how companies are trying to protect themselves against the growing number of credential-stuffing attacks. This revealed an increasing move away from username/password model towards multi-factor authentication solutions. For instance, 42 percent of companies surveyed currently use mobile apps for multi-factor authentication – although only 24 percent of them endorsed the introduction of these systems in the future. On the other hand, participants in the study see strong potential for innovation in passwordless approaches, which are both user-friendly and cost-efficient for the providers. And while just 20 percent have so far introduced passwordless (adaptive, context-based, transparent) processes, as many as 46 percent plan to do so in future.

Credential stuffing remains popular with criminals

For attackers, credential stuffing is currently an attractive method in several respects. Firstly, lists of login information that have been released to the public as a result of data breaches or hacks are easily purchased on the darknet. Secondly, all business relationships based on digital accounts require digital login information. Unless additional security measures are taken, this information is vulnerable to brute-force attacks such as credential stuffing. Thirdly, the attacks are easy to automate. The perpetrators do not even need programming skills but can simply rent the necessary programs on the darknet based on the software-as-a-service principle.

This lucrative business model is only likely to disappear if most companies switch their user accounts to secure processes such as multi-factor authentication and, especially, passwordless authentication.



About Nevis

Nevis develops security solutions for the digital world of tomorrow. Its portfolio encompasses passwordless logins, which are intuitive to use and offer optimal protection for user data. Nevis is the market leader for Identity and Access Management in Switzerland and secures over 80 percent of all online banking transactions. Public authorities, leading service providers, and industrial enterprises worldwide rely on Nevis solutions. The authentication specialist has locations in Switzerland, Germany, and Hungary. 

Press Contact

LEWIS Communications GmbH
Ingo Geisler,

Download now