"Credential Theft Attacks Doubled Between 2016 and 2020"

According to security researchers, the number of attacks resulting in large-scale credential theft has almost doubled over the past four years, although the volume of breached login pairs declined. The average breach volumes declined from 63 million records in 2016 to 17 million in 2020, but poor security practices is driving downstream risk exposure. The researchers found that plaintext storage of passwords was responsible for the most significant number of spilled credentials (43%), followed by unsalted SHA-1 hashed passwords (20%). At the same time, discredited hashing algorithm MD5 remains surprisingly common. Organizations are also poor at detecting breach attempts. The researchers found that the median time to discovering a credential spill between 2018 and 2020 was 120 days, while the average time to discovery was 327 days. Over 60% of the 100 billion credential stuffing attacks detected over the previous two years were targeted at retail, travel, and hospitality businesses, with retail accounting for over 90% of these.

Infosecurity reports: "Credential Theft Attacks Doubled Between 2016 and 2020"