Travel and retail industries facing wave of credential stuffing attacks

Auth0 said that in the first 90 days of 2021, their platform detected breached passwords being used at an average of more than 26,600 per day.

A new report from Auth0 has discovered that government institutions as well as travel and retail companies continue to face an inordinate amount of credential stuffing attacks. 

Auth0, which was recently acquired by Okta for $6.5 billion, released startling statistics of what they are seeing in their State of Secure Identity report.

In the first three months of 2021, Auth0 found that credential stuffing accounted for 16.5% of attempted login traffic on its platform, with a peak of over 40% near the end of March. 

About 15% of all attempts to register a new account can be attributed to bots, according to Auth0, which found that for certain industries, the numbers are even higher. 

The report also said that Auth0 maintains a constantly-growing database of username-password pairs that were known to be compromised in data breaches. For the first 90 days of 2021, the Auth0 platform detected an average of more than 26,600 breached passwords being used each day. On Feb. 9, the numbers reached a high for 2021 at more than 182,000.

Attackers will spend between $50 and $1,000 for validated credentials from credit card records, crypto accounts, social media accounts and even Netflix accounts, according to the report. 

The most commonly detected threats on Auth0's platform include credential stuffing, fraudulent registrations, MFA bypass, and breached password usage. 

Auth0's platform found that 39% of IP addresses associated with credential stuffing attacks are based in the US. The technology and travel industries account for more than 50% of all SQL injection attacks seen on the platform. 

Travel and retail enterprises are targeted the most by brute attacks activities, followed by government institutions, industrial services companies and technology organizations. The technology industry faces the most MFA brute force attempts at 42% on Auth0's platform, followed by consumer goods at 15% and financial services at 13%.

Auth0 noted that attackers often target rewards programs offered by restaurants or stores because "they are rarely secured well and the benefits are easily monetized."

Companies in the financial services industry lead the way in MFA adoption, followed by technology and industrial services, according to the report. While most people choose email or SMS as their MFA factor, many use time-based one-time passcodes as well. 

Many organizations in the technology, financial services and industrial services industries are also using bot detection programs as a way to slow down or limit credential stuffing attacks. 

Duncan Godfrey, vice president of security engineering at Auth0, said it is becoming harder and harder for security companies to secure their customers' identities because of the widespread failure to protect data and the prevalence of breached passwords. 

The availability of automated attack tools has made the humble password "a protective measure from the past," Godfrey explained.

Multiple breaches and cyberattacks in the last month originated from reused passwords or account details that had been leaked in previous attacks.