Credential spills have doubled in the last four years

'Credential spills are like an oil spill: once leaked, they are very hard to clean up'

A new report by cyber security firm F5 Labs reveals that the number of credential spill incidents nearly doubled between 2016 and 2020 - although the average spill size shrank, from 63 million records in 2016 to 17 million records in 2020.

A credential spill is a cyber-incident in which a set of username or email address and password pairs is leaked online. Because many people reuse the same password across services, attackers then replay the stolen pairs against other websites with automated tooling (credential stuffing); every pair that matches an existing account hands them access to it for malicious purposes.

'Credential spills are like an oil spill: once leaked, they are very hard to clean up because credentials do not get changed by unassuming consumers,' says Sara Boddy, senior director of F5 Labs.

Boddy believes that this attack type will continue to have a long-term impact on the security of applications.

According to F5, cyber security best practice awareness has improved in recent years, although poor password security remains a big concern for the industry.

In the last three years, in about 42 per cent of spill incidents the passwords had been stored in plain text. In 20 per cent of incidents they were stored as unsalted SHA-1 hashes (a salt is a unique random value combined with each password before hashing, so that two users with the same password get different hashes and an attacker cannot crack every account with one precomputed table), while in about 17 per cent of incidents passwords had been hashed with bcrypt, which salts each password and is deliberately slow to compute.

The MD5 hashing algorithm, which has long been known to be weak, accounted for only a small share of spilled credentials (0.4 per cent), even counting salted MD5 hashes.
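The difference between the storage formats in the figures above is what decides how much of a spill becomes usable account access. The following added example (not code from the F5 report) puts a constructed three-user table through both schemes: unsalted SHA-1, where one lookup table built from a wordlist cracks every matching account at once, and a salted, deliberately slow hash, where each account needs its own pass over the wordlist. It uses `hashlib.pbkdf2_hmac` from the standard library as a stand-in for bcrypt, which is not in the standard library; the per-password random salt and the slow work function are the properties being shown, and the iteration count is an assumption chosen for illustration.

```python
"""Unsalted SHA-1 vs a salted slow hash for password storage (added example).

pbkdf2_hmac is used here as a standard-library stand-in for bcrypt; the
property being demonstrated (per-password salt + slow work factor) is the same.
"""
import hashlib
import hmac
import os

# Constructed "spilled" user table: alice and bob chose the same common password.
USERS = {
    "alice": "Summer2020",
    "bob": "Summer2020",
    "carol": "correct horse battery staple",
}
# Constructed wordlist an attacker would try against the spill.
WORDLIST = ["123456", "password", "Summer2020", "qwerty"]

# Work factor for the salted scheme (assumed value; bcrypt tunes this via its cost).
ITERATIONS = 100_000


def sha1_unsalted(password: str) -> str:
    """The weak scheme: fast, unsalted, identical passwords give identical hashes."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(hashes: dict, wordlist) -> dict:
    """One table of len(wordlist) hashes is enough to crack every account at once."""
    table = {sha1_unsalted(w): w for w in wordlist}
    return {user: table[h] for user, h in hashes.items() if h in table}


def slow_salted_hash(password: str, salt: bytes = None) -> str:
    """The strong scheme: random 16-byte salt, slow derivation, self-describing record."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored: dict, wordlist) -> dict:
    """No shared table is possible: every (account, guess) pair costs ITERATIONS
    hash computations, so the attacker's cost scales with accounts x wordlist."""
    found = {}
    for user, record in stored.items():
        for guess in wordlist:
            if verify_salted(guess, record):
                found[user] = guess
                break
    return found


if __name__ == "__main__":
    unsalted = {u: sha1_unsalted(p) for u, p in USERS.items()}
    salted = {u: slow_salted_hash(p) for u, p in USERS.items()}
    print("same password, same SHA-1 hash:", unsalted["alice"] == unsalted["bob"])
    print("same password, same salted hash:", salted["alice"] == salted["bob"])
    print("cracked from unsalted SHA-1:", crack_unsalted(unsalted, WORDLIST))
    print("cracked from salted slow hash:", crack_salted(salted, WORDLIST))
```

Both schemes give up the two accounts that used a wordlist password; the difference is the price. Against the unsalted table the attacker computes four SHA-1 hashes and is done with all three accounts; against the salted table every guess against every account costs a full slow derivation, and the work cannot be shared between accounts. In a real deployment use bcrypt, scrypt or Argon2 through a maintained library rather than hand-rolled PBKDF2, and treat any plaintext or unsalted fast-hash store in an inventory as a spill waiting to happen.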

Organisations are also struggling to detect intrusions and data exfiltration. Between 2018 and 2020 the average time to discover a credential spill was about 11 months (327 days); in 2018 alone the average was 15 months.

Moreover, data breaches are often detected on the dark web before organisations disclose them.

In 2019, the State of the Internet / Security report by content delivery giant Akamai revealed that cyber criminals launched around 3.5 billion credential stuffing attempts during the 18-month period from November 2017 to April 2019, with the financial sector a particular target.

Akamai said 94 per cent of the attacks against financial institutions were carried out using just four techniques: SQL injection; OGNL injection (a Java expression-language injection); cross-site scripting (XSS); and local file inclusion.

The attackers also resorted to DDoS attacks against financial services in about 800 incidents, either alongside the exploitation of a web application flaw or as a distraction while credential stuffing attacks were carried out.