Hackers account for 90% of login attempts at online retailers

There have been at least 16 high-profile data breaches in the first half of 2018, but online retailers are being hit the hardest.

Selling stolen personal data is a big business for hackers. Somewhere on the dark web, your e-mail address and a few passwords are probably for sale. Cybercriminals buy troves of this information to try to login to websites where they can grab something valuable like cash, airline points, or merchandise.

A new study by cybersecurity firm Shape Security found that more than 90% of the login traffic of online retailers actually comes from hackers using stolen login data. Last year, 1.4 billion passwords were hacked, leaked, and dumped into an online document that circulated the information for hackers to reuse. And selling the information on the dark web is a business for online hackers.

According to Shape Security, online retailers are hit the most by these attacks. The airline and consumer banking industries are also under siege, with about 60% of login attempts coming from criminals.

Hackers are using programs to apply stolen data in a flood of login attempts called 'credential stuffing' to breach accounts. 51 data spills were reported last year with more than 2 billion credentials leaked.

Those who use the same combination of email address and password across multiple online services are likely to fall victim to this type of attack.

Consumers are advised to change their passwords regularly to avoid exposure.
According to Quartz, credential stuffing attacks are successful at least 3% of the time, which might sound like a small number, but the costs add up. Shape Security’s report found that these breaches can cost online business nearly $6 billion per year. And when consumer data is repeatedly targeted online, it can create a lack of trust in a company.