It’s that time again! SpyCloud’s 2021 Annual Credential Exposure Report is here, rounding up the data cybercriminals have shared over the last year and exploring what it means for enterprises and consumers.
Key findings include:
1.5 billion credentials recovered from 854 total breaches (up 33% from 2019), with an average breach size of 5.4M records
4.6B personally identifiable information (PII) assets collected, including 1.2B phone numbers, 70M account secret answers, and 1M bank account numbers
1.6M passwords collected in 2020 contained “2020”; 193,073 passwords included pandemic keywords (corona, virus, coronavirus, mask, covid, pandemic)
270k credentials containing .gov emails recovered from 465 breaches, with a password reuse rate of 87%
2020 wasn’t a typical year. The global COVID-19 pandemic forced a heightened awareness of ever-present threats, opened countless new doors for criminals, and sent the security community scrambling to catch up and make sense of it all. And yet, many things remained the same. According to our findings, rampant password reuse continues to be a problem, leaving enterprises and their customers at risk of account takeover (ATO).
Criminals wasted no time preying on our collective vulnerability in 2020. As early as March, there was an onslaught of activity that leveraged the coronavirus to manipulate users through various threat types, from phishing campaigns impersonating public health officials to scams promising immunity. And just as the virus fueled criminal activity, it also drove the fundamental shift to remote working. Practically overnight, many businesses had to rapidly change how employees used technology. As a result, initiatives that normally would have spanned years were implemented in haste, leaving weaknesses exposed. Meanwhile, users spent more time online, created more online accounts, and blended more boundaries between work, personal, and family online activity, expanding the criminal playing field.
Throughout this unusual time, SpyCloud’s researchers have been embedded in criminal networks, using human intelligence (HUMINT) to recover stolen data before it reaches a broader criminal audience or goes public. Because we collect data early in the breach lifecycle, we can help enterprises secure their employee and consumer accounts before the most dangerous forms of account takeover begin. As a result of this work, the data we’ve collected provides unique insight into breaches and botnet logs that have been released to criminal communities throughout the last year.
Check out the trends our researchers have observed below, and download the full 2021 Annual Credential Exposure Report for a deep dive into the 1.5 billion credentials and 4.6 billion PII assets our team has collected.
2020 Credential Exposure Trends
Retail fraud cut into margins
From ordering household necessities to splurging on retail therapy from online boutiques, the pandemic accelerated ecommerce to triple-digit percentage growth. Cybercriminals not only pounced on this sea change in consumerism, they also preyed on our collective vulnerability with COVID-19-related malware distribution scams promising virus cures and low-cost PPE.
In response to COVID restrictions, many brick-and-mortar retailers leaned heavily on buy-online-pickup-in-store (BOPIS) programs with great success. BOPIS saw a 62% year-over-year increase in activity from February 24 to March 21, 2020 alone. But for every good intention there is someone out there eager to exploit it; in recent years, BOPIS-related fraud has jumped 250%. The rise of BOPIS provides the perfect cover for criminals to monetize stolen accounts.
Over the last year, SpyCloud recovered nearly 1.5 billion credentials from the criminal underground — data that bad actors are actively using to take over users’ accounts and commit online fraud. Meanwhile, password reuse rates have not declined; SpyCloud observed a 60% password reuse rate for users with more than one password exposed in the last year, matching last year’s rate exactly.
Remote life blurred personal and professional boundaries
When the world shifted into lockdown mode, criminals were more than ready. The rest of us, not so much. Practically overnight, people were forced to work, learn, shop, socialize, and more online. This opened up a whole new set of security challenges for IT teams, many of whom lacked the experience, protocols and technologies to enable a remote workforce securely. For employees, the sudden shift to remote life has introduced new accounts to keep track of, and blurred the boundaries between work and personal browsing.
SpyCloud spotted evidence of remote work’s effects on security hygiene in a surprising place: botnet logs. Devices infected with credential-stealing malware can capture users’ every online move and send the data to attackers, who often share those logs with other criminals. Bad actors can use the stolen data to spoof victims’ devices, answer account security questions, bypass multi-factor authentication, and steal their identities, putting these users at exceptionally high risk of hard-to-detect account takeover and online fraud.
Last year, we noticed an uptick in the overlap between personal and corporate data collected in botnet logs, showing that people are increasingly using personal devices for work and corporate devices for play. This is bad news for corporate IT teams, who can monitor the security of employees’ work-managed devices but have no visibility into personal systems. If an employee logs into corporate resources using an infected device, attackers can easily access enterprise resources while evading detection.
Learn what to do about employees and consumers using malware-infected systems in our Infected User Response Guide.
“Superbreaches” give old data a facelift
In November, 23,600 hacked databases were leaked from a defunct “data breach index” called Cit0day, a popular service for leaked data (names, emails, usernames, addresses, and plaintext passwords) on the dark web. Much like the Collection Combolists that went public in 2019, Cit0day represents a compilation of many older breaches packaged together into a single “superbreach,” significant not because it exposes new data, but rather because of how much easier it makes it for criminals to use that stolen information for credential stuffing attacks.
The Cit0day leak included as many as 226 million usernames and passwords, although affected users have had a hard time finding enough information about how they were exposed to do anything about it. Several services could tell you that your credentials were compromised somewhere within the Cit0day breach, but couldn’t tell you which of the 23,600 databases your credentials were found in and, by extension, which exposed passwords you needed to change.
At SpyCloud, we matched the collection against our own database to understand the original sources of the breach data, deduplicate them, and make the data more actionable for our customers. As expected, much of the data was already included in our database. For the purposes of this report, we’ve counted them as a single breach.
This trend of repackaging old data into massive combolists and releasing them as newsworthy superbreaches will certainly continue, as the COMB combolist of early 2021 already demonstrated. For enterprises, the Cit0day breach and others like it serve as a reminder that stolen data sticks around and remains useful to cybercriminals for many years after the original breach.
Credential stuffing is the new data breach
Considering 2020’s unusual circumstances, it was perhaps inevitable that businesses would face heightened security threats. Zoom, Nintendo, Activision, The North Face and other brands made headlines as hundreds of thousands of consumers’ accounts landed in the hands of bad actors, exposing sensitive information such as purchase history, billing and shipping addresses, names, birthdays, telephone numbers, rewards point balances, and email addresses. However, despite the way many media outlets described the attacks, these weren’t traditional data breaches. Instead, they represent a growing trend of credential stuffing at scale being categorized as data breaches in mainstream media.
For enterprises, the distinction between whether consumer accounts have been accessed due to a breach of internal resources or via credential stuffing is critical. A breach results from a company’s failure to protect its assets and often has regulatory implications, whereas consumer account takeover is typically the result of consumers’ bad password hygiene. For consumers and media outlets, that distinction is becoming less important.
The transformation of credential stuffing’s media image raises the question: exactly how much responsibility do enterprises share for users’ password choices? Only time can tell whether changes in public perception will influence the way regulatory authorities handle consumer account takeovers. At a minimum, monitoring consumer logins for weak and stolen credentials serves as reputation mitigation, helping enterprises avoid ending up in the news for the wrong reasons.
All eyes on the supply chain
2020 ended with the revelation of the largest supply chain attack we’ve ever seen, affecting over 17,000 enterprises and government agencies. Attackers used SolarWinds’ update servers to deliver a trojan that FireEye researchers have dubbed SUNBURST, providing attackers with an entry point into the networks of major customers like the U.S. Department of Homeland Security, U.S. Treasury Department, and Microsoft. Some have estimated that recovery costs for affected customers will surpass $100 billion.
Poor password security played an important role in the attack. For starters, SolarWinds’ update servers were secured using a password format our data shows is all too common: solarwinds123. (A recent SpyCloud analysis of Fortune 1000 employee data revealed that 6 of the top 10 most popular Aerospace & Defense sector passwords include company names.) In addition, compromised credentials from multiple employees enabled attackers to access network resources and extend their foothold. Attackers also bypassed popular multi-factor authentication software, serving as a reminder that while MFA provides an important layer of account protection, it’s not foolproof.
The SolarWinds attack was by far the largest supply chain attack of 2020, but it certainly wasn’t the only one. Going forward, we expect criminals to continue to target the supply chain, and compromised credentials will surely come into play again.
Need a new password? Check the headlines!
After such a turbulent year, we wondered if users might have taken some inspiration from 2020 trends and events when creating their passwords. We checked last year’s recovered credentials for some popular words to find out how often they had appeared.
Sure enough, we found these keywords embedded within over 2 million passwords. Since this list isn’t limited to complete passwords, our imaginations have run wild wondering how people have used these terms in context and what sentiments they may have been expressing (‘sourdough4ever’ or ‘sourdoughsadness’?).
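As an added example (not SpyCloud's code or method), here is a check an enterprise could run when a password is set, rejecting the patterns described here and in the SolarWinds passage above: company names, the current year, and the pandemic keywords from the key findings. The function names, the substitution table, and every sample password other than solarwinds123 are constructed for illustration.

```python
import re

# Pandemic keywords listed in the report's key findings.
TRENDING = ("corona", "virus", "coronavirus", "mask", "covid", "pandemic")

# Common character substitutions undone before matching.
# Constructed for this example; not exhaustive.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(text):
    """Lowercase, undo common substitutions, and drop everything but letters."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def screen_password(password, context_words, years):
    """Return the reasons to reject a candidate password (empty list = passes).

    context_words: organization-specific terms (company or product names).
    years: years to reject, matched on the raw password because
           normalize() rewrites digits.
    """
    reasons = []
    folded = normalize(password)
    for word in context_words:
        needle = normalize(word)
        if needle and needle in folded:
            reasons.append(f"contains context word '{word}'")
    for word in TRENDING:
        if word in folded:
            reasons.append(f"contains trending keyword '{word}'")
    for year in years:
        if str(year) in password:
            reasons.append(f"contains year {year}")
    return reasons


if __name__ == "__main__":
    # Constructed candidates, except solarwinds123, which the page cites.
    for candidate in ("solarwinds123", "S0l@rW1nd5!", "C0v1d-2020!",
                      "plum-orbit-kettle-97"):
        print(candidate, "->", screen_password(candidate, ["SolarWinds"], [2020]) or "ok")
```

Substring matching after normalization is deliberately conservative and will also flag words such as "damask". It complements, rather than replaces, comparing candidates against known exposed passwords.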
Each year has its cybersecurity themes — in the past, criminals have taken advantage of natural disasters, election cycles, and economic turmoil. 2020 was a pandemic year, and it stands to reason that the trends of 2020 will continue to disrupt our lives in new, accelerating ways.
Coupled with high rates of password reuse, the 1.5 billion exposed credentials SpyCloud identified in 2020 represent significant account takeover risks for both consumers and enterprises. In order to trust the identities of their consumers, employees, and third parties, enterprises must build early detection and remediation of exposed credentials into their cybersecurity strategies.
Download the full 2021 Annual Credential Exposure Report to see the rest of our findings, including the top breaches of 2020, breach exposures tied to government credentials, and more year-over-year trends.