A new report from Auth0[1] has discovered that government institutions as well as travel and retail companies continue to face an inordinate amount of credential stuffing attacks.
Auth0, which was recently acquired by Okta for $6.5 billion[2], released startling statistics of what they are seeing in their State of Secure Identity[3] report.
In the first three months of 2021, Auth0 found that credential stuffing accounted for 16.5% of attempted login traffic on its platform, with a peak of over 40% near the end of March.
About 15% of all attempts to register a new account can be attributed to bots, according to Auth0, which found that for certain industries, the numbers are even higher.
The report also said that Auth0 maintains a constantly-growing database of username-password pairs that were known to be compromised in data breaches. For the first 90 days of 2021, the Auth0 platform detected an average of more than 26,600 breached passwords being used each day. On Feb. 9, the numbers reached a high for 2021 at more than 182,000.
Attackers will spend between $50 and $1,000 for validated credentials from credit card records, crypto accounts, social media accounts and even Netflix accounts, according to the report.
The most commonly detected threats on Auth0's platform include credential stuffing, fraudulent registrations, MFA bypass, and breached password usage.
Auth0's platform found that 39% of IP addresses associated with credential stuffing attacks are based in the US. The technology and travel industries account for more than 50% of all SQL injection attacks seen on the platform.
Travel and retail enterprises are targeted the most by brute attacks activities, followed by government institutions, industrial services companies and technology organizations. The technology industry faces the most MFA brute force attempts at 42% on