Company M: a Case Study Demonstrating AllCreds' Effectiveness in Combating Credential Stuffing Attacks
myNetWatchman analyzed the 48 million credentials and 533,000 successful account takeovers from a large-scale credential stuffing attack against our repository of over 30 billion compromised credential pairs. This analysis was performed after the fact, but had myNetWatchman’s AllCreds service been applied proactively, 91 percent of the account takeovers could have been stopped, because they used credential pairs we had previously identified as compromised.

In this comprehensive case study, myNetWatchman analyzed data from a client credential stuffing attack that spanned four months and used nearly 48 million compromised credential pairs. This large-scale attack took place in early 2024 against an omni-channel retailer with a large, global online sales presence, referred to here as “Company M.”

Company M faced a threat many online organizations see frequently: credential stuffing attacks. Many consumers have poor password hygiene, reusing passwords or credential pairs and making it easier for criminal actors to succeed with account takeover attacks through credential stuffing. Credential stuffing involves systematically testing lists of compromised credential pairs, which are abundant because data breaches occur frequently and are often large.

The credential stuffing attack against Company M exemplified the severity of poor consumer password hygiene. Out of tens of millions of unique credential pairs tested, over half a million customer accounts were successfully accessed, a 1.13 percent success rate. The overall success rate, including repeated attempts, was 1.7 percent. myNetWatchman’s analysis of the compromised credentials used against Company M found that more than nine-tenths of the successful logins involved credential pairs that had previously been tested on other sites.
Leveraging myNetWatchman’s live data surveillance and proprietary data repository of over 30 billion exposed credentials, our analysis showed that the compromised credentials presented at Company M’s site had first been used or tested across thousands of other websites. Using AllCreds as a preventive tool at login and at password change, to force customer step-up authentication and to require a password change when credentials become compromised, would have prevented 91% of the bad actors’ successful logins.

With AllCreds, organizations can fight poor password hygiene and credential stuffing attacks by knowing not only whether the presented credentials are compromised, but whether they are actively being tested. This allows for strategic use of step-up authentication, such as two-factor authentication (2FA) or requiring a password change, while maintaining a seamless user experience for legitimate users.
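The login-time and password-change policy described above, written out as an added example; this is illustrative code, not myNetWatchman’s implementation or the AllCreds API. It assumes a hashed lookup of (username, password) pairs against two constructed sets, one of known-compromised pairs and one of pairs currently being tested elsewhere, and also shows the after-the-fact calculation of how many attacker successes such a check would have caught.

```python
import hashlib

def cred_fingerprint(username: str, password: str) -> str:
    """Hash the (username, password) pair so the lookup store never
    holds plaintext; a production service would use a salted or keyed scheme."""
    return hashlib.sha256(f"{username.lower()}\x00{password}".encode()).hexdigest()

# Constructed stand-in for a repository of known-compromised credential pairs.
KNOWN_COMPROMISED = {
    cred_fingerprint("alice@example.com", "Summer2023!"),
    cred_fingerprint("bob@example.com", "hunter2"),
    cred_fingerprint("dave@example.com", "Password1"),
}
# Constructed stand-in for pairs seen being tested right now (live surveillance).
ACTIVELY_TESTED = {cred_fingerprint("bob@example.com", "hunter2")}

def login_decision(username: str, password: str, password_correct: bool) -> str:
    """Policy applied after normal password verification.
    Returns 'deny', 'allow', 'step_up' or 'step_up_then_reset'."""
    if not password_correct:
        return "deny"
    fp = cred_fingerprint(username, password)
    if fp in ACTIVELY_TESTED:
        # Pair is being stuffed elsewhere at this moment: 2FA, then a mandatory change.
        return "step_up_then_reset"
    if fp in KNOWN_COMPROMISED:
        # Pair appears in a breach: require 2FA before issuing the session.
        return "step_up"
    return "allow"

def password_change_allowed(username: str, new_password: str) -> bool:
    """Reject a new password that would recreate a known-compromised pair."""
    return cred_fingerprint(username, new_password) not in KNOWN_COMPROMISED

def preventable_share(successful_logins: list[tuple[str, str]]) -> float:
    """After-the-fact analysis: fraction of attacker successes that used a
    pair already in the repository, i.e. that a login-time check would have stopped."""
    caught = sum(1 for u, p in successful_logins
                 if cred_fingerprint(u, p) in KNOWN_COMPROMISED)
    return caught / len(successful_logins) if successful_logins else 0.0

# Constructed attack log: 10 attacker successes, 9 of them using pairs already known.
SAMPLE_SUCCESSFUL_LOGINS = (
    [("alice@example.com", "Summer2023!")] * 4
    + [("bob@example.com", "hunter2")] * 3
    + [("dave@example.com", "Password1")] * 2
    + [("erin@example.com", "unique-never-leaked")]
)
```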