Findings: F5 2021 Credential Stuffing Report with Commentary

Recently, F5 released its 2021 Credential Stuffing Report, exploring one of the most commonly-used and largely successful tools in the hackers’ arsenal. While breach volumes seem on the decline, annual credential spill incidents nearly doubled over the course of four years. According to the 2021 Credential Stuffing Report, a credential spill is “cyber-incident in which a combination of username and/or email and password pairs becomes compromised.”

The report by F5 also notes that, while industry awareness of cybersecurity best practices continue to improve, password security remains poor. Many businesses still store their password in plaintext, which proves increasingly unsecure. The median time to discover a credential spill between 2018 and 2020 was 120 days; the average time to discovery was 327 days. 

These numbers don’t bode well for password security for businesses. To gain other perspectives, we consulted with a few cybersecurity experts. Here’s what they had to say: 

Commentary on the F5 2021 Credential Stuffing Report

Saryu Nayyar

Saryu Nayyar is the CEO of Gurucul.

“The recent report from F5 on the state of credential theft volumes and their use in cyberattacks over the last four years is interesting and shows many organizations are still not following industry best practices for securing user credentials.

“Credential theft can have long-reaching and expensive aftereffects in lost revenue, incurred mitigation costs, and loss of customer trust – which is itself difficult to put a price on.  Preventing or blunting attacks before they lead to a major breach is generally much less expensive than suffering the fallout from an attack. By following best practices and making sure the organization’s security stack is up to date, including MFA, security analytics, and other technical measures, organizations reduce their risk of being breached in the first place, and can prevent extensive damage.”

Chloé Messdaghi

Chloé Messdaghi is Chief Strategist at Point3 Security.

“These statistics paint a useful picture of the crisis we’re in, but they also show that too many organizations are still running ad hoc and expanding the problem because they don’t know in a timely way when breaches happen. There are four simple steps that every organization should take. The first is passwords – company and customer account passwords should never have less than 20 characters because they’re just too easy to crack. Companies need to enforce stricter password policies, both for the good of the organization and for their customers’ sakes. Everyone should be using password managers at this point, and also be warned never to reuse a password on or from any other account. It’s just too easy for passwords to get stolen and exploited, and yet people still reuse their favorite passwords across accounts.

“Second, MFA needs to be enabled and required, and not just SMS, but MFA that allows the user to take advantage of an MFA app. Third, security must be embedded during site development. If an organization is using open source code, they need to invest in scanning to ensure that it’s safe and remember that anything you use for free needs an investment behind it. Last, invest in detection tools, backups, and encryption – all of which are essential and should be universally employed at this point.”

Garret Grajek 

Garret Grajek is CEO of YouAttest. 

“The report states: ‘Organizations are also poor at detecting breach attempts: median time to discovering a credential spill between 2018 and 2020 was 120 days, while the average time to discovery was 327 days.’

“I think this is the key point. Hackers are going to find a vulnerability somehow, someway – we are all being scanned. And once that flaw is found, e.g. an unpatched server, a weak password, an open network device – the hacker will be on our systems. From there, we MUST be able to detect their actions. The known pattern of behaviors of attackers makes identifying compromised credentials (hacked accounts) possible. We know that a hacker is going to want to move around the network (lateral movement) and escalate their privileges of the overtaken account (privilege escalation). This latter action, privilege escalation, is what hackers use to take normal “user” accounts and turn them into “admin” accounts. This allows them access to more networks, more servers, and more data.

“These privilege escalations are detectable if the enterprise is conducting regular and triggered access and privilege reviews, and is what cloud identity governance does for the enterprise.”

Thanks to these cybersecurity experts for their time and expertise on the F5 2021 Credential Stuffing Report. For more information, check out our Identity Management Buyer’s Guide.