Credential spill incidents double as hacker sophistication continues to rise

The average spill size also declined, falling from 63 million records in 2016 to 17 million last year. Meanwhile, the 2020 median spill size (2 million records) represented a 234% increase over 2019 and was the highest since 2016 (2,75 million).

How credential stuffing bots bypass defenses

To perform a credential stuffing attack, the tool needs a stolen credential list to run against the targeted web login. These credential lists are simply a file of usernames (usually email addresses) and passwords. If the attacker hasn’t already obtained a batch of them through phishing, they can easily turn to the dark web.