The number of annual credential spill incidents nearly doubled from 2016 to 2020, according to F5’s latest Credential Stuffing Report.

The most comprehensive research initiative of its kind reported a 46% downturn in the volume of spilled credentials during the same period. The average spill size also declined, falling from 63 million records in 2016 to 17 million last year. Meanwhile, the 2020 median spill size (2 million records) represented a 234% increase over 2019 and was the highest since 2016 (2,75 million).

Credential stuffing, which involves the exploitation of large volumes of compromised username and/or email and password pairs, is a growing global problem.

“Attackers have been collecting billions of credentials for years. Credential spills are like an oil spill, once leaked, they are very hard to clean up because credentials do not get changed by unassuming consumers, and credential stuffing solutions are yet to be widely adopted by enterprises. It is not surprising that during this period of research, we saw a shift in the number one attack type from HTTP attacks to credential stuffing. This attack type has a long-term impact on the security of applications and is not going to change any time soon,” said Sara Boddy, Senior Director of F5 Labs. “If you are worried about getting hacked, it’s most likely going to occur from a credential stuffing attack.”

Sander Vinberg, Threat Research Evangelist at F5 Labs, and report co-author, urged organizations to remain vigilant.

“While it is interesting that the overall volume and size of spilled credentials fell in 2020, we should definitely not celebrate yet,” he warned “Access attacks – including credential stuffing and phishing – are now the number one root cause of breaches. It is highly unlikely that security teams are winning the war against data exfiltration and fraud, so it looks as though we’re seeing a previously chaotic market stabilize as it reaches greater maturity.”

Get the full story (and download the report) here.