chombosan - stock.adobe.com

Video providers slammed by credential stuffing attacks

Attacks on the media sector are spiking as cyber criminals try to gain access to valuable consumer accounts

Nearly a fifth of all credential stuffing cyber attacks – 17 billion out of 88 billion – observed during 2019 targeted media and content delivery services, and this is likely to be exacerbated by the Covid-19 coronavirus pandemic, according to statistics gathered by Akamai.

In its latest State of the internet report, which has already been delayed due to the pandemic, Akamai reported a 63% year-on-year increase in attacks against video media firms, a 630% increase in attacks against broadcast TV companies, and a 230% increase in attacks against video sites, apparently coinciding with an explosion of on-demand media content during 2019.

The US was by far the top source of credential stuffing attacks on media companies, while India was the most targeted country, following by the US and the UK.

“As long as we have usernames and passwords, we’re going to have criminals trying to compromise them and exploit valuable information,” said Steve Ragan, a security researcher at Akamai, and author of the report.

“Password sharing and recycling are easily the two largest contributing factors in credential stuffing attacks. While educating consumers on good credential hygiene is critical to combating these attacks, it’s up to businesses to deploy stronger authentication methods and identify the right mix of technology, policies and expertise that can help protect customers without adversely impacting the user experience.”

Ragan said that the value to cyber criminals from taking control of media service accounts lay both in access to premium content, such as Amazon Video, Netflix or Disney+ exclusives, and in access to the personal data of the accounts’ legitimate owners.

He added that video sites were not the sole focus of such attacks in the media sector though – Akamai also observed a 7,000% increase in attacks targeting published content, with newspapers, magazines and books all still fair game.

Owing to the delay in its production, the Akamai report also includes data from the first quarter of 2020, covering the first few chaotic weeks of the Covid-19 pandemic as the spread of the virus ramped up during March.

Akamai said it had observed a massive spike in malicious login attempts against video service providers and broadcasters, with one attack falling at the end of March directing 350,000,000 attempts on a single service provider in just 24 hours. Another broadcaster in Europe was hit with a barrage of attacks with peaks ranging in the billions.

Most notably, there was a large spike in malicious login attempts against European video service providers and broadcasters during the first quarter of 2020. One attack in late March, after many isolation protocols had been instituted, directed nearly 350,000,000 attempts against a single service provider over a 24-hour period.

Separately, one broadcaster well known across the region, was hit with a barrage of attacks over the course of the quarter with peaks that ranged in the billions. Akamai did not name either service.

However, it now appears that there may be something of a glut of compromised account credentials available, as there has been a steep decline in the cost of stolen logins during the course of the first quarter of 2020, falling dramatically from a peak of about $5 per account at the end of March.

Read more about credential stuffing attacks

  • After being hit by likely credential stuffing attacks, social media service Houseparty denied its service had been hacked and offered a million-dollar bounty to anybody who could prove otherwise.
  • Credential stuffing attacks can put companies that offer online membership programs, as well as their customers, at risk. Find out how to proactively manage the threat.
  • Video-sharing website Dailymotion reset passwords for an unknown number of users following ‘large-scale’ credential stuffing attacks that lasted for more than six days before being stopped.

Read more on Hackers and cybercrime prevention