Over 60% of credential stuffing attacks detected over the past two years have been targeted at retail, travel and hospitality businesses, according to Akamai.

The security vendor’s latest report, Loyalty for Sale, is compiled from internet traffic flowing through its extensive global content delivery network.

It revealed that, during the period July 1 2018 to June 30 2020, it detected over 100 billion credential stuffing attempts. Almost 64 billion of these were aimed at cracking open user accounts in the retail, travel and hospitality sectors.

Further, retail accounted for the vast majority (90%+) of the attacks aimed at these verticals.

Such attacks remain popular given the continuous surge of breached log-ins onto underground sites and the potentially rich pickings to be found inside cracked accounts.

“Criminals are not picky — anything that can be accessed can be used in some way,” said Steve Ragan, Akamai security researcher and report author.

“This is why credential stuffing has become so popular over the past few years. These days, retail and loyalty profiles contain a smorgasbord of personal information, and in some cases financial information too. All of this data can be collected, sold and traded, or even compiled for extensive profiles that can later be used for crimes such as identity theft.”

Akamai also claimed that during the early days of the COVID-19 crisis as consumers flooded online sites to purchase goods, cyber-criminals began recirculating old credential lists in an attempt to identity new vulnerable accounts.

The report identified not just credential stuffing activity but also attempts to compromise sites directly via SQL Injection (SQLi) and Local File Inclusion (LFI) attacks.

Akamai detected nearly 4.4 billion web attacks against the retail, hospitality and travel sectors, comprising 41% of the total across all verticals. Once again, retail (83%) was the most popular target, while SQLi attacks (79%) were the number one choice of cyber-criminals across the three verticals.