Coronavirus outbreak triggered a rush of online attacks against retail loyalty schemes, Akamai reckons

Coronavirus outbreak triggered a rush of online attacks against retail loyalty schemes, Akamai reckons

Hackers are breaking into online loyalty card accounts using stolen credentials or easily obtainable information, and then not only ransacking the profiles' balances but also harvesting victims' personal data for subsequent identity theft, Akamai has warned.


In its Loyalty for Sale – Retail and Hospitality Fraud report published today, Akamai reckoned that ne'er-do-wells began actively targeting retail, travel, and hospitality sectors with a wave of credential-stuffing attacks that accelerated as the COVID-19 pandemic forced most retail activity onto the web.


Credential stuffing is where a miscreant obtains usernames and passwords from one hacked website, and then plugs those details into another website and gains access to accounts sharing the same login details. It's why you should use a unique password for each site and service you use online: if one customer database is leaked, it shouldn't lead to the unlocking of all your other accounts.


“Criminals are not picky, anything that can be accessed can be used in some way,” said Steve Ragan, Akamai security researcher and author of the report. “This is why credential stuffing has become so popular over the past few years. These days, retail and loyalty profiles contain a smorgasbord of personal information, and in some cases financial information too. All of this data can be collected, sold, and traded or even compiled for extensive profiles that can later be used for crimes such as identity theft.”



This is why credential stuffing has become so popular over the past few years



Over a two year period – July 2018 to June 2020 – Akamai researchers said they recorded a total of 63 billion credential-stuffing attacks targeting retail, hospitality and travel, with 90 per cent of those aimed squarely at online retailers. They also claimed they observed more than 100 billion credential stuffing attacks in total durin ..