Credential stuffing is an automated process that uses consumer databased purchased in clandestine markets by pirates, to attempt access to consumer online accounts, including streaming and credit card accounts. If the attempt is successful, pirates sell accounts to individual streaming services for $1-5 per account, and for as much as $45 for a packaged offer with multiple services, according to a July report by Akamai.
Akamai measured 2019 increases in credential stuffing of 63% against the video media sector overall, a 630% increase for broadcast TV and a 208% increase for video sites. The increase against video sites was said to align with the launch of several major streaming video services during 2019.
The report was originally intended to cover 2019, but due to the coronavirus pandemic, the release was delayed, enabling Akamai to add a summary about Q1 of 2020, when attacks unsurprisingly increased.
In Q1, credential stuffing attacks increased by 1,450%, compared with about 200% in 2019 (compared with 2018), according to Akamai’s measurements. One European broadcaster was “hit with peaks that ranged into the billions.”
Akamai also recently released a comprehensive white paper, Inside the World of Video Pirates: How Do We Stop Them?, available via the Akamai Web site.
Why it matters
Akamai reinforces the conventional wisdom that piracy attacks increased dramatically during the first quarter of 2020, as the coronavirus pandemic began to take hold.
It will be interesting to see whether the rate and level of credential stuffing attacks continues at an elevated level, continues to increas, or begins to decline in Q2 – since other sources have documented that network traffic and video consumption are documented plateaued in April and May.
A July report by Arkose Labs also reinforces the severity of the credential stuffing problem, saying that about 60% of piracy attacks are done through automation – and not just against video accounts.