Welcome to the dedicated Executive Summary for our 2023 Identity Threat Report. Here we’ve brought together the bullet-list style summary that opens the full report, as well as a few curated selections and charts to get immediately to the “what do I need to know” of it all.

And of course, if you want to dive into the details and the “why” and “how” behind today’s threats to identity, you can jump over to the full report, or download the PDF. Both of them are one click away – we hate walling off content as much as you hate giving fake info just to read a report.

Executive Summary

• Threats to digital identities are continuous in nature, widespread in targeting, and progressive in their evolution.
• The average proportion of credential stuffing in unmitigated traffic for sampled organizations across all sectors was 19.4%.
• Post-mitigation, the average rate of credential stuffing was 6.0%.
• Mobile endpoints generally see higher rates of automation pre-mitigation than web endpoints.
• Travel, telecommunications, and technology firms experienced higher credential stuffing rates than other sectors.
• While authentication endpoints see higher traffic and automation rates than account management endpoints, account management endpoints serve critical roles for attackers, such as the creation of canary accounts and facilitation attacks for information gain.
• 65% of credential stuffing traffic was composed of unsophisticated HTTP requests with no browser or user emulation.
• Around 20% of malicious automation traffic on authentication endpoints was sophisticated, in that it successfully emulated human behavior on a real browser, including mouse movements and keystrokes.
• Aggregators, which play a significant role in several industries such as finance, can be both a source of noise in terms of detecting malicious automation, as well as a vector in their own right for attackers.
• Many organizations use authentication success rate to identify unwanted automation, but aggregator and canary account traffic can make authentication success rate metrics unreliable.
• The phishing industry has matured, with phishing kits and services driving down the requisite technical expertise and cost.
• Phishing appears to target financial organizations and large-scale/federated identity providers such as Microsoft, Facebook, Google, and Apple the most.
• Reverse phishing proxies, also known as real-time phishing proxies or man-in-the-middle (MITM) phishing, have become the standard approach. These proxies can harvest session cookies and defeat most multi-factor authentication (MFA).
• Detection evasion tools that defeat capabilities such as Google Safe Browsing are also a high priority for phishing.
• Multi-factor authentication bypass techniques have become more common, with successful strategies based on malware, phishing, and other social engineering vectors observed.
• Multi-factor authentication technologies based on public key cryptography (such as the FIDO2 suite of protocols) are significantly more resistant to observed MFA bypass techniques.

Credential Stuffing

Credential stuffing is a numbers game. It hinges on the fact that people reuse passwords, but the likelihood that any single publicly compromised password will work on another single web property is still small. Making credential stuffing profitable is all about maximizing the number of attempts, and that means it is also all about automation.

Prevalence

Quantifying the prevalence of credential stuffing across multiple different organizations is difficult because credential stuffing attacks against a single organization often occur in intense waves, then subside to a lower baseline level for some time. With that said, Figure 1 shows the daily mean proportion (with 95% confidence interval) of malicious automated traffic against the authentication surfaces of 159 customers.