The media industry as a whole was subjected to 17 billion credential stuffing attacks over the two years between January 2018 and December 2019, accounting for a fifth of the 88 billion global total, according to a report just out from leading CDN (Content Delivery Network) provider Akamai.

Broadcast TV and video web sites experienced particularly strong rises in attacks, enduring respectively 630% and 208% year-over-year increases between 2018 and 2019. Attacks against video services rose less dramatically but still substantially by 98%, while those against online video platforms actually fell by 5%. The latter, including YouTube and Facebook Live, are less attractive targets because a lot of their content is free anyway and it includes shared material less attractive to pirates.

The Akamai 2020 State of the Internet / Credential Stuffing in the Media Industry report found that this steep rise in attacks against video sites and especially broadcast TV coincided with an explosion of on-demand media content in 2019. “In addition, two major video services launched last year with heavy support from consumer promotions. These types of sites and services are well aligned to the observed goals of the criminals who target them,” according to the report.

Credential stuffing attacks are not to be confused with credential cracking, which applies large scale brute force automated login requests where credentials are guessed. Such attacks are less successful and easier to protect against.

Credential stuffing attacks occur because so many consumers use the same combinations of username and password for accessing multiple services and web sites. This enables cybercriminals to apply credentials stolen from one web site in malicious login attempts against others with a relatively high success rate. Roughly 80% of consumers use the same password for at least two accounts while about 25% do so for virtually all their accounts, so on that basis hackers can expect a high success rate targeting popular services.

This high success rate makes credential stuffing attacks harder to combat, because they do not generate such unusual traffic profiles that can be detected via proactive monitoring. Nonetheless there are defenses that can be employed on the basis of monitoring, although it is not clear how successful they are. For that reason, Akamai recommends both that users be encouraged to apply better “credentials hygiene” by not reusing passwords, while also putting pressure on service providers to employ stronger authentication methods.

The problem is that consumers are resistant to having to use multiple passwords, while video services and web sites are reluctant to enforce say two factor security requiring users to hold a secure token or make use of their smart phones as additional factors because that might provoke churn to rivals that do not impose such barriers.

The value for hackers in media industry accounts lies in the potential access to compromised assets, like premium content, along with personal data such as credit card numbers and bank details. “We’ve observed a trend in which criminals are combining credentials from a media account with access to stolen rewards points from local restaurants and marketing the nefarious offering as ‘date night’ packages,” said Steve Ragan, Akamai security researcher and author of the report. “Once the criminals get a hold of the geographic location information in the compromised accounts, they can match them up to be sold as dinner and a movie.”

The USA was by far the top source of credential stuffing attacks against media companies with 1.1 billion in 2019, an increase of 162% over 2018, while India was the most targeted country that year, enduring 2.4 billion attacks with the USA the second most targeted at 1.4 billion.

Akamai has also reported a surge in such malicious login attempts against European video service providers and broadcasters during the first quarter of 2020. Another recent trend showing up during that quarter was a rise in the number of criminals sharing free access to newspaper accounts, reflecting the growth in paywalls in this sector. In those cases credential stuffing campaigns are conducted against the newspaper web sites to steal the working username and password combinations that are then given away for self-promotions by the cybercriminals.