Daily Digit: Hackers account for 91% of login attempts at online retailers

Sam Matthews

Daily Digit is the story behind the numbers that make our world work. Today we’re looking at the seedy underbelly of online shopping. Recent reporting reveals that nearly all — 91 percent — of login attempts made at online retailers are fraudulent. The practice is called credential stuffing, and it goes something like this: A company or website will suffer a data breach that reveals users’ email addresses and passwords; criminals will purchase that information on the dark web; and then hackers will plug those credentials into various online retailers’ sites to see whether any data there matches the leaked data. Luckily, it only works about 3 percent of the time. However, the average time for a data breach to be made public is about 15 months, so by the time you find out your password has been stolen, it’s probably already too late.