← Return to Blog

28 Sep, 2020

FBI Ties Recent Bank Hacks to “Credential-Stuffing”

Insight from BankOnIT.

The FBI is raising a sign of alarm about the rising number of credential-stuffing attacks targeting financial institutions.

Credential-stuffing hacks accounted for the greatest volume (41 percent) of security incidents against the financial sector in the last three years. That’s according to a report the FBI cited in the special notice it issued to the banking industry in September.

It refers to a type of automated attack where hackers take collections of usernames and passwords that leaked online via data breaches at other companies and try them against accounts at other online services. These attacks aim to identify accounts where users reused passwords and then gain unauthorized access over the user's profile and attached resources.

FBI officials said that many of these attacks targeted application programming interfaces (APIs) since these systems are "less likely to require multi-factor authentication (MFA)" and are less monitored than user-facing login systems.

In one case, a small group of cyber criminals last year targeted a financial services institution and three of its clients, resulting in the compromise of more than 4,000 online banking accounts. In a case study of one of the firms, security researchers identified more than 1,500 email addresses and 6,000 passwords exposed in more than 80 data breaches. Some of the credentials belonged to company leadership, system administrators and other employees with privileged access.

The cost is real. Credential-stuffing attacks cost an affected business an average of $6 million per year, which excludes costs associated with fraud, according to a 2019 international study conducted by a U.S.-based research center.

Credential stuffing attacks weren't always an issue, but they became one in the late 2010s after hackers leaked billions of usernames and password combinations from hundreds of companies over the past five years.

According to a 2020 survey conducted by a data-analytics firm, nearly 60 percent of respondents reported using one or more passwords across multiple accounts.

The attackers masquerade as legitimate account holders and bank employees to submit fraudulent transactions, including money transfers, bill payments, and credit-card reward points purchases. Credential-stuffing also caused losses from business costs associated with reputation value, customer notification, system downtime and remediation.


  • An unusually high number of failed logins from a diverse range of IP addresses via the online account portal.
  • A higher than usual lockout rate and/or an influx of customer calls regarding account lockouts.


  • Advise customers and employees to use unique passwords they are not using for any other accounts and to change their passwords regularly.
  • Use anomaly-detection tools that identify an unusual increase in traffic and failed authentication attempts.

BankOnIT is a managed service provider with private-cloud technology and security designed exclusively for the financial-services industry. They serve more than 200 banks across the nation.

www.BankOnITUSA.com 800-498-8877

← Return to Blog


This publication attempts to provide timely and accurate information concerning the subjects discussed. It is furnished with the understanding that it does not provide legal or other professional services. If legal or other expert assistance is required, the services of a qualified professional should be obtained.

Related Posts