Akamai Security Research: Loyalty Programs Continue to be Targeted by Criminals as Account Data is Easily Sold or Traded Retail, Hospitality, Travel industries were hit with over 63 billion credential stuffing and 4 billion web application attacks in last two years
Cambridge, MA | October 21, 2020
Akamai (NASDAQ: AKAM) the intelligent edge platform for security and delivering digital experiences, today published the State of the Internet / Security report: Loyalty for Sale - Retail and Hospitality Fraud. The report details criminal activity targeting the retail, travel, and hospitality sectors with attacks of all types and sizes between July 2018 and June 2020. The report also includes numerous examples of criminal ads from the darknet illustrating how they cash in on the results from successful attacks and the corresponding data theft.
Criminals are not picky -- anything that can be accessed can be used in some way, said Steve Ragan, Akamai security researcher and author of the State of the Internet / Security report. This is why credential stuffing has become so popular over the past few years. These days, retail and loyalty profiles contain a smorgasbord of personal information, and in some cases financial information too. All of this data can be collected, sold, and traded or even compiled for extensive profiles that can later be used for crimes such as identity theft.
During the COVID-19 pandemic-related lockdowns in Q1 2020, criminals took advantage of the worldwide situation and circulated password combination lists, targeting each of the commerce industries featured in the report. It was during this time that criminals started recirculating old credential lists in an effort to identify new vulnerable accounts, leading to a significant uptick in criminal inventory and sales related to loyalty programs.
Between July 2018 and June 2020, Akamai observed more than 100 billion credential stuffing attacks in total. In the commerce category - comprising the retail, travel, and hospitality industries - there were 63,828,642,449 recorded. More than 90% of the attacks in the commerce category targeted the retail industry.
Credential stuffing isn't the only way that criminals target the retail, travel, and hospitality industries. They target organizations in these industries at the source using SQL Injection (SQLi) and Local File Inclusion (LFI) attacks. Between July 2018 and June 2020, Akamai observed 4,375,711,860 web attacks against retail, travel, and hospitality, accounting for 41% of the overall attack volume across all industries. Within this data set, 83% of those web attacks targeted the retail sector alone. SQLi attacks are an evident favorite among criminals, accounting for just under 79% of the total web application attacks against retail, travel, and hospitality.
As the global economy prepares for a holiday shopping season, it does so in an environment that has changed radically due to the pandemic. Consumers will not be standing outside of brick and mortar stores waiting for the latest deals in the same way they have in the past. They're going to log-in, collect their reward points, and maybe use loyalty programs to gain some discounts or other perks just for being a member.
Considering everything that goes into a successful loyalty program, and the information people need to provide in order to take part, the criminals have everything they need to get started in a number of crime-related ventures, from account takeovers, to straight-up identity theft. So, while an individual's loyalty to a merchant, airline, or hotel chain might not literally be for sale, there's a good chance the account associated with such programs might be.
All businesses need to adapt to external events, whether it's a pandemic, a competitor, or an active and intelligent attacker, Ragan concluded. Some of the top loyalty programs targeted require nothing more than a mobile number and a numeric password, while others rely on easily obtained information as a means of authentication. There is an urgent need for better identity controls and countermeasures to prevent attacks against APIs and server resources.
The Akamai 2020 State of the Internet / Security report, Loyalty for Sale - Retail and Hospitality Fraud is available here. In addition, Akamai will host a webinar on Thursday, October 22 at 11:00 a.m. ET where Akamai security experts discuss the findings of this latest report. To register for the webinar, visit here.
For additional information, the security community can access, engage with, and learn from Akamai's threat researchers and the insight that the Akamai Intelligent Edge Platform affords into the evolving threat landscape, visit Akamai's Threat Research Hub.
About Akamai Akamai secures and delivers digital experiences for the world's largest companies. Akamai's intelligent edge platform surrounds everything, from the enterprise to the cloud, so customers and their businesses can be fast, smart, and secure. Top brands globally rely on Akamai to help them realize competitive advantage through agile solutions that extend the power of their multi-cloud architectures. Akamai keeps decisions, apps and experiences closer to users than anyone - and attacks and threats far away. Akamai's portfolio of edge security, web and mobile performance, enterprise access and video delivery solutions is supported by unmatched customer service, analytics and 24/7/365 monitoring. To learn why the world's top brands trust Akamai, visit www.akamai.com, blogs.akamai.com, or @Akamai on Twitter. You can find our global contact information at www.akamai.com/locations.
Europe Stories
19/12/2025
With Playout Release 2025.4, ToolsOnAir continues to push professional playout w...
19/12/2025
19 Dec 2025
VEON's Mobilink Microfinance Bank Launches Islamic Banking Oper...
19/12/2025
The six-part drama, set in a close-knit Welsh town fractured by an unspeakable c...
19/12/2025
Rohde & Schwarz drives the future of mobility at CES 2026 At the 2026 Consumer Electronics Show in Las Vegas, Rohde & Schwarz will present a powerful lineup o...
19/12/2025
RT is proud to return to the RDS to support the 2026 Stripe Young Scientist & T...
18/12/2025
Canada's largest indoor arena has transformed its live production capabilities with a full ST 2110 infrastructure and Calrec's compact Argo S console. S...
18/12/2025
Long-term agreement includes the SES SCORE platform and hybrid distribution worldwide to deliver more than 5,000 hours of golf tournaments annually featuring th...
18/12/2025
18 Dec 2025
VEON Upgraded to Nasdaq Global Select Market, Enhancing Investor Visibility Dubai, December 18, 2025 - VEON Ltd. (Nasdaq: VEON), a global digital o...
18/12/2025
Thursday 18 December 2025
Sky Sports remains the exclusive home of the Masters ...
18/12/2025
Using the additive process of 3D printing, layer after layer gets printed until an object is as close to the final shape needed as possible. Historically, machi...
18/12/2025
In 2025, RT proudly supported 185 arts and cultural events across the island of Ireland, reflecting significant growth since the scheme was re-launched in 2014...
18/12/2025
RT Sports Awards 2025 live on RT One and RT Player at 8:05pm on Saturday 20 December
On Saturday 20 December live on RT One and RT Player at the earlier t...
18/12/2025
RT lyric fm presents a very special Winter Solstice edition of Ambient Orbit, l...
18/12/2025
At 7.45pm on 1st January 1926, the precursor to RT , then 2RN, delivered the fledgling new Irish state's first public radio transmission. From those first c...
18/12/2025
December 18 2025, 05:30 (PST) The Movie Experience SLO Becomes First U.S. Exhib...
17/12/2025
Investigative journalists across the Western Balkans and T rkiye continue to con...
17/12/2025
The right playlist is essential on New Year's Eve, building the energy as you get ready and keeping it high as you count down to midnight. This year, Spotif...
17/12/2025
eds3_5_jq(document).ready(function($) { $(#eds_sliderM519).chameleonSlider_2_1({...
17/12/2025
Wuppertal December 17, 2025
Riedel Builds Global Communication and Commentary ...
17/12/2025
December 17 2025, 17:00 (PST) Dolby and LG Unveil a New Era of Home Audio With ...
17/12/2025
Wednesday 17 December 2025
Heated Rivalry will be coming to Sky and streaming service NOW on 10 JanuaryTurn on cookies to view this content. Go to Privacy opti...
17/12/2025
RT has announced that Kathy Fox has been appointed Commissioning Editor with re...
17/12/2025
With the new season of Dancing with the Stars shimmering in the not-too-distant future this New Year, the celebrity and dancer pairings of the twelve couples ha...
16/12/2025
Hawkins has landed on Spotify, just in time for Stranger Things Season 5, Volume...
16/12/2025
Wherever you are, your favorite music and audio content should go seamlessly with you. That's why Spotify has partnered with NAVER Corp, Korea's leading...
16/12/2025
2025 Wrapped arrived bigger and bolder than ever. This year's experience is designed to be ultra personal and shareable, with new features like Wrapped Part...
16/12/2025
16 Dec 2025
VEON Announces Release Date for Full Year and Fourth Quarter 2025 R...
16/12/2025
16 Dec 2025
VEON's Kyivstar Invests in Renewable Energy in Ukraine with Acq...
16/12/2025
Harmonic's XOS Advanced Media Processor Improves Streaming Video Quality and Boosts Viewer Engagement SAN JOSE, Calif. - Dec. 16, 2025 - Harmonic (NASDAQ: ...
16/12/2025
RT Sport Awards 2025 live on RT One and RT Player at 8:05pm on Saturday 20 December.
On Saturday 20 December live on RT One and RT Player at the earlier t...
16/12/2025
Singer -songwriter Brian Kennedy has been announced as the final celebrity dance...
15/12/2025
Cape Town, November 13, 2025 - SES and International artist and humanitarian, Fo...
15/12/2025
Luxembourg, December 15, 2025 - SES, a leading space solutions company, and Abra Group launched fast and reliable multi-orbit inflight connectivity service on t...
15/12/2025
15 Dec 2025
VEON's Beeline Kazakhstan Delivers First Starlink Direct to Cel...
15/12/2025
Andrew Mountbatten-Windsor finds himself the topic of year's cracker jokes
Oasis, David Harbour, Celebrity Traitors and Angela Rayner all feature in this y...
15/12/2025
Comscore Expands Cross-Platform Campaign Measurement to Include Audio and Social New capabilities strengthen cross-platform campaign reporting suite; CCR rebran...
15/12/2025
RT .ie has reached one billion page views this year and is on track to finish 2025 2% ahead of last year. Average time spent on the site is up 3% on 2024, with ...
12/12/2025
Last month, Spotify announced a new collaboration with the ATP Tour, the global governing body of men's professional tennis, aimed at bringing the next gene...
12/12/2025
Friday 12 December 2025
Ted is back! Seth MacFarlane's live-action comedic ...
12/12/2025
Uachtar n na h ireann, Catherine Connolly visited RT Raidi na Gaeltachta's...
12/12/2025
Ireland AM host Eric Roberts has been revealed as the sixth contestant taking to...
11/12/2025
Thomson and the Center for News, Technology and Innovation (CNTI) convened a two-day workshop in Sarajevo bringing together more than 35 journalists, editors, p...
11/12/2025
Having the right song soundtrack your moves can make all the difference when gam...
11/12/2025
It's been a big year for Taylor Swift. Her highly anticipated album The Life...
11/12/2025
11 Dec 2025
VEON's Banglalink Receives Regulatory Approval to Launch Digita...
11/12/2025
Thursday 11 December 2025
Sky Arts paints a picture of Britain's beauty as ...
11/12/2025
It's not every day we're asked to create a website for a classical musician!
So, we were delighted to help pianist Georgina Duncan as she embarks on he...
11/12/2025
It's beginning to look a lot like Christmas!
Irish golfing hero Shane Lowry...
11/12/2025
RT Sport Awards 2025 live on RT One and RT Player at 8:05pm on Saturday 20 December
On Saturday 20 December live on RT One and RT Player at the earlier ti...
Akamai Security Research: Loyalty Programs Continue to be Targeted by Criminals as Account Data is Easily Sold or Traded Retail, Hospitality, Travel industries were hit with over 63 billion credential stuffing and 4 billion web application attacks in last two years 
