
Akamai Security Research: Loyalty Programs Continue to be Targeted by Criminals as Account Data is Easily Sold or Traded
Retail, Hospitality, Travel industries were hit with over 63 billion credential stuffing and 4 billion web application attacks in last two years
Cambridge, MA | October 21, 2020
Akamai (NASDAQ: AKAM), the intelligent edge platform for security and delivering digital experiences, today published the State of the Internet / Security report: Loyalty for Sale - Retail and Hospitality Fraud. The report details criminal activity targeting the retail, travel, and hospitality sectors with attacks of all types and sizes between July 2018 and June 2020. The report also includes numerous examples of criminal ads from the darknet illustrating how they cash in on the results from successful attacks and the corresponding data theft.
"Criminals are not picky -- anything that can be accessed can be used in some way," said Steve Ragan, Akamai security researcher and author of the State of the Internet / Security report. "This is why credential stuffing has become so popular over the past few years. These days, retail and loyalty profiles contain a smorgasbord of personal information, and in some cases financial information too. All of this data can be collected, sold, and traded or even compiled for extensive profiles that can later be used for crimes such as identity theft."
During the COVID-19 pandemic-related lockdowns in Q1 2020, criminals took advantage of the worldwide situation and circulated password combination lists, targeting each of the commerce industries featured in the report. It was during this time that criminals started recirculating old credential lists in an effort to identify new vulnerable accounts, leading to a significant uptick in criminal inventory and sales related to loyalty programs.
Between July 2018 and June 2020, Akamai observed more than 100 billion credential stuffing attacks in total. In the commerce category - comprising the retail, travel, and hospitality industries - there were 63,828,642,449 recorded. More than 90% of the attacks in the commerce category targeted the retail industry.
Credential stuffing isn't the only way that criminals target the retail, travel, and hospitality industries. They target organizations in these industries at the source using SQL Injection (SQLi) and Local File Inclusion (LFI) attacks. Between July 2018 and June 2020, Akamai observed 4,375,711,860 web attacks against retail, travel, and hospitality, accounting for 41% of the overall attack volume across all industries. Within this data set, 83% of those web attacks targeted the retail sector alone. SQLi attacks are an evident favorite among criminals, accounting for just under 79% of the total web application attacks against retail, travel, and hospitality.
As the global economy prepares for a holiday shopping season, it does so in an environment that has changed radically due to the pandemic. Consumers will not be standing outside of brick and mortar stores waiting for the latest deals in the same way they have in the past. They're going to log in, collect their reward points, and maybe use loyalty programs to gain some discounts or other perks just for being a member.
Considering everything that goes into a successful loyalty program, and the information people need to provide in order to take part, the criminals have everything they need to get started in a number of crime-related ventures, from account takeovers, to straight-up identity theft. So, while an individual's loyalty to a merchant, airline, or hotel chain might not literally be for sale, there's a good chance the account associated with such programs might be.
"All businesses need to adapt to external events, whether it's a pandemic, a competitor, or an active and intelligent attacker," Ragan concluded. "Some of the top loyalty programs targeted require nothing more than a mobile number and a numeric password, while others rely on easily obtained information as a means of authentication. There is an urgent need for better identity controls and countermeasures to prevent attacks against APIs and server resources."
The Akamai 2020 State of the Internet / Security report, Loyalty for Sale - Retail and Hospitality Fraud, is available here. In addition, Akamai will host a webinar on Thursday, October 22 at 11:00 a.m. ET where Akamai security experts discuss the findings of this latest report. To register for the webinar, visit here.
For additional information, the security community can access, engage with, and learn from Akamai's threat researchers and the insight that the Akamai Intelligent Edge Platform affords into the evolving threat landscape by visiting Akamai's Threat Research Hub.
About Akamai
Akamai secures and delivers digital experiences for the world's largest companies. Akamai's intelligent edge platform surrounds everything, from the enterprise to the cloud, so customers and their businesses can be fast, smart, and secure. Top brands globally rely on Akamai to help them realize competitive advantage through agile solutions that extend the power of their multi-cloud architectures. Akamai keeps decisions, apps and experiences closer to users than anyone - and attacks and threats far away. Akamai's portfolio of edge security, web and mobile performance, enterprise access and video delivery solutions is supported by unmatched customer service, analytics and 24/7/365 monitoring. To learn why the world's top brands trust Akamai, visit www.akamai.com, blogs.akamai.com, or @Akamai on Twitter. You can find our global contact information at www.akamai.com/locations.