Stolen Credentials and the 60-Second Phishing Trap: Key Findings from the 2024 DBIR
It’s always an exciting time of year when the new Verizon Data Breach Investigations Report (DBIR) drops, and this year was no exception. The DBIR is an annual report that analyzes security incidents and data breaches from the past year, and it is often our best opportunity to examine real-world attack data at scale. Key findings from this year’s report include:
- Analyzed 30,458 security incidents, of which 10,626 were confirmed data breaches, across 94 countries. This is a record high.
- Exploitation of vulnerabilities as an initial access vector nearly tripled from last year (up 180%), largely driven by attacks leveraging zero-day vulnerabilities such as the one affecting the MOVEit file transfer software.
- Ransomware and extortion together accounted for 32% of breaches, up sharply from last year. Ransomware alone was present in 23% of breaches.
- The human element was involved in 68% of breaches, similar to last year, mostly driven by error-related breaches and phishing/extortion attacks.
- 15% of breaches involved a third party, a 68% increase, mostly due to zero-day exploits used for ransomware and extortion. This reflects the growing focus on supply chain attacks.
- Errors accounted for 28% of breaches, partly because new contributors reporting under mandatory breach notification rules were added to the dataset. An error can be something as simple as an employee sending information to the wrong recipient by accident.
- Financially motivated threat actors continue to rely heavily on ransomware, extortion, and business email compromise.
- The median time for a user to fall for a phishing email is less than 60 seconds. This is a rather alarming statistic: the median time to click a phishing link after opening the email was only 21 seconds, and a further 28 seconds later the user had entered data into the phishing page, at which point those credentials are compromised.
The report also emphasizes password security and user authentication which we have focused on recently. A few key authentication takeaways from the DBIR are:
- Stolen credentials continue to be a significant issue. Over the past 10 years, stolen credentials have appeared in almost one-third (31%) of breaches, making them a core component of compromising organizations and emphasizing the need for strong unique passwords and MFA.
- Brute force attacks, where threat actors attempt to guess passwords, accounted for only 2% of breaches this year. The low number is consistent with basic password length and complexity requirements plus login attempt limiting being effective at keeping this vector rare; it is not a reason to drop those controls.
- Credential stuffing, where attackers replay lists of known username/password combinations from previous breaches, is becoming a more prominent threat, especially for organizations with a large number of customer-facing web applications and APIs. Because stuffing uses valid passwords rather than guesses, length and complexity rules do not stop it; unique passwords per site and MFA do.
- Malware that steals passwords, while not appearing frequently in the dataset (2% of breaches), is still a concern. An analysis of credential markets found over a thousand credentials per day being posted for sale, with 65% posted less than one day after collection.
- When examining breaches in the Financial and Insurance industry, the use of stolen credentials was very common, boosting the overall percentage of financially motivated breaches to 95%.
- The report recommends multi-factor authentication (MFA) as a key mitigation against credential-based attacks, noting that “MFA goes a long way toward mitigating these types of attacks.”
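The two controls the takeaways above call for, login attempt limiting against brute force and rejecting known-breached passwords against credential stuffing, fit in a small login guard. The code below is an added example and is not from the DBIR or from this post; the user store, the breached-password set, the replayed credential list and the clock are all constructed for the demo, and the fast SHA-256 hash stands in for a real slow password hash (argon2id, bcrypt or scrypt) only to keep the example dependency-free.

```python
"""Added example (not from the DBIR or this post): a minimal login guard with
attempt limiting keyed on account and source IP, plus a breached-password check.
All data below is constructed for the demo."""
import hashlib
import hmac
import time
from collections import defaultdict


def _hash(password: str, salt: str) -> str:
    # Demo only: a real system uses argon2id/bcrypt/scrypt, not plain SHA-256.
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed user store: username -> (salt, salted hash).
USERS = {
    "alice": ("salt-a", _hash("correct horse battery staple", "salt-a")),
    "bob": ("salt-b", _hash("Summer2023!", "salt-b")),
}

# Constructed stand-in for a breached-password corpus (SHA-1 hashes, the format
# breach corpora such as Have I Been Pwned distribute).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ["password", "123456", "Summer2023!", "qwerty"]
}


def is_breached(password: str) -> bool:
    """True if the password appears in the known-breached set."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1


class LoginGuard:
    """Attempt limiting with a rolling window, keyed on account and on source IP.

    The per-account limit blunts brute force against one user; the per-IP limit
    blunts credential stuffing that sprays many accounts from one source."""

    def __init__(self, max_attempts=5, window_s=300, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window_s = window_s
        self.clock = clock
        self.failures = defaultdict(list)  # key -> timestamps of recent failures

    def _recent(self, key):
        cutoff = self.clock() - self.window_s
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]
        return self.failures[key]

    def _locked(self, key):
        return len(self._recent(key)) >= self.max_attempts

    def attempt(self, username: str, password: str, ip: str) -> str:
        """Return 'ok', 'locked', 'bad_credentials' or 'breached_password'."""
        acct_key, ip_key = f"user:{username}", f"ip:{ip}"
        # Lockout is checked before verification so a locked account cannot be probed.
        if self._locked(acct_key) or self._locked(ip_key):
            return "locked"
        now = self.clock()
        rec = USERS.get(username)
        # Always hash and compare in constant time, so an unknown username is not
        # distinguishable from a wrong password by response timing.
        salt, stored = rec if rec else ("no-such-user", "0" * 64)
        if not hmac.compare_digest(_hash(password, salt), stored):
            self.failures[acct_key].append(now)
            self.failures[ip_key].append(now)
            return "bad_credentials"
        if is_breached(password):
            # Right password, but it is in a breach corpus: force a reset rather
            # than let a stuffed credential through.
            return "breached_password"
        return "ok"


def simulate_stuffing():
    """Replay a constructed credential-stuffing list from one IP; return outcomes."""
    t = [0.0]  # fake clock so the run is deterministic
    guard = LoginGuard(max_attempts=3, window_s=300, clock=lambda: t[0])
    leaked = [("alice", "password"), ("carol", "123456"), ("bob", "Summer2023!"),
              ("dave", "qwerty"), ("alice", "correct horse battery staple")]
    results = []
    for user, pw in leaked:
        results.append(guard.attempt(user, pw, ip="203.0.113.7"))
        t[0] += 1.0
    return results


if __name__ == "__main__":
    print(simulate_stuffing())
```

In the replay, the third failed guess trips the per-IP limit, so the attacker's final try with alice's real password is refused as locked even though the per-account counter for alice is still below the limit, and bob's correct-but-leaked password is flagged for reset instead of being accepted.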
Overall, the DBIR highlights that while strong password policies are important, stolen credentials remain a persistent threat. Organizations should look beyond password complexity to multi-factor authentication, and given that users hand over credentials to a phishing page within a minute, prefer phishing-resistant forms such as passkeys and FIDO2 authenticators, which bind the login to the legitimate site and cannot be replayed by an attacker-in-the-middle the way a one-time code can.