Anatomy of an FI Credential Stuffing Attack

Many organizations rely on myNetWatchman to protect against credential stuffing and account takeover attacks, but account security is especially critical for financial institutions (FIs). This article walks through a real credential stuffing attack against a large FI, observed in real time between June and August 2024.

It’s a High-Volume Numbers Game

Credential stuffing replays username/password pairs exposed in earlier breaches against a new target, counting on the same pair having been reused there. The attack in this case study tried more than 8 million unique usernames over a 6-week period. The goal was never for all of them to succeed; it was to identify the small fraction that do.

Attackers Cater to Their Targets

Bad actors know that FIs typically don’t use email addresses as usernames. Nearly all 8 million+ username attempts in this attack were non-email usernames — a deliberate adaptation to the target.

Success Rate Is Lower for FIs, but Damage Is Higher

The success rate of this attack was 0.1%: roughly 8,000 of the 8 million+ accounts tested passed the password check and advanced to a 2FA prompt. This FI supported two-factor authentication but was not presenting it for every login.

Critically, even when 2FA stops a bad actor from logging in, reaching the 2FA prompt confirms that the username and password are valid. The attacker can then go after the second factor directly, using phishing, SIM swaps, or other techniques to gain control of the authenticating email address or phone number.

You Are Rarely the First Target

86% of successful credential pairs in this attack were previously observed by myNetWatchman — they had already been seen in other credential stuffing attacks. This is typical. FIs are rarely the first target; the credentials have usually been tested elsewhere already.

You’re Often Not the First FI Either

26% of the valid credentials used in this attack had previously been observed against other FIs. Fraudsters mine compromised credential datasets for non-email usernames paired with strong passwords, since those are the characteristics most likely to belong to an online banking login, and then test them against multiple institutions simultaneously.

It’s Not a Matter of If, But When

FIs will see credential stuffing attacks because taking over online banking accounts is extremely valuable to fraudsters. The key is knowing when an attack is occurring, what accounts are at risk, and whether credentials are actively being tested elsewhere right now.
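As an added example, not code from myNetWatchman or from this article, the following Python turns the signals described above (volume of distinct usernames, low success rate, non-email username shape, and whether a pair has been seen before) into two checks an FI's login pipeline could run: a window summary that flags a stuffing campaign and lists the accounts whose passwords verified, and a step-up decision that forces 2FA whenever the submitted pair is already known to be circulating, even if a risk-based policy would otherwise skip the prompt. The log line format, the thresholds, the compromised-pair feed, the `trusted_device` flag, and the sample log lines are all assumptions constructed for the example, not data from the attack.

```python
"""Added example (not from the myNetWatchman article): two checks an FI
login pipeline could run, exercised over constructed sample data.
Log format, thresholds and the compromised-pair feed are all assumptions."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    username: str
    src_ip: str
    password_ok: bool  # password verified; 2FA (if any) not yet evaluated


def parse_event(line: str) -> AuthEvent:
    """Assumed format: '<ISO-8601 ts> user=<name> ip=<addr> result=<ok|fail>'."""
    ts_s, rest = line.split(" ", 1)
    kv = dict(tok.split("=", 1) for tok in rest.split())
    return AuthEvent(datetime.fromisoformat(ts_s), kv["user"], kv["ip"], kv["result"] == "ok")


@dataclass
class WindowStats:
    attempts: int
    unique_usernames: int
    successes: int               # distinct usernames whose password verified
    success_rate: float          # successes / attempts
    non_email_fraction: float    # share of distinct usernames not shaped like e-mail
    at_risk_accounts: list[str]  # verified usernames; legitimate users are among them, so review, don't lock


def summarize_window(events: list[AuthEvent], start: datetime, length: timedelta) -> WindowStats:
    in_win = [e for e in events if start <= e.ts < start + length]
    users = {e.username for e in in_win}
    ok = sorted({e.username for e in in_win if e.password_ok})
    non_email = sum(1 for u in users if not EMAIL_RE.match(u))
    return WindowStats(len(in_win), len(users), len(ok),
                       len(ok) / len(in_win) if in_win else 0.0,
                       non_email / len(users) if users else 0.0, ok)


def is_stuffing_campaign(stats: WindowStats, *, min_unique: int,
                         max_success_rate: float, min_non_email: float) -> bool:
    """Many distinct usernames, almost all failing, shaped like the FI's own
    usernames. Thresholds are assumptions; derive real ones from baseline traffic."""
    return (stats.unique_usernames >= min_unique
            and stats.success_rate <= max_success_rate
            and stats.non_email_fraction >= min_non_email)


def credential_fingerprint(username: str, password: str) -> str:
    """Lookup key for an observed-compromised feed. Plain SHA-256 for illustration;
    a real feed would use a keyed or k-anonymity scheme so the feed is not itself a
    credential oracle. Username is case-folded, which must match how the feed was built."""
    return hashlib.sha256(f"{username.lower()}\x00{password}".encode()).hexdigest()


def step_up_decision(username: str, password: str, password_ok: bool,
                     known_compromised: set[str], trusted_device: bool) -> dict:
    """Whether a password-verified login may skip 2FA. A risk policy that skips 2FA
    on trusted devices must never do so for a pair already in circulation: the
    password check has just confirmed that pair to whoever submitted it."""
    if not password_ok:
        return {"allow": False, "require_2fa": False, "reason": "bad password"}
    if credential_fingerprint(username, password) in known_compromised:
        return {"allow": True, "require_2fa": True, "reason": "pair previously observed compromised"}
    if trusted_device:
        return {"allow": True, "require_2fa": False, "reason": "trusted device, pair not known compromised"}
    return {"allow": True, "require_2fa": True, "reason": "default step-up"}


# Constructed sample log: one source cycling through non-email usernames with a
# single password hit, plus one ordinary e-mail-style login from elsewhere.
SAMPLE_LOG = [
    "2024-07-01T10:00:00 user=jsmith1981 ip=203.0.113.5 result=fail",
    "2024-07-01T10:00:01 user=mary.k ip=203.0.113.5 result=fail",
    "2024-07-01T10:00:01 user=bigdog44 ip=203.0.113.5 result=fail",
    "2024-07-01T10:00:02 user=tlee2020 ip=203.0.113.5 result=fail",
    "2024-07-01T10:00:02 user=rdelgado77 ip=203.0.113.5 result=ok",
    "2024-07-01T10:00:03 user=pnguyen ip=203.0.113.5 result=fail",
    "2024-07-01T10:00:03 user=carol_b ip=203.0.113.5 result=fail",
    "2024-07-01T10:00:04 user=mike.r.88 ip=203.0.113.5 result=fail",
    "2024-07-01T10:00:04 user=sandy1 ip=203.0.113.5 result=fail",
    "2024-07-01T10:00:05 user=dwalker ip=203.0.113.5 result=fail",
    "2024-07-01T10:00:05 user=kpatel99 ip=203.0.113.5 result=fail",
    "2024-07-01T10:00:06 user=alex@example.com ip=198.51.100.7 result=ok",
]
EVENTS = [parse_event(line) for line in SAMPLE_LOG]
WINDOW_STATS = summarize_window(EVENTS, datetime(2024, 7, 1, 10, 0, 0), timedelta(minutes=1))
CAMPAIGN = is_stuffing_campaign(WINDOW_STATS, min_unique=10, max_success_rate=0.2, min_non_email=0.8)

# Constructed feed: pairs seen in earlier stuffing attacks elsewhere.
KNOWN_COMPROMISED = {credential_fingerprint("rdelgado77", "Summer2019!"),
                     credential_fingerprint("kpatel99", "Wh1skers#44")}

if __name__ == "__main__":
    print(WINDOW_STATS, "\nstuffing campaign:", CAMPAIGN)
    print(step_up_decision("rdelgado77", "Summer2019!", True, KNOWN_COMPROMISED, trusted_device=True))
    print(step_up_decision("alex@example.com", "unique-pw", True, KNOWN_COMPROMISED, trusted_device=True))
```

On the constructed sample, the one-minute window shows 12 distinct usernames, 11 of them non-email, and only 2 password hits, so it is flagged as a campaign and both verified usernames are listed for review. The step-up check then shows the point of the preceding sections: `rdelgado77` with its circulating password is forced through 2FA even from a trusted device, while the login whose pair is not in the feed follows the normal risk policy.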

That kind of visibility — knowing a presented credential is not only compromised, but actively being tested against other FIs at this moment — is what transforms reactive fraud response into proactive prevention.

Special Report

The mechanics of how email became the digital economy’s most consequential vulnerability, the case studies that should have changed everything, and what a continuous intelligence approach actually looks like — all documented in “The Lying Gatekeeper,” a special report from myNetWatchman.
