Ransomware, cryptojacking and banking malware aside, hackers are using compromised accounts to play the fast-growing fashion resale market.

According to a new report by cloud service provider Akamai, retailers came under attack from cybercriminals more than any other industry between May 2018 and January 2019.

Retail websites were subjects to more than 10 billion credential stuffing attacks in that period. Only the video media industry came close to matching it with 8.1bn detected attempts. Financial service providers were subject to 1.1bn credential stuffing attempts.


Of those 10bn attempts, the apparel vertical accounted for close to 4bn of them. This makes apparel the most targeted area, far ahead of department stores, office supplies and commerce portals, all of which detected 1.2bn credential stuffing attempts in the same period.

Why are hackers so interested in clothes?

Nike, the world’s leading apparel brand according to Forbes, reported revenues of $34.5bn in 2018. Adidas, which trails Nike, recorded net sales of €21.2bn in 2017. According to the Akamai report, the top 10 apparel brands are worth $111.3bn combined.

However, cybercriminals aren’t interested in eating away at the profits of the world’s biggest brands. According to Akamai, hackers are instead targeting the $1bn apparel resale market.

With apparel brands increasingly using limited edition, low-quantity items to generate hype and justify higher prices, fashion can prove to be a lucrative investment for those that manage to get their hands on these items.

According to a report published by online reseller ThredUp, the second hand clothing market is expected to climb to $41 by 2022, fuelled by these luxury items.

“The techniques change, but the motivation remains the same: greed,” said Martin McKeay, Security Researcher at Akamai. “Retailers remain on the front lines, because stolen merchandise sells quickly and at a premium. And for that reason, the data shows which merchandise is of the highest value: Apparel sites are targeted the most.”

How are cybercriminals targeting the fashion resale market?

Over the years, poor cybersecurity practices have resulted in a number of large-scale data breaches involving companies and services like LinkedIn, Yahoo! and MySpace. This has resulted in a large number of credential combinations being compiled and shared among hackers and cybercriminals online. Recently, a dump of 773 email and password combinations was discovered.

According to Akamai, cybercriminals are using these data collections to perform credential stuffing on retail websites. This involves trying a large number of email and password combinations in the hopes of gaining access to an account. Even if the data wasn’t stolen from the website in question, many people continue to use the same password on numerous services, leaving these accounts vulnerable to take over.

This credential stuffing is typically performed by bots. In this case, All-In-One bots (AIOs) are used which are capable of performing a range of tasks.

If an account is breached, the bot is then set to take over the account to utilise for a range of purposes.

Existing, regular customers are often given priority over new customers on the purchase of limited edition items. With the ability to buy up large amounts of these products, knowing that the price will increase by hundreds, if not thousands of dollars on the fashion resale market, this can prove a lucrative opportunity for hackers.

Given that no money is being stolen, this practice often goes unnoticed. To the retailer, it simply appears that their products are in high demand.

So should retailers care?

With no financial loss, given these cybercriminals are making their money on the fashion resale market, it would be easy for retailers to ignore this issue. However, failing to deal with AIOs denies the brand valuable opportunities to engage with its customers. With customers unable to get the products that they want, they may turn to other apparel retailers for their fashion purchases.

Likewise, while the retailer may not have been responsible for the initial data breach, hackers will often use credential stuffing to gain further information on the account owner. While a data breach may only result in the leak of a password and email combination, gaining access to a retail account could potentially hand hackers compromising information such as bank account details, addresses and contact details.

According to research from digital security company Gemalto, 70% of consumers would stop doing business with a brand in the wake of a data breach, which shows just how important it is for businesses to protect their customers.