TL;DR: Ecommerce sites faced a mix of credential stuffing, SQL injection, local file inclusion, and DDoS pressure in 2020, with Akamai reporting 62,000 billion credential-stuffing attempts across retail, travel, and hospitality and more than 90% aimed at retail. The lesson is that identity controls, input validation, and resilient edge protections must be treated as one governance problem, not separate checkboxes.
NHIMG editorial — based on content published by GlobalSign: a review of major ecommerce security threats and how to protect sites in 2021
By the numbers:
- 90% of those attacks were aimed at the, med at the retail sector, according to Akamai.
- SQL injection accounted for 79% of the attack vectors Akamai observed against commerce, travel, and hospitality, while local file inclusion accounted for 14%.
Questions worth separating out
Q: How should ecommerce teams reduce credential stuffing without blocking legitimate customers?
A: Use layered controls that stop automation before a login succeeds.
Q: Why do reused credentials create such a large account takeover risk in retail?
A: Reused credentials turn one breach into many entry points.
Q: What breaks when SQL injection and local file inclusion are not controlled?
A: Application input becomes attacker-controlled logic.
Practitioner guidance
- Enforce bot-resistant login controls Add rate limiting, device and behaviour checks, and MFA at the account layer so credential replay is blocked before successful authentication.
- Replace vulnerable query patterns Audit database access for non-parameterised queries, unsafe string concatenation, and file-path handling that can enable SQLi or local file inclusion.
- Treat DDoS as an access signal Confirm that CDN, load-balancer, and WAF rules remain effective during volumetric attack conditions, and preserve logging so secondary exploitation attempts are still visible.
What's in the full article
GlobalSign's full post covers the operational detail this post intentionally leaves for the source:
- Practical hardening steps for ecommerce authentication flows, including stronger login assurance and admin access protection.
- Secure coding guidance for preventing SQL injection and file-inclusion paths in web applications.
- Architecture options for DDoS resilience using load balancers, CDNs, and WAFs under active attack.
- A side-by-side review of common security controls provided by different hosting setups.
👉 Read GlobalSign’s analysis of ecommerce credential stuffing, SQLi, and DDoS risk →
Credential stuffing and SQLi in ecommerce: are your controls keeping up?
Explore further
Credential reuse is still the cheapest path into digital commerce. The article’s credential-stuffing data shows that attackers do not need novel exploits when users and administrators reuse passwords across services. That makes account governance a fraud-control issue as much as an authentication issue, especially where customer accounts, support tooling, and admin consoles share the same trust boundary. Practitioners should treat reuse resistance, MFA, and bot detection as a single control plane.
A question worth separating out:
Q: Who is accountable when ecommerce availability attacks are used to hide deeper compromise?
A: Accountability should sit with the teams that own application resilience, identity controls, and incident response together, not in separate silos. When DDoS is used as cover for account takeover or injection attempts, security leadership must ensure logging, filtering, and triage still work under load. The relevant control ownership should be explicit in resilience planning.
👉 Read our full editorial: Ecommerce account takeover and injection risks are still the main threat