by dogma1138 2892 days ago
A large retailer in the UK that I did PCI work for 3 years ago had similar figures in the mid 80%; that accounts for all attempts, not successful ones.

Another anecdote is that even non-compromised accounts that were not regularly used had on average 4 failed attempts before a successful login, with password recovery used in more than 50% of these cases, to the point where the majority of all login attempts were failed attempts.

The “compromised” accounts were identified by using information from fraud detection services and accounts that did not complete a password recovery after multiple failed attempts, as well as a few other indicators.

While I understand your skepticism you need to understand just how common this issue is.

When hackers/fraudsters get any set of credentials from a leak or phishing, they try it on hundreds if not thousands of sites; multiply that by the number of fraudsters and hacking groups that sell login details in bulk, and it’s essentially the spam of the internet world.
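As an added illustration (not code from the comment above, nor from the retailer it describes), here is a small Python heuristic that applies the indicator the comment mentions to an authentication log: an account that racks up multiple failed logins and never completes a password recovery is flagged as a likely credential-stuffing target, while failures followed by a completed recovery are treated as a forgetful legitimate user. It also reports the share of all login attempts that failed, the figure the comment quotes. The log format, event names, sample data and the threshold of 3 failures are all assumptions.

```python
"""Heuristic flagging of suspect accounts from an auth event log.

Added example; the event format and the threshold are assumptions, not the
retailer's real detection rules. Indicator applied (from the comment):
several failed logins with no completed password recovery is suspect,
failures followed by a completed recovery looks like a forgetful user.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: (timestamp, account, event). Not real data.
SAMPLE_LOG = [
    ("2020-01-01T10:00:00", "alice", "login_fail"),
    ("2020-01-01T10:00:05", "alice", "login_fail"),
    ("2020-01-01T10:00:09", "alice", "login_fail"),
    ("2020-01-01T10:00:20", "alice", "recovery_complete"),  # forgot password
    ("2020-01-01T10:02:00", "alice", "login_ok"),
    ("2020-01-01T11:00:00", "bob", "login_fail"),
    ("2020-01-01T11:00:01", "bob", "login_fail"),
    ("2020-01-01T11:00:02", "bob", "login_fail"),
    ("2020-01-01T11:00:03", "bob", "login_fail"),
    ("2020-01-01T11:00:04", "bob", "login_ok"),             # guessed in, no recovery
    ("2020-01-01T12:00:00", "carol", "login_ok"),
    ("2020-01-01T12:30:00", "dave", "login_fail"),
    ("2020-01-01T12:30:10", "dave", "login_ok"),            # one typo, then fine
    ("2020-01-01T13:00:00", "eve", "login_fail"),
    ("2020-01-01T13:00:01", "eve", "login_fail"),
    ("2020-01-01T13:00:02", "eve", "login_fail"),           # never got in, never recovered
]

FAIL_THRESHOLD = 3  # assumed: this many failures counts as "multiple"


@dataclass
class Verdict:
    account: str
    failures: int            # failed logins in this run
    recovery_completed: bool  # did a password recovery complete during the run
    succeeded: bool          # did the run end in a successful login
    suspect: bool            # multiple failures and no completed recovery


def analyse(events, fail_threshold=FAIL_THRESHOLD):
    """Walk each account's events in time order and classify every run.

    A run is a sequence of failures/recoveries ending in a successful login,
    or a trailing sequence with no success at all.
    """
    by_account = defaultdict(list)
    for _ts, acct, ev in sorted(events):
        by_account[acct].append(ev)

    verdicts = []
    for acct, evs in by_account.items():
        fails, recovered = 0, False
        for ev in evs:
            if ev == "login_fail":
                fails += 1
            elif ev == "recovery_complete":
                recovered = True
            elif ev == "login_ok":
                verdicts.append(Verdict(acct, fails, recovered, True,
                                        fails >= fail_threshold and not recovered))
                fails, recovered = 0, False
        if fails:  # failures that never led to a login: also a run worth judging
            verdicts.append(Verdict(acct, fails, recovered, False,
                                    fails >= fail_threshold and not recovered))
    return verdicts


def suspect_accounts(events, fail_threshold=FAIL_THRESHOLD):
    """Sorted list of accounts with at least one suspect run."""
    return sorted({v.account for v in analyse(events, fail_threshold) if v.suspect})


def failure_share(events):
    """Fraction of login attempts (fail + ok) that failed."""
    attempts = [e for _, _, e in events if e in ("login_fail", "login_ok")]
    if not attempts:
        return 0.0
    return sum(1 for e in attempts if e == "login_fail") / len(attempts)


if __name__ == "__main__":
    for v in analyse(SAMPLE_LOG):
        print(v)
    print("suspect:", suspect_accounts(SAMPLE_LOG))
    print("failed share of attempts: %.2f" % failure_share(SAMPLE_LOG))
```

On the constructed log, bob (four failures, then success, no recovery) and eve (three failures, nothing else) are flagged, while alice is cleared by her completed recovery and dave's single failure is below threshold. In a real deployment the per-account view would be joined with source IP and fraud-service signals, as the comment notes, since a single account seen from many addresses or many accounts from one address is the other half of the stuffing signature.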