Shape is In the News

Shape has continued to make headlines since emerging from stealth
due to the company’s innovative service and industry expertise.

Recent Headlines


The Morning Download: Global Cyberattacks Put Pressure on CISOs, CIOs

May 15, 2017 / Steve Rosenbush, Wall Street Journal

"...organizations should not act out the old adage that the CISO’s primary job is to get fired when something goes wrong, in this case."

Apple ransom highlights danger of credential stuffing

April 7, 2017 / Seth Rosenblatt, Bloomberg

"Credential-stuffing attacks are not rare. They account for more than 90 percent of the Internet traffic to log-in pages at major services, Shape Security’s Ghosemajumder says."

These Are the 50 Most Promising Startups You’ve Never Heard Of

March 6, 2017 / Ellen Huet, Bloomberg

"Quid looked at more than 50,000 companies and chose 50 it deemed the most promising."

Cloudflare Bug Spills Private Data Online

February 27, 2017 / Phil Muncaster, Infosecurity

"This incident has many people suggesting that everyone in the world should change all of their passwords immediately"

AI isn't just for the good guys anymore

February 1, 2017 / Maria Korolov, CSO Online

"Criminals are already using image recognition technology, in combination with "Captcha farms," to by-pass this security measure"

3+ billion credential breaches in 2016 – 2% success rate

January 24, 2017 / Ray Shaw, ITWire

"In 2011, while serving as deputy assistant secretary of defence at the Pentagon, Shape Security co-founder Sumit Agarwal observed a rising trend in the volume and complexity of automated attacks on Web and mobile applications."

Credential-Stuffing Schemes Rely on Recycled Login Information

January 19, 2017 / Larry Loeb, Security Intelligence

"On most websites, users enter their email addresses in lieu of user IDs, so cybercriminals often need only to crack a victim’s password once to gain entry to several of his or her accounts."

Credential-Stuffing Attacks Take Enterprise Systems By Storm

January 17, 2017 / Ericka Chickowski, Dark Reading

"A study out today from Shape Security shows that it's common for credential-stuffing login attempts to account for more than 90% of all login activity on Internet-facing systems at Fortune 100 firms."

Credential Stuffing: a Successful and Growing Attack Methodology

January 17, 2017 / Kevin Townsend, Security Week

"Now consider credential stuffing. The term was coined by Shape Security co-founder Sumit Agarwal when he was serving as Deputy Assistant Secretary of Defense at the Pentagon."

Credential-stuffers enjoy up to 2% attack success rate - report

January 17, 2017 / John Leyden, The Register

"Hackers achieve a success rate of 0.1 to 2 per cent when reusing stolen credentials to access other sites, according to a new study by Shape Security."

Hacker Grabs Data on 1.5 Million ESEA Gamers, Demands 100K Ransom

January 10, 2017 / Kevin Townsend, Security Week

"According to figures from Shape Security, at least 11 gaming organizations suffered credential leaks last year."

Though information security isn't always convenient, ignoring it is worse

December 19, 2016 / Roger Yu, ThirdCertainty

"A botnet is very efficient at testing a stolen logon at dozens of different accounts to access as many as possible."

You Could Have a Yahoo Account and Not Know It

December 19, 2016 / Alyssa Newcomb, NBC News

"The real issue now is that these passwords will be used to breach thousands of other websites unrelated to Yahoo, as cybercriminals use advanced automated tools to discover where users have used those same passwords on other sites," Shuman Ghosemajumder, chief technology officer of Shape Security, told NBC News.

IT Professionals Hold Little Back in Reaction to Yahoo Breach

December 16, 2016 / Chris Preimesberger, eWEEK

"The real issue now is that these passwords will be used to breach thousands of other websites unrelated to Yahoo, as cybercriminals use advanced automated tools (like Sentry MBA) to discover where users have used those same passwords on other sites, through credential stuffing attacks, the most common attacks on web applications and APIs today."

Why hundreds of websites went down on Friday and why outages will keep happening

December 16, 2016 / Laura Hautala, CNET

"There's no sign in a computer saying, 'Haha, we're the Russians -- we did it!'"

Got a hacked Yahoo account? Here's what you should do

December 15, 2016 / CNN, Hartford Business

"People who create a really strong password for one site but then use it across others are vulnerable to attacks"

Yahoo sets hack record at 1 billion accounts

December 15, 2016 / Debapriya Dutta, HNGN

"When entities have mediocre security hygiene, they inevitably end up having lost the keys to a much larger kingdom than we originally thought,"

1 Billion Users Exposed In Another Record Breach From Yahoo

December 15, 2016 / Jai Vijayan, Dark Reading

“Unless you have a secondary email account registered with that account, which most Yahoo users likely do not, there is no good mechanism to force a password reset without effectively locking many users out of their accounts permanently,”

One billion users affected in newly revealed Yahoo hack

December 15, 2016 / Zeljka Zorz, HelpNet Security

"this most recent credential spill at one of the world’s largest email providers further exacerbates the risk of millions of accounts being taken over at thousands of other major websites."

Got a hacked Yahoo account? Here's what you should do

December 15, 2016 / Sherisse Pham, CNN Tech

"Hackers obtained more than just names and passwords in the Yahoo breach -- they also nabbed answers to security questions. Cybercriminals can use that info to conduct automated attacks called 'credential stuffing.'"

Yahoo confirms more than one billion accounts compromised in massive data breach

December 14, 2016 / James Rogers, Fox News

"This breach makes the job of cybercriminals that much easier"

How to Keep Cyberattack Encounters from Becoming Infections

November 3, 2016 / Staff, Cascade Business

"By understanding user behavior, many companies are learning to spot and deflect sophisticated automated attacks (including credential stuffing, content scraping or application DDoS) before companies are struck by fraud."

Why hundreds of websites went down on Friday and why outages will keep happening

October 24, 2016 / Shuman Ghosemajumder, ReCode

"Dyn’s service disruption was yet another demonstration of how attacks on various critical points on the Internet can impact millions of users, and how vulnerable those points may currently be."

Major DDoS Attack Disables Websites Across the U.S.

October 24, 2016 / Jeff Goldman, eSecurity Planet

"The outage on Dyn customers is yet another demonstration of how attacks on various critical points on the Internet can affect large numbers of users..."

Connected devices create millions of cyber security weak spots

October 23, 2016 / Hannah Kuchler, Financial Times

"Internet of Things’ excitement marred by vulnerability to hacking attacks"

FT explainer: what just hit the internet?

October 21, 2016 / Hannah Kuchler, Financial Times

"Attack on company with fewer than 500 employees causes massive disruption"

Double whammy: Twin cyber attacks disrupt Twitter, Netflix, Spotify service

October 21, 2016 / Robert Verger, Fox News

"while DDoS attacks aren't a new phenomenon, some attacks have had 'unprecedented volume recently.'"

How is WikiLeaks publishing files even after Assange's Internet was cut?

October 18, 2016 / Robert Verger, Fox News

"If there are other people in the WikiLeaks organization with access to the same documents and a protocol to operate if they cannot communicate with him, there's no need for a ‘digital’ dead man's switch"

The Yahoo hack - a numbers game

October 18, 2016 / Bob Tarzey, InfoSecurity Magazine

"Testing passwords against email addresses has been termed ‘credential cracking’ in a new handbook from OWASP (the Open Web Application Security Project)"

Password breach could have ripple effects well beyond Yahoo

October 1, 2016 / Associated Press, SF Gate

"Data breaches on the scale of Yahoo are the security equivalent of ecological disasters"

Security Chiefs and Hackers Race to Benefit from AI Prize

October 5, 2016 / Hannah Kuchler, Financial Times

"We’re looking at hundreds of different signals to analyse the ways that real human activity should look in every single transaction."

How To Outsmart Hackers

October 3, 2016 / Sumit Agarwal,

"If you’re one of the 500 million people whose Yahoo! accounts were breached, you are now being actively targeted."

EDBI participates in series D round of cybersecurity startup Shape Security

September 30, 2016 / Kajal Joshi, The Tech Portal

"Automated threats are responsible for millions in fraud losses per day"

Shape Security Announces Partnership With Hewlett-Packard Pathfinder

September 29, 2016 / Arthur Zaczkiewicz, Women's Wear Daily

"Shape Security Announces Partnership With Hewlett-Packard Pathfinder. The security provider will accelerate its growth due to its latest round of investments."

As Online Sales Grow, So Does Cyberfraud

September 29, 2016 / Dave Moran, PYMNTS

"One of the unintended consequences in the rise of eCommerce is a related rise in cyberfraud attacks on online shoppers."

Shape Security raises $40 million, lands HPE as partner, investor

September 29, 2016 / Larry Dignan, ZDNet

"Shape Security raises $40 million, lands HPE as partner, investor."

Shape Security gears up for Asia-Pacific push with $40M funding

September 29, 2016 / Gina Hall, Silicon Valley Business Journal

"Cybersecurity startup Shape Security raised $40 million in funding on Thursday to expand sales in the U.S. and internationally."

Shape Security raises $40M to fight cyber attacks with machine learning

September 29, 2016 / Eric David, SiliconANGLE

"Today’s top three cybersecurity threats are not manual attacks like in the olden days of hackers, but rather automated attacks that are difficult to stop."

Shape Security Raises $40M to Expand Its Global Reach

September 29, 2016 / Sean Michael Kerner, eWEEK

"Shape Security is now protecting 20 percent of the world's in-store mobile payments."

Cybersecurity startup Shape Security closes $40 million round from HPE, GV, Eric Schmidt, others

September 29, 2016 / Paul Sawers, VentureBeat

"The growing concern over online security is leading to a growing investment in cybersecurity platforms."

Yahoo Breach Raises Questions About Password Resets

September 28, 2016 / Angus Loten, WSJ

"Yahoo likely faced a dilemma in efforts to reset user passwords following the breach."

Senators call Yahoo's delay in revealing breach of 500m accounts 'unacceptable'

September 27, 2016 / Reuters and Associated Press, theguardian

"Six lawmakers question why it took Yahoo two years to discover breach as experts warn of the implications of the record-breaking haul of password data."

Yahoo Breach May Have Led to ‘Credential Stuffing’

September 27, 2016 / Richard Horgan, Adweek

"A password can be changed, after all, but how do you change your mother's maiden name"

Internet security crisis as experts warn Yahoo password breach could have 'ripple effects' for millions

September 27, 2016 / AP, Daily Mail

"As investors and investigators weigh the damage of Yahoo's massive breach to the internet icon, information security experts worry that the record-breaking haul of password data could be used to open locks up and down the web."

Yahoo Data Breach Could Have Effects That Extend Beyond Email, Experts Warn

September 27, 2016 / Brian Ang, TechTimes

"Hacked passwords that are transacted in darknet domains usually end up in password databases. This is where the big problem arises."

Password breach could have ripple effects well beyond Yahoo

September 27, 2016 / Raphael Satter, AP

"A big worry is a cybercriminal technique known as "credential stuffing," which works by throwing leaked username and password combinations at a series of websites in an effort to break in"

Security Industry Reactions to the Yahoo! Breach

September 27, 2016 / Cyberwire

"Credential spills are one of the most widespread, yet misunderstood, security breaches."

500 Million Yahoo Accounts Have Been Hacked

September 24, 2016 / Zohair, Security Gladiators

"A cybercriminal using 500 million passwords to attempt to take over accounts on another website would be able to take over tens of thousands of accounts on most other websites."

Is the Yahoo Hack a Threat to the Verizon Deal?

September 23, 2016 / Emily Chang, Bloomberg West

"Top five biggest hack of all time."

Yahoo confirms 500 million accounts compromised in huge data breach

September 22, 2016 / James Rogers, Fox News

"The real issue now is that these passwords will be used to breach thousands of other websites unrelated to Yahoo."

Yahoo hit in worst hack ever, 500 million accounts swiped

September 22, 2016 / Alfred Ng, CNET

"We typically see a 0.1% to 2% login success rate from credential stuffing attacks, meaning that a cybercriminal using 500 million passwords to attempt to take over accounts on another website would be able to take over tens of thousands of accounts on most websites"

Yahoo Breach of 500M Accounts Among the Biggest of All-Time

September 23, 2016 / Alyssa Newcomb, NBC News

"This cycle [of credential spills] is typical, but the scale is pretty astounding"

500 Million Yahoo Accounts Have Been Hacked

September 22, 2016 / Blake Montgomery, Buzzfeed

"cybercriminals use advanced automated tools to discover where users have used those same passwords on other sites."

The Morning Download: Massive Yahoo Breach Endangers Thousands of Other Websites

September 23, 2016 / Steve Rosenbush, Wall Street Journal

"The real issue is what will happen next with these passwords."

Russian hackers accused of targeting 85 top companies, Apple Pay included

September 23, 2016 / Sead Fadilpasic, ITProPortal

"In the case of credential stuffing, the most commonly used standalone management tool we have observed enabling attacks is called Sentry MBA"

Russian hackers targeting 85 top companies including Amazon, Apple Pay and Steam

September 23, 2016 / India Ashok, International Business Times

"The hackers are believed to have been stealing user credentials from around 85 companies, including Amazon, American Airlines, Apple Pay, AT&T, Best Buy, DropBox, Dunkin' Donuts, Ebay, GoDaddy, McDonald's, Office Depot, PayPal, Pizza Hut, Steam, Uber and Wells Fargo."

The InfoQ Podcast: Shuman Ghosemajumder on Security and Cybercrime

August 1, 2016 / Barry Burd, InfoQ

"Cybercriminals are getting creative, and coming up with ways to interact with websites we haven't thought of before."

How to Get Identity Authentication Right

April 13, 2016 / eSecurity Planet

"If you lack the resources to integrate your own security solution from the various point products on the market, Care recommended using a "one stop shop" solution that uses Layer 1 (endpoint) and Layer 3 (user data)."

Sentry MBA makes credential stuffing attacks easy and cheap

March 17, 2016 / CSO

"A new report released by Shape Security yesterday details how the Sentry MBA tool makes credential stuffing attacks more widely available to cybercriminals."

Sentry MBA Uses Credential Stuffing to Hack Sites

March 9, 2016 / eWeek

"Shape Security warns of the growing threat of the hacking tool, which is able to bypass many modern IT defenses."

Beware of automated credential-stuffing attacks, says vendor

March 9, 2016 / IT World Canada

"Shape Security, a California-based Web security firm, warned that the tool is an example of how cybercrime is increasingly compartmentalized and commoditized."

You know how we're all supposed to automate now? Dark web devs were listening

March 2, 2016 / The Register

"RSA 2016 Security researchers have thrown the spotlight on a popular cybercrime tool that’s used by crooks to automate the process of taking over accounts on major websites before making fraudulent purchases."

Obama's $19B cybersecurity plan takes aim at cybercrime, underscores skills gap

February 12, 2016 / TechTarget

"It demonstrates the urgent need for nationwide support and coordination at the highest levels on cybersecurity issues"

Cybersecurity Startup Shape Security Grabs $25 Million for China Expansion

January 13, 2016 / The Wall Street Journal

"Baseline Ventures led the investment in the company that targets attacks led by bots."

Shape Security Raises $25 Million to Expand "Botwall" Technology

January 13, 2016 / SecurityWeek

"Shape's "Botwall" technology helps protect websites and mobile apps against automated attacks conducted by threat actors that use automation."

Shape Security Brings Its Bot-Blinding Technology to Mobile Apps

January 13, 2016 / Re/code

"The same tricks that make attack bots blind on the Web are now blinding them when they attack mobile APIs."

Shape Security raises $25 million in funding, eyes China expansion

January 13, 2016 / ZDNet

"Shape counts airlines, financial services companies, retailers and government entities as customers."

Fraud focus: Shape Security raises $25 million

January 13, 2016 / Internet RETAILER

"Shape's software aims to inform retailers about whether attackers targeting them have targeted them in the past and to detect and prevent future attacks."

Over 6 Million Kids Profiles Accessed in VTech Hack

December 2, 2015 / SecurityWeek

"VTech apparently had almost nothing in the way of security on their web application…"

The Grinch Who Exposed Your Kids' Identities

December 1, 2015 / InformationWeek DarkReading

"This attacker hasn't shared the data, but there's no way of knowing whether other attackers may have already obtained the same data…"

How Bots Hijack Holiday Shopping

November 30, 2015 / CNBC

"Cyber Grinches scalp Santa with an automated arsenal of software programs that snap up new toy releases faster than any parent's frantic fingers can click 'buy.'"

VTech Breach Exposes 5 Million Kids and Their Parents to Risk

November 30, 2015 / eWeek

"Watch for telltale signs that a company isn't taking security seriously, such as not using Secure Sockets Layer/Transport Layer Security (SSL/TLS) while logging in or submitting sensitive information…"

VIDEO: 'No good way' to allow government encryption access

November 17, 2015 / CNBC / 2:33 Minutes

Shuman Ghosemajumder talks with Jon Fortt on the hot topic of encryption on CNBC’s Squawk Alley.

What Lurks in the Shadows: Advanced Cyber Attacks that Hide in SSL Traffic

November 17, 2015 / infoTECH

"…in an interesting twist, consultants at Shape Security discovered that at least one Icoscript strain receives C&C updates from Gmail draft messages."

Paying Ransoms to Hackers Stirs Debate (paywall)

November 9, 2015 / The Wall Street Journal

Shuman Ghosemajumder offers his perspectives on the practice of paying up when confronted with ransomware attacks.

What Is Polymorphic Malware and Why Should I Care?

October 16, 2015 / Security Intelligence

"Shape Security offered an illustration of how its Botwall service alters the underlying HTML code of a Web page so that it is constantly changing…"

Cybersecurity strategy needs to be more dynamic, experts say

October 15, 2015 / SearchSecurity

Shape’s Sumit Agarwal offers his perspectives on the role of integrated access management in recent breaches.

The Secret to an Ideal Work Culture

October 2, 2015 / Time Magazine

"By succinctly defining broad but actionable rules of the playground, Shape enables its employees to experiment freely without constantly checking in with supervisors."

Hackers Are Using Gmail Drafts to Update Their Malware and Steal Data

October 29, 2014 / Wired Magazine

"Researchers at the security startup Shape Security say they’ve found a strain of malware on a client’s network…"

2014 CNBC Disruptor 50

June 17, 2014 / CNBC

"Companies that require top-notch site security, such as e-commerce vendors and health-care providers, are just two of the industries the company is looking to convert."

Can Shape Security revolutionize Web defense?

January 21, 2014 / USA Today

"Shape Security. Remember that name."

What Is Polymorphic Code?

January 21, 2014 / Fast Company

"One of the most ingenious ways to make software more secure…"

Ex-Googlers' Startup Shape Turns Hackers' Code-Morphing Tricks Against Them

February 10, 2014 / Forbes

“You don’t have to be more clever than the hackers. You just have to be more clever than their other targets.”
