Cisco says in just one week in February they detected 1,127,818 different IP addresses being used to launch 744,361,093 login attempts on 220,758,340 different email addresses — and that 93% of those attacks were directed at two financial institutions in a massive Account Takeover (ATO) campaign.
Crooks used 993,547 distinct IPs to check login credentials for 427,444,261 accounts. For most of these attacks, the crooks used proxy servers, but also two botnets, one of compromised Arris cable modems, and one of ZyXel routers/modems. Most of these credentials have been acquired from public breaches or underground hacking forums.
For more information, read the full article here.