Daily Digit is the story behind the numbers that make our world work. Today we’re looking at the seedy underbelly of online shopping. Recent reporting reveals that nearly all — 91 percent — of login attempts made at online retailers are fraudulent. The practice is called credential stuffing, and it goes something like this: A company or website will suffer a data breach that reveals users’ email addresses and passwords; criminals will purchase that information on the dark web; and then hackers will plug those credentials into various online retailers’ sites to see whether any data there matches the leaked data. Luckily, it only works about 3 percent of the time. However, the average time for a data breach to be made public is about 15 months, so by the time you find out your password has been stolen, it’s probably already too late.