NY AG: Credential Stuffing Impacts 1.1 Million Users at 17 Companies
New York Attorney General Letitia James this week announced the results of an investigation into credential stuffing, which resulted in the discovery of 1.1 million compromised accounts associated with 17 companies.
Credential stuffing – a type of cyberattack where adversaries repeatedly attempt to access a user’s account using usernames and passwords stolen from other online services – has become one of the most prevalent attack vectors on the Internet, Attorney General James says.
With almost all applications and websites employing passwords as a means of authentication, credential stuffing allows cybercriminals to compromise multiple accounts belonging to the same individual if that person uses the same credentials for each of them.
According to a “Business Guide for Credential Stuffing Attacks” that the New York Attorney General has just released, there are over 15 billion credentials currently circulating on the web. Adversaries are abusing these to launch hundreds of billions of credential stuffing attacks each year.
Following months of monitoring online communities dedicated to credential stuffing, a list of 1.1 million impacted customer accounts at 17 well-known companies was compiled, including accounts at food delivery services, online retailers, and restaurant chains.
The Office of the Attorney General (OAG) has alerted the relevant companies so they would prompt password resets and notify their customers.
In addition to sharing details on the investigation, the newly released guide provides a series of recommendations on how companies can improve the security of their user accounts and prevent credential stuffing attacks.
Safeguards include the use of multi-factor authentication, bot detection software (such as CAPTCHA systems), implementing passwordless authentication where possible, using firewalls, and preventing users from securing accounts with passwords that were compromised in previous attacks.
The guide also recommends that organizations implement systems to detect credential stuffing attacks, through monitoring user activity, monitoring reports of fraud, notifying users of suspicious account activity, and monitoring the Internet for signs of compromised user accounts.
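As an added illustration of the "monitoring user activity" recommendation (this example is not taken from the guide or from the article), the sketch below flags a source address that tries many distinct accounts with a high failure rate inside a short window, and lists the accounts it did get into so they can be reset and their owners notified. The log format, thresholds and function names are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data); the line format is an assumption.
SAMPLE_LOG = """\
2022-01-05T10:00:01 ip=203.0.113.7 user=alice result=fail
2022-01-05T10:00:11 ip=203.0.113.7 user=bob result=fail
2022-01-05T10:00:21 ip=203.0.113.7 user=carol result=fail
2022-01-05T10:00:31 ip=203.0.113.7 user=dave result=ok
2022-01-05T10:00:41 ip=203.0.113.7 user=erin result=fail
2022-01-05T10:01:00 ip=192.0.2.50 user=heidi result=ok
2022-01-05T10:01:05 ip=192.0.2.50 user=ivan result=ok
2022-01-05T10:01:09 ip=192.0.2.50 user=judy result=ok
2022-01-05T10:01:30 ip=192.0.2.50 user=mallory result=ok
2022-01-05T10:02:00 ip=198.51.100.20 user=grace result=fail
2022-01-05T10:02:15 ip=198.51.100.20 user=grace result=ok
"""

LINE_RE = re.compile(r"(\S+) ip=(\S+) user=(\S+) result=(ok|fail)")

def parse(log):
    events = []
    for line in log.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if m:  # malformed lines are skipped rather than guessed at
            events.append((datetime.fromisoformat(m[1]), m[2], m[3], m[4] == "ok"))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_users=4, min_fail_ratio=0.75):
    """Map each flagged source IP to the accounts it logged in to successfully."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(not e[3] for e in win)
            # Many distinct accounts AND mostly failures: a shared office NAT
            # (many users, all succeeding) or one user mistyping is not flagged.
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = sorted({e[2] for e in evs if e[3]})
                break
    return flagged

print(detect_stuffing(parse(SAMPLE_LOG)))
```

Per-source counting alone misses attempts spread across many addresses, so a check like this complements the other safeguards listed above rather than replacing them.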
“Businesses have the responsibility to take appropriate action to protect their customers’ online accounts and this guide lays out critical safeguards companies can use in the fight against credential stuffing. We must do everything we can to protect consumers’ personal information and their privacy,” said Attorney General James.
In June 2021, global law enforcement agencies took down stolen login credentials marketplace Slilpp, which had been selling credentials for more than 1,400 account providers.