NY AG Releases ‘Credential Stuffing’ Cyberattack Report, Reveals Theft of 1.1M Consumer Accounts


After an extensive investigation, New York Attorney General Letitia James has warned 17 “well-known” companies that more than 1.1 million of their customers’ online accounts have been compromised, and has advised them on how to better protect themselves against a practice known as credential stuffing.

Wednesday’s press release explains that such hacks involve repeated, automated attempts to access online accounts using stolen usernames and passwords. Credential stuffing is particularly problematic because users tend to reuse passwords across online services, allowing cybercriminals to use a stolen password for multiple accounts.

The attorney general’s office conducted a months-long investigation in response to the growing practice, the result of which is this week’s report identifying businesses and consumers impacted by credential stuffing. The law enforcement office says it found thousands of posts containing already-tested customer login information for websites and apps. Thereafter, the attorney general notified the companies and instructed them to direct impacted customers to reset their passwords.

The report also made several recommendations for tamping down credential-stuffing attacks, including that companies employ bot detection services, multi-factor authentication, and password-less authentication. It cautioned that because no measure is entirely effective, businesses must also be able to detect attacks, for example by monitoring customer traffic for spikes in volume or in failed login attempts. Another simple measure, the report specified, is requiring customers to re-enter credit card numbers or security codes at the time of purchase.
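The detection advice above is the part a defender can act on directly. The following Python script is an added illustration, not code from the attorney general's report or from any of the notified companies: it runs two of the report's suggested checks over a small constructed authentication log. The first flags a source IP whose failed logins within a sliding window hit both a failure count and a distinct-username threshold (many different accounts from one source is the signature of stuffing, as opposed to one user mistyping a password), and then lists the accounts that nonetheless logged in successfully from that source, which are the ones to direct to a password reset. The second is the site-wide "spike in failed login attempts" check against an assumed baseline. The log format, IP addresses, usernames, thresholds and baseline are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not data from the report):
# "<ISO timestamp> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2022-01-05T10:00:01 203.0.113.7 alice FAIL
2022-01-05T10:00:02 203.0.113.7 bob FAIL
2022-01-05T10:00:02 203.0.113.7 carol FAIL
2022-01-05T10:00:03 203.0.113.7 dave FAIL
2022-01-05T10:00:03 203.0.113.7 erin FAIL
2022-01-05T10:00:04 203.0.113.7 frank OK
2022-01-05T10:00:05 203.0.113.7 grace FAIL
2022-01-05T10:00:10 198.51.100.4 alice FAIL
2022-01-05T10:00:15 198.51.100.4 alice FAIL
2022-01-05T10:00:20 198.51.100.4 alice OK
2022-01-05T10:05:00 192.0.2.9 heidi OK
"""


def parse_log(text):
    """Parse the constructed log format into sorted (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return sorted(events)


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_failures=5, min_distinct_users=5):
    """Flag source IPs whose failed logins inside a sliding `window` reach both
    thresholds (assumed values). Counting *distinct* usernames separates stuffing
    (one source, many accounts) from a single user retrying one password."""
    failures = defaultdict(list)
    for ts, ip, user, outcome in events:
        if outcome == "FAIL":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, fails in failures.items():
        best = None
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until the span fits in `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            span = fails[start:end + 1]
            users = {u for _, u in span}
            if len(span) >= min_failures and len(users) >= min_distinct_users:
                if best is None or len(span) > best["failures"]:
                    best = {"failures": len(span), "distinct_users": len(users)}
        if best:
            flagged[ip] = best
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts that logged in successfully from a flagged source: their reused
    password was evidently in the attacker's list, so they need a reset."""
    return sorted({user for _, ip, user, outcome in events
                   if outcome == "OK" and ip in flagged})


def failure_spikes(events, bucket=timedelta(minutes=1),
                   baseline_per_bucket=2.0, factor=3.0):
    """Site-wide check: bucket start times whose failed-login count exceeds
    `factor` times the expected per-bucket baseline (assumed value)."""
    counts = defaultdict(int)
    for ts, _, _, outcome in events:
        if outcome == "FAIL":
            # truncate the timestamp to the start of its bucket
            bucket_start = datetime.min + ((ts - datetime.min) // bucket) * bucket
            counts[bucket_start] += 1
    return sorted(t for t, n in counts.items() if n > baseline_per_bucket * factor)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    hits = find_stuffing_sources(evts)
    print("flagged sources:", hits)
    print("accounts to reset:", accounts_to_reset(evts, hits))
    print("failure spikes at:", failure_spikes(evts))
```

On the sample data the per-source check flags only 203.0.113.7 (six failures across six usernames in a few seconds) and leaves 198.51.100.4 alone, since two failures against one account followed by a success is ordinary user behaviour; the single successful login from the flagged source, frank, is the account to reset. In production the thresholds and baseline would be tuned from the site's own traffic, and the source key would usually be broadened beyond a single IP (e.g. an ASN or device fingerprint), since stuffing tools spread attempts across proxies.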

“Right now, there are more than 15 billion stolen credentials being circulated across the internet, as users’ personal information stand[s] in jeopardy,” Attorney General James said in a statement. “Businesses have the responsibility to take appropriate action to protect their customers’ online accounts and this guide lays out critical safeguards companies can use in the fight against credential stuffing. We must do everything we can to protect consumers’ personal information and their privacy.”