
NY investigation finds more than 1 million accounts compromised through credential stuffing

The New York State Attorney General announced an investigation had found 1.1 million consumer accounts tied to 17 different companies that were compromised in credential stuffing attacks. (Photo by Leon Neal/Getty Images)

The New York State Attorney General said an investigation by her office uncovered at least 1.1 million online consumer accounts that were compromised through credential stuffing attacks across the products of at least 17 different companies.

According to the state, investigators at the Office of the Attorney General spent several months monitoring online forums on the dark web dedicated to sharing login credentials for compromised accounts, many of which were tested and confirmed as active on other websites and applications.

“After reviewing thousands of posts, the OAG compiled login credentials for customer accounts at 17 well-known companies, which included online retailers, restaurant chains, and food delivery services,” the AG office wrote in a corresponding document. “In all, the OAG collected credentials for more than 1.1 million customer accounts, all of which appeared to have been compromised in credential stuffing attacks.”

As commerce has digitized and consumers have shifted more of their shopping and other business online, the number of accounts the average person holds has risen sharply. The need to log in to so many portals and websites has pushed many users toward practices such as password reuse, which malicious hackers then exploit by taking the password from one compromised account and trying it against the user's other accounts in the hope of finding a match.

Using automation, this type of attack can be carried out at a frightening scale. Cybersecurity researchers see billions of such attempts against businesses and consumers every year, and one company estimated last year that 5% of all traffic on its network could be traced back to credential stuffing.

A release from the AG's office said investigators contacted the affected companies, none of which are named, following the discovery to allow for password resets and customer notification.

The AG's office also developed and released a guide based on the investigation's findings to help businesses protect themselves from similar attacks. Among its recommendations, the document lists mitigations such as multi-factor authentication for customer accounts, bot detection systems (beyond just CAPTCHA), passwordless authentication, web application firewalls (though these may be less effective against more sophisticated credential stuffing attacks), and internal policies to prevent password reuse.
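As an added example (not code from the article or from the OAG guide), the following Python shows the kind of bot-detection signal the guide points to: it scans constructed authentication log lines for sources that try many different usernames with mostly failed logins, the fingerprint of a stuffing run rather than a brute-force attack on a single account. The log format, IP addresses, usernames and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Credential stuffing looks different from brute force in auth logs: one source
# tries many *distinct* usernames, each with a leaked password, so most attempts
# fail and almost no username repeats. A success inside such a run (carol below)
# is a confirmed hit whose owner should be reset and notified.
# Constructed sample: "<ISO timestamp> ip=<addr> user=<name> result=<ok|fail>".
SAMPLE_LOG = """\
2024-01-05T10:00:01 ip=203.0.113.9 user=alice result=fail
2024-01-05T10:00:02 ip=203.0.113.9 user=bob result=fail
2024-01-05T10:00:02 ip=203.0.113.9 user=carol result=ok
2024-01-05T10:00:03 ip=203.0.113.9 user=dave result=fail
2024-01-05T10:00:04 ip=203.0.113.9 user=erin result=fail
2024-01-05T10:00:05 ip=203.0.113.9 user=frank result=fail
2024-01-05T10:00:10 ip=198.51.100.7 user=alice result=fail
2024-01-05T10:00:20 ip=198.51.100.7 user=alice result=fail
2024-01-05T10:00:30 ip=198.51.100.7 user=alice result=ok
2024-01-05T10:05:00 ip=192.0.2.44 user=gina result=ok
"""

def parse_line(line):
    """Parse one sample line into (timestamp, ip, user, success)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["ip"], kv["user"], kv["result"] == "ok"

def detect_stuffing(log_text, window=timedelta(minutes=1), min_users=5, min_fail_ratio=0.7):
    """Return {ip: (distinct_users, attempts, failures)} for every source that,
    within some `window`, tried at least `min_users` distinct usernames and
    failed at least `min_fail_ratio` of those attempts."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, user, ok = parse_line(line)
        events[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # slide a time window over the sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            failures = sum(1 for _, _, ok in win if not ok)
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                flagged[ip] = (len(users), len(win), failures)
    return flagged
```

The brute-force source (three tries against one account) and the ordinary login are left alone; only the source cycling through six usernames is flagged.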

While not included in the guidance, cybersecurity experts also say password managers that automatically generate a unique password for each account, and rotate it at timed intervals, are effective against credential stuffing, though this also creates a single point of failure if the password manager itself is compromised.

“Right now, there are more than 15 billion stolen credentials being circulated across the internet, as users’ personal information stands in jeopardy,” said Attorney General James in a statement. “Businesses have the responsibility to take appropriate action to protect their customers’ online accounts and this guide lays out critical safeguards companies can use in the fight against credential stuffing. We must do everything we can to protect consumers’ personal information and their privacy.”

The guide also strongly encourages companies to notify their customers as quickly as possible so they can change their passwords and look for other accounts that may have been compromised.

“The notice should clearly and accurately convey material information concerning the attack that is reasonably individualized to the customer,” the guide reads. “This would require, at a minimum, disclosing whether the particular customer’s account was accessed without authorization, and, more generally, the timing of the attack, what customer information was accessed, and what actions have been taken to protect the customer.”
