SecurityWeek
Cybercrime

NY AG: Credential Stuffing Impacts 1.1 Million Users at 17 Companies

New York Attorney General Letitia James this week announced the results of an investigation into credential stuffing, which resulted in the discovery of 1.1 million compromised accounts associated with 17 companies.

Credential stuffing – a type of cyberattack where adversaries repeatedly attempt to access a user’s account using usernames and passwords stolen from other online services – has become one of the most prevalent attack vectors on the Internet, Attorney General James says.

Because almost every application and website still relies on passwords for authentication, credential stuffing lets cybercriminals take over several of a person's accounts at once whenever that person reuses the same credentials across services.

According to a “Business Guide for Credential Stuffing Attacks” that the New York Attorney General has just released, there are over 15 billion credentials currently circulating on the web. Adversaries are abusing these to launch hundreds of billions of credential stuffing attacks each year.

After months of monitoring online communities dedicated to credential stuffing, the investigators compiled a list of 1.1 million affected customer accounts at 17 well-known companies, including food delivery services, online retailers, and restaurant chains.

The Office of the Attorney General (OAG) alerted the affected companies so that they could force password resets and notify their customers.

In addition to sharing details on the investigation, the newly released guide provides a series of recommendations on how companies can improve the security of their user accounts and prevent credential stuffing attacks.

Recommended safeguards include multi-factor authentication, bot-detection controls (such as CAPTCHA systems), passwordless authentication where possible, firewalls, and blocking users from choosing passwords that are already known to have been exposed in previous breaches.

The guide also recommends that organizations build the capability to detect credential stuffing attacks in progress: monitoring login activity, tracking fraud reports, notifying users of suspicious account activity, and monitoring the Internet for signs that user accounts have been compromised.
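Monitoring login activity for credential stuffing differs from classic brute-force detection: the attacker tries each stolen username/password pair roughly once, so the signal is a single source attempting many distinct accounts with a low success rate, not many attempts against one account. The example below is added here and is not code from the article or from the OAG guide; the log format, the sample lines, the sliding-window thresholds and the function names are constructed assumptions that a real deployment would tune per application.

```python
"""Flag sources whose login pattern looks like credential stuffing and
list the accounts they got into. Added example; log lines and thresholds
are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp source_ip username result".
# 203.0.113.7 sprays ten different accounts and lands two of them;
# 198.51.100.22 is one user mistyping their own password.
SAMPLE_LOG = """\
2022-01-05T10:00:01 203.0.113.7 alice FAIL
2022-01-05T10:00:02 203.0.113.7 bob FAIL
2022-01-05T10:00:02 203.0.113.7 carol FAIL
2022-01-05T10:00:03 203.0.113.7 dave SUCCESS
2022-01-05T10:00:03 203.0.113.7 erin FAIL
2022-01-05T10:00:04 203.0.113.7 frank FAIL
2022-01-05T10:00:05 203.0.113.7 grace FAIL
2022-01-05T10:00:05 203.0.113.7 heidi FAIL
2022-01-05T10:00:06 203.0.113.7 ivan FAIL
2022-01-05T10:00:06 203.0.113.7 judy SUCCESS
2022-01-05T10:00:10 198.51.100.22 alice FAIL
2022-01-05T10:00:15 198.51.100.22 alice FAIL
2022-01-05T10:00:20 198.51.100.22 alice SUCCESS
2022-01-05T10:03:00 192.0.2.9 mallory FAIL
"""


def parse_line(line: str):
    """Split one log line into (timestamp, source_ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "SUCCESS"


def detect(log_text: str, window: timedelta = timedelta(minutes=5),
           min_users: int = 5, max_success_rate: float = 0.5) -> dict:
    """Sliding-window check per source IP. A source is flagged when, within
    `window`, it touched at least `min_users` distinct accounts and most of
    those attempts failed. Returns {ip: {attempts, distinct_users,
    compromised}} where `compromised` lists accounts it logged into."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start so that events[start:end+1] spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            successes = sum(1 for _, _, ok in win if ok)
            if len(users) >= min_users and successes / len(win) <= max_success_rate:
                flagged[ip] = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "compromised": sorted({u for _, u, ok in win if ok}),
                }
    return flagged


def accounts_to_reset(flagged: dict) -> list:
    """Accounts that a flagged source successfully authenticated to; these
    are the ones to force a password reset on and notify."""
    names = set()
    for info in flagged.values():
        names.update(info["compromised"])
    return sorted(names)


if __name__ == "__main__":
    result = detect(SAMPLE_LOG)
    for ip, info in result.items():
        print(ip, info)
    print("reset:", accounts_to_reset(result))
```

The successes inside a flagged window are the actionable output: they correspond to the accounts the OAG asked companies to reset and notify, while the legitimate user on 198.51.100.22 is left alone because every attempt targeted a single account.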

“Businesses have the responsibility to take appropriate action to protect their customers’ online accounts and this guide lays out critical safeguards companies can use in the fight against credential stuffing. We must do everything we can to protect consumers’ personal information and their privacy,” said Attorney General James.

In June 2021, global law enforcement agencies took down stolen login credentials marketplace Slilpp, which had been selling credentials for more than 1,400 account providers.

Related: LastPass Automated Warnings Linked to ‘Credential Stuffing’ Attack

Related: Dark Hash Collisions: New Service Confidentially Finds Leaked Passwords

Related: Tips for a Smarter Approach to Password Policy

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
