NY AG: Credential Stuffing Impacts 1.1 Million Users at 17 Companies

New York Attorney General Letitia James this week announced the results of an investigation into credential stuffing, which resulted in the discovery of 1.1 million compromised accounts associated with 17 companies.

Credential stuffing – a type of cyberattack in which adversaries take usernames and passwords leaked from one online service and replay them, at scale and typically through automated tooling, against the login forms of other services – has become one of the most prevalent attack vectors on the Internet, Attorney General James says.

Because nearly every application and website still relies on passwords for authentication, and many people reuse the same password across services, a single leaked username-and-password pair frequently unlocks several of that person's accounts.

According to a “Business Guide for Credential Stuffing Attacks” that the New York Attorney General has just released, there are over 15 billion credentials currently circulating on the web. Adversaries are abusing these to launch hundreds of billions of credential stuffing attacks each year.

[ Related: 21 Million Stolen Fortune 500 Credentials For Sale on Dark Web ]

Following months of monitoring online communities dedicated to credential stuffing, the OAG compiled a list of 1.1 million impacted customer accounts at 17 well-known companies, including food delivery services, online retailers, and restaurant chains.

The Office of the Attorney General (OAG) alerted the relevant companies so that they could force password resets and notify their customers.

In addition to sharing details on the investigation, the newly released guide provides a series of recommendations on how companies can improve the security of their user accounts and prevent credential stuffing attacks.

Recommended safeguards include multi-factor authentication, bot detection (such as CAPTCHA systems), passwordless authentication where possible, firewalls, and rejecting passwords that are already known to have been exposed in previous breaches, since those are exactly the credentials being replayed.
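The last of those safeguards is the one most teams can implement directly in code. The example below is added here and is not part of the Attorney General's guide or the article; it shows the k-anonymity pattern commonly used for breached-password checks: the client hashes the candidate password with SHA-1, sends only the first five hex characters of the digest to the lookup service, and compares the returned suffixes locally, so the full hash never leaves the client. The breached-password table and its counts are constructed for this example (they are not real breach data), and `lookup_range` stands in for the remote call.

```python
import hashlib

# Constructed breached-password corpus for this example only. Real deployments
# query a breach dataset (e.g. a Pwned-Passwords-style range endpoint) instead.
_FAKE_BREACHED = {
    "password": 9545824,
    "letmein": 420000,
    "Password1234": 500000,
}


def _sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the convention range lookups use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_fake_ranges(breached: dict) -> dict:
    """Bucket the corpus by the first five hex chars of the hash, exactly as a
    range-lookup service would store it: {prefix: {suffix: count}}."""
    ranges: dict = {}
    for pw, count in breached.items():
        digest = _sha1_upper(pw)
        ranges.setdefault(digest[:5], {})[digest[5:]] = count
    return ranges


_FAKE_RANGES = _build_fake_ranges(_FAKE_BREACHED)


def lookup_range(prefix: str) -> dict:
    """Stand-in for the network call. The service only ever sees the 5-char
    prefix and returns every suffix in that bucket; it cannot tell which
    suffix the caller is interested in."""
    assert len(prefix) == 5, "only the 5-character prefix may be sent"
    return _FAKE_RANGES.get(prefix, {})


def breach_count(password: str) -> int:
    """Return how many times the password appears in the breach corpus (0 if
    unseen). The comparison of the 35-char suffix happens client-side."""
    digest = _sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return lookup_range(prefix).get(suffix, 0)


def is_acceptable(password: str, min_length: int = 12):
    """Registration / reset policy: enforce a minimum length and reject any
    password present in breach data. Returns (accepted, reason)."""
    if len(password) < min_length:
        return False, "too short"
    n = breach_count(password)
    if n:
        return False, f"seen in {n} breaches"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "Password1234", "correct horse battery staple"):
        print(candidate, "->", is_acceptable(candidate))
```

Wire `is_acceptable` into account creation and password-reset flows, not just login; checking at reset is what actually stops a user from re-selecting the credential that was just replayed against them.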

The guide also recommends that organizations implement systems to detect credential stuffing attacks in progress, by monitoring login activity for anomalous patterns, tracking reports of fraud, notifying users of suspicious account activity, and watching the Internet for signs that their customers' accounts are being traded.
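The monitoring recommendation is easier to act on with a concrete signal. Credential stuffing looks different from classic brute force in authentication logs: one source tries many distinct usernames, roughly once each, because the attacker already has a password for each account and is only testing whether it was reused. The detector below is an added example, not code from the guide or the article; it runs that heuristic over a constructed sample log (the log format and IP addresses are invented for illustration) and also reports which accounts a flagged source actually got into, since those are the ones to force-reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system). Assumed
# format: ISO-8601 UTC timestamp, event, username, source IP.
SAMPLE_LOG = """\
2022-01-05T10:00:01Z login_failed user=alice src=203.0.113.7
2022-01-05T10:00:02Z login_failed user=bob src=203.0.113.7
2022-01-05T10:00:02Z login_failed user=carol src=203.0.113.7
2022-01-05T10:00:03Z login_success user=dave src=203.0.113.7
2022-01-05T10:00:03Z login_failed user=erin src=203.0.113.7
2022-01-05T10:00:04Z login_failed user=frank src=203.0.113.7
2022-01-05T10:00:05Z login_failed user=grace src=203.0.113.7
2022-01-05T10:00:06Z login_failed user=heidi src=203.0.113.7
2022-01-05T10:00:07Z login_failed user=ivan src=203.0.113.7
2022-01-05T10:00:08Z login_failed user=judy src=203.0.113.7
2022-01-05T10:00:09Z login_failed user=mallory src=203.0.113.7
2022-01-05T10:01:00Z login_failed user=alice src=198.51.100.4
2022-01-05T10:01:05Z login_failed user=alice src=198.51.100.4
2022-01-05T10:01:09Z login_failed user=alice src=198.51.100.4
2022-01-05T10:01:15Z login_failed user=alice src=198.51.100.4
2022-01-05T10:01:20Z login_failed user=alice src=198.51.100.4
2022-01-05T10:01:25Z login_failed user=alice src=198.51.100.4
2022-01-05T10:01:31Z login_failed user=alice src=198.51.100.4
2022-01-05T10:01:36Z login_failed user=alice src=198.51.100.4
2022-01-05T10:01:41Z login_failed user=alice src=198.51.100.4
2022-01-05T10:01:47Z login_failed user=alice src=198.51.100.4
2022-01-05T10:05:00Z login_failed user=oscar src=192.0.2.9
2022-01-05T10:05:20Z login_success user=oscar src=192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+) (login_failed|login_success) user=(\S+) src=(\S+)$")


def parse(log_text: str) -> list:
    """Parse log lines into (timestamp, event, user, src) tuples; skip junk."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_stuffing(events, window=timedelta(seconds=60),
                    min_distinct_users=8, max_attempts_per_user=2.0) -> dict:
    """Slide a time window over each source IP's login events. Flag the source
    when it touches many distinct usernames with few attempts per user, which
    is the credential-stuffing signature. A source hammering one username
    (brute force) does not match and is left for a different rule.
    Returns {src: {"distinct_users", "attempts", "compromised"}}."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[3]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            users = {e[2] for e in in_window}
            attempts = len(in_window)
            if len(users) >= min_distinct_users and attempts / len(users) <= max_attempts_per_user:
                f = findings.setdefault(src, {"distinct_users": 0, "attempts": 0, "compromised": set()})
                f["distinct_users"] = max(f["distinct_users"], len(users))
                f["attempts"] = max(f["attempts"], attempts)
                # Successful logins inside a stuffing burst are reused credentials
                # that worked: these accounts need a forced reset.
                f["compromised"].update(e[2] for e in in_window if e[1] == "login_success")
    for f in findings.values():
        f["compromised"] = sorted(f["compromised"])
    return findings


if __name__ == "__main__":
    for src, info in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{src}: {info['distinct_users']} users / {info['attempts']} attempts, "
              f"compromised={info['compromised']}")
```

On the sample, only 203.0.113.7 is flagged (11 usernames in nine seconds, one attempt each, with `dave` successfully logged into); 198.51.100.4 makes ten attempts but against a single account, so it fails the distinct-user test, and the `oscar` typo-then-success is ignored. In production, key the window on something harder to rotate than a bare IP (ASN, JA3/TLS fingerprint, or device token) since stuffing tools spread attempts across proxy pools, and tune `min_distinct_users` against your normal per-source login fan-out.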

“Businesses have the responsibility to take appropriate action to protect their customers’ online accounts and this guide lays out critical safeguards companies can use in the fight against credential stuffing. We must do everything we can to protect consumers’ personal information and their privacy,” said Attorney General James.

In June 2021, global law enforcement agencies took down stolen login credentials marketplace Slilpp, which had been selling credentials for more than 1,400 account providers.

Related: LastPass Automated Warnings Linked to ‘Credential Stuffing’ Attack

Related: Dark Hash Collisions: New Service Confidentially Finds Leaked Passwords

Related: Tips for a Smarter Approach to Password Policy

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
