Content, Americas

NY OAG: Credential Stuffing Attacks Hit One Million User Accounts in 17 Businesses

Even with hackers' growing love for ransomware, credential stuffing is alive and well, according to a new report from New York’s Attorney General’s office (OAG). More than one million online accounts hijacked from 17 “well known” companies in the state have been compromised in credential stuffing attacks, the study found.

The investigation uncovered “thousands of posts” on several online communities containing login credentials that had been tested in credential stuffing attacks to access customer accounts at websites or on applications. Favored targets included online retailers, restaurant chains and food delivery services.

All companies involved in the attacks have been alerted and taken recommended steps to protect vulnerable customers, said New York Attorney General Letitia James. Several had not detected the credential stuffing attacks that had compromised their customers’ accounts. The report called credential stuffing “inevitable” and warned businesses that inadequate security monitoring is the likely opening that hackers have exploited. Most credential stuffing attacks can be identified by monitoring customer traffic for signs of attacks, such as spikes in traffic volume of failed login attempts.

It’s not clear if the affected companies or the OAG have contacted managed security service providers (MSSPs) to help address what appears to be a widespread need for monitoring improvements. If not, for sure they should.

That users frequently key in the same passwords across multiple online services paves the way for hackers to use credentials stolen from one company for other online accounts, said James. “Right now, there are more than 15 billion stolen credentials being circulated across the internet, as users’ personal information stands in jeopardy,” she said. “We must do everything we can to protect consumers’ personal information and their privacy.”

Companies should pinpoint certain areas to strengthen their defenses against credential stuffing attacks, the report said, including safeguards to:

  • Detect a credential stuffing breach.
  • Prevent fraud and misuse of customer information.
  • Respond to a credential stuffing incident.

In particular, these safeguards were found to be "highly effective" at defending against credential stuffing attacks when properly implemented:

  • Bot detection services.
  • Multi-factor authentication.
  • Password-less authentication.

Among the OAG’s recommendations for companies to better arm themselves against credential stuffing include re-authentication at the time of purchase that requires customers to re-enter a credit card number or security code for every payment method that a business accepts. In addition, businesses should possess a written incident response plan that includes processes for responding to credential stuffing attacks. The processes should include:

  • Determining whether and which customer accounts were accessed.
  • Blocking attackers’ continued access to impacted accounts.
  • Alerting customers whose accounts were likely to have been impacted.

“The explosive growth of credential stuffing shows no signs of abating, fueled by the ever-growing numbers of stolen credentials that are available to attackers,” the report reads. “However, companies can significantly mitigate the risks of credential stuffing to their business and their customers by maintaining a comprehensive data security program with the right mix of cybersecurity measures.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.