The New York State Office of Attorney General (OAG) has flagged a series of credential stuffing attacks that went undetected for several months. Attorney General Letitia James highlighted that there are more than 15 billion stolen credentials being circulated across the internet which makes credential stuffing one of the top attack vectors online.
What is credential stuffing?
Credential stuffing is a type of cyberattack that involves attackers making attempts to log in to online accounts using stolen credentials.
These credentials are either leaked in data breaches or stolen from unrelated online services.
One of the major reasons for the success of such attacks is poor password practices. Attackers rely on passwords that are reused across different accounts.
Once attackers gain access to an account, they can view personal information associated with the account, including name, address, and past purchases.
If the account has stored a credit card or gift card, the attackers may be able to make fraudulent purchases.
Or, the attackers can simply gain monetary benefit by selling the credentials on dark web forums.
What did the OAG find?
In a press release, the OAG revealed that around 17 well-known online retailers, restaurant chains, and food delivery services were targeted in credential stuffing attacks over the past several months.
The office was able to confirm the attacks after it investigated thousands of posts that contained credentials of more than 1.1 million customer accounts.
The affected companies were asked to investigate and take immediate action to protect their customers’ data.
The OAG’s recommendations
Given the widespread prevalence of credential stuffing attacks across businesses, the OAG has urged organizations to have an effective data security program in place. Furthermore, it has advised implementing safeguards to defend, detect, prevent and respond to such incidents. One of the recommended measures includes the use of multi-factor authentication for different accounts. Traffic monitoring solutions that pick up spikes in failed login attempts can also be effective in thwarting credential stuffing attacks. More recommendations are available in the report.