The New York State Office of the Attorney General (NY OAG) has alerted 17 well-known organizations that credential stuffing attacks have exposed the user accounts of nearly 1.1 million of their customers. In these attacks, threat actors use automation to repeatedly try credentials (typically username/password combinations) acquired from other online services against user accounts, millions of attempts at a time.
This strategy is especially effective against users who reuse the same credentials across different services. The attackers’ ultimate objective is to gain access to as many accounts as possible in order to steal the personal and financial information linked with those accounts, which may then be sold on hacking forums or the dark web. Threat actors can also use the information to commit identity theft or make unauthorized transactions.
The New York State Office of the Attorney General identified these hacked online accounts after a months-long wide-ranging investigation into various online forums dedicated to exchanging verified credentials collected in previously unreported credential stuffing attacks.
“After reviewing thousands of posts, the OAG compiled login credentials for customer accounts at 17 well-known companies, which included online retailers, restaurant chains, and food delivery services,” the NY OAG stated. The OAG gathered credentials for almost 1.1 million customer accounts in total, all of which appeared to have been compromised in credential stuffing attacks.
“Following discovery of the attacks, the Office of the Attorney General (OAG) alerted the relevant companies so that passwords could be reset and consumers could be notified.”
According to an Akamai report released in May 2021, there were over 193 billion credential stuffing attacks worldwide in 2020, up 45 percent from the prior year. Last year, Digital Shadows revealed that over 15 billion credentials are presently being traded or sold online, with most of them belonging to customers. Credential stuffing attacks have recently increased due to this enormous store of circulating hacked credentials.
“Right now, there are more than 15 billion stolen credentials being circulated across the internet, as users’ personal information stands in jeopardy,” stated New York Attorney General Letitia James.
The New York State Office of the Attorney General has released a report that further details its credential stuffing investigation and how businesses may safeguard their consumers and respond to similar situations. For example, companies should use bot detection services, multi-factor authentication, and password-less authentication, and should monitor client traffic for evidence of cyberattacks (e.g., spikes in traffic volume or failed login attempts).
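One way to act on the monitoring advice above is sketched below as an added example; it is not taken from the OAG report. It flags sources that try many different usernames with a high failure rate, then lists the accounts that did log in from those sources so their passwords can be reset and the customers notified. The event layout, thresholds, addresses and usernames are all constructed assumptions.

```python
from collections import defaultdict

WINDOW_MIN = 5  # bucket size in minutes (assumed tuning value)

def sample_events():
    """Constructed login events: (minute, source_ip, username, success)."""
    ev = []
    # One source trying 40 different usernames once each; two logins succeed.
    for i in range(40):
        ev.append((i // 10, "203.0.113.7", f"user{i}", i in (17, 33)))
    # Password guessing against a single account: many failures, one username.
    ev += [(1, "192.0.2.50", "bob", False)] * 30
    # Shared office NAT: many users, nearly all succeed.
    for i in range(25):
        ev.append((2, "198.51.100.99", f"staff{i}", i != 0))
    # Ordinary user mistyping a password once.
    ev += [(3, "198.51.100.20", "alice", False),
           (3, "198.51.100.20", "alice", True)]
    return ev

def flag_stuffing(events, min_attempts=20, min_user_ratio=0.8,
                  min_fail_ratio=0.9):
    """Return {source_ip: stats} for sources matching the stuffing pattern."""
    buckets = defaultdict(list)
    for minute, ip, user, ok in events:
        buckets[(ip, minute // WINDOW_MIN)].append((user, ok))
    findings = {}
    for (ip, _), rows in buckets.items():
        attempts = len(rows)
        users = {u for u, _ in rows}
        failures = sum(1 for _, ok in rows if not ok)
        # Stuffing signature: volume, roughly one try per username,
        # and almost every attempt failing.
        if (attempts >= min_attempts
                and len(users) / attempts >= min_user_ratio
                and failures / attempts >= min_fail_ratio):
            hit = findings.setdefault(
                ip, {"attempts": 0, "failures": 0, "reset": set()})
            hit["attempts"] += attempts
            hit["failures"] += failures
            # Successful logins from a flagged source need a reset.
            hit["reset"] |= {u for u, ok in rows if ok}
    return findings

if __name__ == "__main__":
    for ip, stats in flag_stuffing(sample_events()).items():
        print(ip, stats["attempts"], stats["failures"], sorted(stats["reset"]))
```

The single-account guessing source and the shared NAT are deliberately not flagged by this rule; the first needs a per-account failure counter and the second is normal traffic.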