The New York Attorney General’s Office has found a series of credential stuffing attacks that went unnoticed for several months. According to Attorney General Letitia James, there are more than 15 billion stolen credentials floating around the internet, making credential stuffing one of the most popular forms of cyber-attacks. Further it has notified that most of the well-known online retailers, food delivery services and restaurant chains were the victims of these credential stuffing attacks.
Cyber-attacks compromised more than 1.1 million internet accounts, according to the inquiry. Attorney General James produced a “Business Guide for Credential Stuffing Assaults” that explains how businesses may protect themselves from the attacks, which entail repetitive, automated efforts to enter internet accounts using usernames and passwords obtained from other online services.
“What did the OAG discover?”
Several online communities dedicated to credential stuffing were monitored by the OAG for several months. Thousands of posts were discovered by the OAG that contained customer login credentials that had been tested in a credential stuffing attack and validated could be used to access user accounts on websites or apps. From these posts, the OAG gathered credentials for 17 well-known online shops, restaurant businesses, and food delivery services. The OAG gathered credentials for almost 1.1 million customer accounts in total, all of which looked to have been hacked as a result of credential stuffing attacks.
Following the discovery of the assaults, the OAG notified the affected organizations, allowing them to reset passwords and notify customers. The OAG also worked with the organizations to figure out how attackers got around current measures and made recommendations for improving their data security programmes in the future to protect customer accounts. Almost all companies implemented or planned to install new protections throughout the OAG’s inquiry.
What is credential stuffing?
- Credential stuffing is a sort of cyber-attack in which attackers try to log into internet accounts with stolen credentials.
- These credentials are either stolen from unrelated internet businesses or disclosed through data breaches.
- Poor password procedures are one of the main causes for the success of such assaults. Passwords that are reused across many accounts are utilized by attackers.
The effect
- Credential stuffing attacks are old news, but they still work, according to Chris Olson, CEO of The Media Trust. “While users are responsible for their data, businesses must protect it when it is entered or gathered inadvertently through their websites/mobile apps.” Taking responsibility for how digital assets can affect customers is crucial to maintaining consumer privacy and security expectations. Those who have implemented digital trust and safety measures are already seeing significant results in their bottom line.”
- Once an attacker has gained access to an account, they can read personal information such as a user’s name, address, and previous purchases.
- If a credit card or gift card is saved in the account, the attackers may be able to conduct fraudulent purchases.
- Alternatively, the attackers can profit financially by selling the credentials on dark web forums.
Recommendations of the OAG
Because of the increasing incidence of credential stuffing assaults in enterprises, the OAG has recommended businesses to implement a strong data security programme. It also recommended putting in place mechanisms to defend, detect, avoid, and respond to such attacks. The implementation of multi-factor authentication for various accounts is one of the recommended measures. Credential stuffing attacks can be thwarted via traffic monitoring tools that detect surges in failed login attempts. The study has other recommendations.
