New York Study Says Millions Affected by Credential Stuffing


New York State Attorney General Letitia James has revealed that over 1.1 million online accounts at 17 “well-known” businesses were compromised in credential stuffing attacks. The Office of the Attorney General (OAG) has alerted the affected companies so that they can notify their customers.

What is Credential Stuffing?

Credential stuffing is the automated replay of username and password pairs stolen from one service against the login forms of other services. It works because consumers often reuse the same username, the same password, or both across multiple platforms.

Cybercriminals exploit this widespread reuse with automated tools that take credential lists obtained from data breaches and dark-web markets and “stuff” them, pair by pair, into a target site’s login form. In 2020, attackers used credential stuffing to gain access to 350,000 Spotify accounts.

Credential stuffing is one of the most common types of cyberattack. According to the OAG’s press release, one large content delivery network reported witnessing more than 193 billion such attacks in 2020 alone. James’ office carried out an extensive investigation into these attacks.

The OAG also released a guide for businesses with further information on the attacks and on the safeguards it recommends.

Over 15 Billion Stolen Credentials Circulating Across the Internet

The OAG’s investigation lasted several months and involved monitoring several online communities dedicated to credential stuffing. There, the OAG discovered thousands of posts containing customer usernames and passwords.

Attackers had already tested these credentials in credential stuffing attacks, confirming that they could still be used to log in.

“Right now, there are more than 15 billion stolen credentials being circulated across the internet, as users’ personal information stands in jeopardy,” said Attorney General James.

“Businesses have the responsibility to take appropriate action to protect their customers’ online accounts and this guide lays out critical safeguards companies can use in the fight against credential stuffing. We must do everything we can to protect consumers’ personal information and their privacy,” James added.

How to Protect Yourself from Credential Stuffing Attacks

All 17 companies told the OAG that they have taken measures to protect their customers. The OAG also worked with them to identify possible gaps in their security practices. Its press release added, “nearly all of the companies implemented, or made plans to implement additional safeguards.”

The OAG recommends introducing safeguards that are aimed at accomplishing the following tasks:

  1. Defending against potential attacks
  2. Detecting breaches
  3. Preventing misuse of stolen information, and
  4. Responding immediately to incidents

It singles out bot detection, multi-factor authentication and passwordless authentication as among the most effective safeguards against credential stuffing.
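The following is an added example, not code from the OAG guide or from the original article, showing what the “detecting breaches” task above looks like in practice against the attack pattern described earlier: one source replaying many different stolen username/password pairs, each tried once, most of them failing. The log format, the thresholds and the sample log lines are all constructed for illustration; real login logs will need their own parser and tuning.

```python
"""
Toy credential-stuffing detector over login log lines.

Added example (not the OAG's or the article's code). The log format,
thresholds and sample traffic below are assumptions for illustration.
"""
import re

# Assumed log format: "<timestamp> <source ip> POST /login user=<name> result=OK|FAIL"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /login user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def _line(minute, ip, user, result):
    """Build one constructed log line in the assumed format."""
    return f"2022-01-05T10:{minute:02d}:00Z {ip} POST /login user={user} result={result}"


# Constructed sample traffic (not real data):
#  - 203.0.113.7 replays 12 different usernames once each; only "carol" succeeds
#    (the credential-stuffing pattern).
#  - 192.0.2.44 hits one username 10 times (a brute-force pattern, not stuffing).
#  - 198.51.100.23 is a real user who mistypes a password twice, then logs in.
#  - one non-login line shows the parser skipping unrelated requests.
STUFFING_IP = "203.0.113.7"
SAMPLE_LOG = (
    [_line(i, STUFFING_IP, u, "FAIL") for i, u in enumerate(
        ["alice", "bob", "erin", "frank", "grace", "heidi",
         "ivan", "judy", "mallory", "oscar", "peggy"])]
    + [_line(11, STUFFING_IP, "carol", "OK")]
    + [_line(i, "192.0.2.44", "dave", "FAIL") for i in range(10)]
    + [_line(i, "198.51.100.23", "alice", r) for i, r in enumerate(["FAIL", "FAIL", "OK"])]
    + ["2022-01-05T10:20:00Z 198.51.100.23 GET /home status=200"]
)


def parse_line(line):
    """Return the fields of a login line, or None for lines in another format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines):
    """Per source IP: attempt count, failure count, distinct users, users that logged in."""
    stats = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats.setdefault(rec["ip"], {"attempts": 0, "failures": 0,
                                         "users": set(), "successes": set()})
        s["attempts"] += 1
        s["users"].add(rec["user"])
        if rec["result"] == "FAIL":
            s["failures"] += 1
        else:
            s["successes"].add(rec["user"])
    return stats


def flag_sources(stats, min_attempts=10, min_distinct_users=8, min_failure_ratio=0.8):
    """Flag sources that try many distinct usernames with a high failure rate.

    Requiring many *distinct* usernames separates stuffing (one guess per
    account, from a stolen list) from brute force (many guesses on one account).
    The 'compromised' list names accounts that succeeded from a flagged source:
    those are the customers to lock, reset and notify.
    """
    flagged = {}
    for ip, s in stats.items():
        if s["attempts"] < min_attempts:
            continue
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and ratio >= min_failure_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "failure_ratio": round(ratio, 2),
                "compromised": sorted(s["successes"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in flag_sources(aggregate(SAMPLE_LOG)).items():
        print(ip, info)
```

Running it flags only 203.0.113.7 and names “carol” as the account that must be reset and notified, while the brute-force source and the legitimate user are left alone. The caveat a practitioner should keep in mind: real campaigns are spread across proxy pools so that each IP stays under thresholds like these, which is why the OAG lists bot detection (rather than simple per-IP rate limiting) among the most effective safeguards; a per-IP heuristic like this one is a starting point, not a complete defence.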

Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.