An investigation by New York Attorney General Letitia James found that more than 1.1 million online accounts were compromised in cyberattacks at 17 well-known companies.
This was done through a practice that hackers use called credential stuffing. Credential stuffing involves attempts to log in to online accounts using usernames and passwords stolen from other, unrelated online services. It relies on the idea that many people use the same passwords across a variety of accounts. Credential stuffing has quickly become one of the top attack vectors among cybercriminals.
“Right now, there are more than 15 billion stolen credentials being circulated across the internet, as users’ personal information stand in jeopardy,” James said. “Businesses have the responsibility to take appropriate action to protect their customers’ online accounts, and this guide lays out critical safeguards companies can use in the fight against credential stuffing. We must do everything we can to protect consumers’ personal information and their privacy.”
The Office of the Attorney General (OAG) alerted the 17 companies that were found to be victims of the attacks and urged them to take immediate steps to protect impacted customers. Every company did so.
The OAG also worked with the companies to determine how attackers had circumvented existing safeguards. Further, it provided recommendations for strengthening their data security programs to better secure customer accounts in the future. Nearly all of the companies implemented, or made plans to implement, additional safeguards.
James released a “Business Guide for Credential Stuffing Attacks” that details the attacks. It also includes several recommendations for companies to safeguard themselves against these attacks.
In short, three safeguards were found to be highly effective at defending against credential stuffing attacks when properly implemented: bot detection services; multi-factor authentication; and password-less authentication.
Also, an effective safeguard for preventing attackers from using customers’ stored payment information is re-authentication at the time of purchase by requiring customers to re-enter a credit card number or security code. The OAG found many cases in which attackers were able to exploit gaps in fraud protection by making a purchase using a payment method that did not require re-authentication.
The OAG says businesses should have a written incident response plan that includes processes for responding to credential stuffing attacks. The plan should include an investigation.