Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

New York AG alerts companies on “credential stuffing” cyberattacks

State Issues New York Investigations State Attorney General Privacy/Cyber Risk & Data Security

State Issues

On January 5, the New York attorney general issued a report, which highlights the results of an investigation into “credential stuffing.” The investigation discovered over 1.1 million online accounts compromised in cyberattacks at 17 well-known companies. The report, Business Guide for Credential Stuffing Attacks, details attacks, which involve repeated, automated attempts to access online accounts using usernames and passwords stolen from other online services, and provides recommendations on how business can protect themselves. Through credential stuffing, which is one of the most common forms of cyberattacks, offenders utilize automated software to reuse stolen usernames and passwords, relying on the human tendency to reuse the same credentials to access various online accounts and platforms. The AG’s office launched the investigation “in light of the growing threat of credential stuffing,” and monitored several online communities dedicated to credential stuffing. According to the report, the office discovered thousands of posts that had customer login credentials that were tested by hackers in a credential stuffing attack and found that the information could be used to access other accounts. From these posts, the office compiled credentials to compromised accounts at seventeen companies, which consisted of online retailers, restaurant chains, and food delivery services, and collected credentials for over 1.1 million customer accounts, all of which seemed to have been compromised. After alerting the companies regarding the compromised accounts and urging them to investigate and take protective action, every company did so. The report recommended that businesses maintaining online accounts have a data security program, including effective safeguards for protecting customers from credential stuffing attacks in four areas: (i) defending against credential stuffing attacks; (ii) detecting a credential stuffing breach; (iii) preventing fraud and misuse of customer information; and (iv) responding to a credential stuffing incident. Specifically, three safeguards considered to be “highly effective” at defending against credential stuffing attacks were bot detection services, multi-factor authentication, and password-less authentication. The report also recommended that companies require reauthentication at the time of a purchase. Additionally, “[b]usinesses should have a written incident response plan that includes processes for responding to credential stuffing attacks” and notification to affected parties.