Attorney General James alerts 17 companies to ‘credential stuffing’ cyberattacks affecting over 1.1 million consumers

NEW YORK – New York Attorney General Letitia James today announced the results of a sweeping ‘credential stuffing’ investigation that uncovered more than 1.1 million compromised online accounts in cyberattacks on 17 well-known companies. Attorney General James has published a “Business Guide for Credential Stuffing Attacks” that details the attacks – which involve repeated, automated attempts to access online accounts using usernames and passwords stolen from other online services – and how businesses can protect themselves. Credential stuffing has quickly become one of the main attack vectors online. Virtually all websites and apps use passwords to authenticate their users. Unfortunately, people tend to reuse the same passwords across multiple online services, which allows cybercriminals to use passwords stolen from one company to break into accounts elsewhere. After the attacks were discovered, the Attorney General’s Office (OAG) alerted the affected businesses so that passwords could be reset and consumers could be notified. Today’s guide shares lessons learned during the OAG’s investigation, including concrete advice on the steps businesses can take to better protect themselves against credential stuffing attacks.

“At present, more than 15 billion stolen credentials circulate on the Internet because the personal information of users is at risk,” said Attorney General James. “Businesses have a responsibility to take the appropriate steps to protect their customers’ online accounts, and this guide outlines the essential safeguards businesses can use in the fight against credential stuffing. We must do all we can to protect consumers’ personal information and their privacy.”

What is credential stuffing?

Credential stuffing is a type of cyberattack that involves attempts to log into online accounts using usernames and passwords stolen from other, unrelated online services. It relies on the widespread practice of password reuse: there is a good chance that a password used on one website will also work on another.

In a typical credential stuffing attack, an attacker can submit hundreds of thousands, if not millions, of login attempts using automated credential stuffing software and lists of stolen credentials downloaded from the dark web or hacking forums. Although only a small percentage of these attempts succeed, the sheer volume of login attempts means that a single attack can still yield thousands of compromised accounts.

An attacker who accesses an account can use it in several ways. The attacker can, for example, view personal information associated with the account, including name, address and past purchases, and use that information in a phishing attack. If the account contains a credit card or gift card, the attacker may be able to make fraudulent purchases. Or the attacker could simply sell the login credentials to another person on the dark web.

One of the most common forms of cyberattack is credential stuffing. The operator of a large content delivery network said it witnessed more than 193 billion such attacks in 2020 alone.

The OAG investigation

In light of the growing threat of credential stuffing, the OAG launched an investigation to identify the businesses and consumers affected by this attack vector. Over a period of several months, the OAG monitored several online communities dedicated to credential stuffing. The OAG found thousands of posts containing customer login credentials that attackers had tested in credential stuffing attacks and confirmed could be used to access customer accounts on websites or in applications. From these posts, the OAG compiled the credentials of compromised accounts at 17 well-known online retailers, restaurant chains and food delivery services. In total, the OAG collected credentials for more than 1.1 million customer accounts, all of which appeared to have been compromised in credential stuffing attacks.

The OAG alerted each of the 17 companies to the compromised accounts and urged the companies to investigate and take immediate action to protect affected customers. Every company did so. The companies’ investigations revealed that most of the attacks had not previously been detected.

The OAG also worked with companies to determine how attackers circumvented existing protections and provided recommendations to strengthen their data security programs to better secure customer accounts in the future. During the OAG’s investigation, almost all of the companies implemented or planned to implement additional safeguards.

OAG recommendations

Credential stuffing attacks have become so prevalent that they are all but inevitable for most businesses. Every business that manages customer accounts online should therefore have a data security program that includes effective safeguards to protect customers from credential stuffing attacks. Safeguards should be implemented in each of four areas:

  1. Defending against credential stuffing attacks,
  2. Detecting a credential stuffing breach,
  3. Preventing fraud and misuse of customer information, and
  4. Responding to a credential stuffing incident.

Attorney General James’ guide presents specific safeguards that have been shown to be effective in each of these areas. Here are some highlights from the guide:

  • Three safeguards have proven to be highly effective in defending against credential stuffing attacks when properly implemented: 1) bot detection services, 2) multi-factor authentication, and 3) passwordless authentication.
  • Since no protection is 100% effective, it is critical that businesses have an effective way to detect attacks that have bypassed other defenses and compromised accounts. Most credential stuffing attacks can be identified by monitoring customer traffic for signs of an attack (for example, spikes in the volume of failed login attempts).
  • One of the most effective protections against attackers using payment information stored by customers is re-authentication at the time of purchase, for example by requiring customers to re-enter a credit card number or security code. It is extremely important that re-authentication be required for every payment method a business accepts. The OAG encountered many instances in which attackers were able to exploit gaps in fraud protection by making a purchase with a payment method that did not require re-authentication.
  • Organizations should have a written incident response plan that includes processes for responding to credential stuffing attacks. Processes should include investigation (for example, determining if and which customer accounts have been accessed), remediation (for example, blocking continued access by attackers to affected accounts), and notification (for example, alerting customers whose account was reasonably likely to have been affected).
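The detection highlight above (spikes in failed login attempts) and the investigation step in the incident-response highlight (determining which accounts were accessed) can both be illustrated with a small log analysis. The following Python is an added example, not code from the OAG guide or from any of the companies involved; the log line format, the sample traffic (a normal baseline followed by one address cycling through many usernames, with two "hits"), and the thresholds are all constructed for the illustration.

```python
"""Spotting credential-stuffing traffic in an authentication log.

Added illustration, not from the OAG guide. The log format is constructed
for this example:  <UTC timestamp> <client_ip> login <username> <success|failure>
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

LOG_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample traffic: a few ordinary logins, then one address (192.0.2.50)
# trying 30 different usernames within one minute, two of which succeed because
# those users reused a password that was in the attacker's list.
NORMAL_LINES = [
    "2021-10-05T10:00:05Z 203.0.113.7 login alice success",
    "2021-10-05T10:00:40Z 198.51.100.2 login bob failure",
    "2021-10-05T10:01:12Z 198.51.100.2 login bob success",
    "2021-10-05T10:02:30Z 203.0.113.9 login carol success",
    "2021-10-05T10:06:15Z 203.0.113.7 login dave success",
]
STUFFING_LINES = [
    f"2021-10-05T10:05:{i:02d}Z 192.0.2.50 login user{i:03d} "
    + ("success" if i in (7, 19) else "failure")
    for i in range(30)
]
SAMPLE_LOG = "\n".join(sorted(NORMAL_LINES + STUFFING_LINES))


def parse_line(line):
    """Split one log line into (timestamp, ip, username, result)."""
    ts, ip, _, user, result = line.split()
    return datetime.strptime(ts, LOG_FORMAT).replace(tzinfo=timezone.utc), ip, user, result


def window_start(ts, window_seconds):
    """Truncate a timestamp to the start of its fixed-size window (ISO string)."""
    epoch = int(ts.timestamp()) // window_seconds * window_seconds
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(LOG_FORMAT)


def analyze(log_text, window_seconds=60, min_failures=10, failure_ratio=0.8, min_users_per_ip=5):
    """Return (flagged_windows, suspicious_ips).

    flagged_windows: windows in which failed logins are both numerous and the
    majority of all traffic, i.e. the "spike in failed login attempts" signal.
    suspicious_ips: {ip: number of distinct usernames it failed against}; one
    client failing against many unrelated accounts is the footprint of a
    stolen-credential list being replayed. Thresholds are illustrative.
    """
    total, failed = Counter(), Counter()
    failed_users_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        w = window_start(ts, window_seconds)
        total[w] += 1
        if result == "failure":
            failed[w] += 1
            failed_users_by_ip[ip].add(user)
    flagged = sorted(
        w for w in total
        if failed[w] >= min_failures and failed[w] / total[w] >= failure_ratio
    )
    suspicious = {ip: len(users) for ip, users in failed_users_by_ip.items()
                  if len(users) >= min_users_per_ip}
    return flagged, suspicious


def accounts_to_reset(log_text, suspicious_ips):
    """Usernames that logged in successfully from a suspicious address: the
    accounts the attack actually reached, whose passwords should be reset and
    whose owners should be notified."""
    hits = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, result = parse_line(line)
        if result == "success" and ip in suspicious_ips:
            hits.add(user)
    return hits


if __name__ == "__main__":
    windows, ips = analyze(SAMPLE_LOG)
    print("flagged windows:", windows)
    print("suspicious ips:", ips)
    print("accounts to reset:", sorted(accounts_to_reset(SAMPLE_LOG, ips)))
```

On the sample, the one-minute window starting at 10:05 is flagged (28 failures out of 30 attempts), 192.0.2.50 is reported as having failed against 28 distinct usernames, and the two accounts it did get into (user007 and user019) are the ones to reset and notify. Real attacks are distributed across many addresses through proxies, so in practice the per-window failure-rate signal matters more than the per-IP one; that is why the guide pairs traffic monitoring with bot detection rather than relying on address blocking alone.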

This case was handled by Senior Enforcement Counsel Jordan Adler, Deputy Attorney General Hanna Baek, Internet and Technology Analyst Joe Graham, and Legal Assistant Richard Borgia – all of the Bureau of Internet and Technology, under the supervision of Deputy Bureau Chief Clark Russell and Bureau Chief Kim Berger. The Bureau of Internet and Technology is part of the Economic Justice Division, which is overseen by Chief Deputy Attorney General Chris D’Angelo and First Deputy Jennifer Levy.