New York State Attorney General Uncovers Large-Scale Credential Stuffing Attacks
Posted by: Tristan Morris
Published 1/7/22, 1:00pm
On Wednesday, January 5th, the New York State Attorney General’s office announced the results of a months-long investigation into credential stuffing cyber attacks targeting 17 well-known companies. The investigation found that over 1.1 million consumers’ online accounts were compromised as a result of the attacks, which targeted a broad range of industries including retailers, restaurants, and food delivery services.
While none of the affected companies were named in the 15-page report released by the New York State Attorney General’s office, it was made clear in an accompanying statement that all 17 companies had been notified and were taking steps to inform impacted customers and safeguard their data. All of the companies’ internal investigations revealed the attacks had gone unnoticed prior to the AG office’s notification.
“Businesses have the responsibility to take appropriate action to protect their customers’ online accounts,” New York State Attorney General Letitia James said in the statement. “We must do everything we can to protect consumers’ personal information and their privacy.”
Credential stuffing is a relatively simple, brute-force attack, requiring very little technical knowledge. Since the mainstream adoption of the internet, the proliferation of services and sites that require passwords has driven many consumers into bad habits and poor security hygiene. As a result, reused and improperly safeguarded credentials abound, and it’s that particular tendency of consumers that attackers target with credential stuffing attacks.
When an attacker finds a valid username and password for a site, it’s likely that that particular combination–or one extremely close to it–will be usable on a different site. All that’s left is for the attacker to try those credentials on as many sites and services as possible until they find a match. Free, easy-to-find software automates the process, allowing an attacker to send thousands of simultaneous login attempts with different stolen credentials to a web service. While most will fail, it only takes a few successes for an attacker to turn a profit on their efforts, doing anything from using stored payment information for purchases to selling the working credentials to someone else.
While the New York State Attorney General’s report focuses on helping businesses combat credential stuffing attacks to protect consumers, it’s important to remember that those same consumers are also employees who are just as vulnerable to re-using personal credentials for business purposes. While the measures laid out in the AG office’s report–like bot detection and monitoring customer activity–are certainly useful for customer-facing protections, many also overlap with tools and methods businesses can use to protect their internal assets and employees. In addition, many are simply parts of a well-governed Identity and Access Management (IAM) plan.
A well-constructed IAM program will naturally build barriers to credential stuffing attacks and mitigate the risks a successful stuffing attack could carry. For example, the simple baseline of accurately confirming a user’s identity with strong passwords and multi-factor authentication, or even passwordless authentication methods, makes credential stuffing attacks extremely difficult–if not near impossible–to pull off. Furthermore, with role-based access policies and user activity tracking and monitoring in place, even a successful credential stuffing attack would leave the attacker extremely limited in the access they have to critical assets, and their activity would likely trip alarms for abnormal behavior.
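As an added illustration of the activity monitoring the report recommends (example code written for this page, not taken from the AG report or from GuidePoint), the following Python snippet flags a source that tries many distinct accounts within a short window and mostly fails, which is the signature that separates stuffing from a single user mistyping a password. The log format, the thresholds, and the sample lines are constructed assumptions.

```python
# Added example: flag credential-stuffing patterns in login events.
# Log format, thresholds and sample data are constructed for illustration.
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

LoginEvent = namedtuple("LoginEvent", "ts src_ip username success")

def parse_line(line):
    """Parse a constructed 'ISO-timestamp src_ip username OK|FAIL' line."""
    ts, ip, user, result = line.split()
    return LoginEvent(datetime.fromisoformat(ts), ip, user, result == "OK")

def detect_stuffing(events, window=timedelta(minutes=5),
                    min_users=5, max_success_rate=0.2):
    """Return {src_ip: usernames that logged in successfully} for sources
    that, inside one window, try many distinct accounts and mostly fail.
    Distinct-user count, not raw attempt count, is the stuffing signal."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_ip[ev.src_ip].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:   # slide the window
                start += 1
            win = evs[start:end + 1]
            users = {e.username for e in win}
            hits = {e.username for e in win if e.success}
            if len(users) >= min_users and len(hits) / len(win) <= max_success_rate:
                flagged.setdefault(ip, set()).update(hits)
    return flagged

# Constructed sample: one source sprays six accounts and gets one hit;
# the other is a single user who mistypes twice and then logs in.
SAMPLE_LOG = """\
2022-01-05T10:00:00 203.0.113.7 alice FAIL
2022-01-05T10:00:01 203.0.113.7 bob FAIL
2022-01-05T10:00:02 203.0.113.7 carol OK
2022-01-05T10:00:03 203.0.113.7 dave FAIL
2022-01-05T10:00:04 203.0.113.7 erin FAIL
2022-01-05T10:00:05 203.0.113.7 frank FAIL
2022-01-05T10:01:00 198.51.100.9 gina FAIL
2022-01-05T10:01:30 198.51.100.9 gina FAIL
2022-01-05T10:02:00 198.51.100.9 gina OK
"""

def flagged_sources(log=SAMPLE_LOG):
    """Run detection over the sample; returns {'203.0.113.7': {'carol'}}."""
    return detect_stuffing(parse_line(l) for l in log.splitlines())
```

The accounts returned for a flagged source are the ones a defender would force a password reset and step-up authentication on, since those are the credentials the attacker now knows to be valid.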
As the Attorney General’s report cites, there are over 15 billion stolen credentials circulating on the internet, and no small number of those belong to enterprise and business users. This report and investigation throw into sharp relief the importance of establishing and maintaining an Identity and Access Management program for your organization.
Tristan Morris
Cybersecurity Solutions Marketer,
GuidePoint Security
Tristan Morris started his cybersecurity career in 2010 as a cryptologic linguist in the US Marine Corps, where he learned the fundamentals of security and threat hunting. At the end of his enlistment in 2015 he began using his skills, knowledge, and perspective to build training and education labs and CTF events by re-creating advanced attack lifecycles to construct realistic datasets for lab attendees to hone their skills. He has spoken at large security conferences and events from Black Hat to Singapore International Cyber Week.