Attorney General James Alerts 17 Companies to “Credential Stuffing” Cyberattacks Impacting More Than 1.1 Million Consumers – New York State Attorney General

Our Office
Bio of the Attorney General
Year in Review
Divisions and Bureaus
Regional Offices
Press Releases
Event Archive
Charities Registry
Complaint Forms
Consumer Resources
Data Security Breach Information
Effective REF Policy Memoranda
Employment Opportunities
Find an Attorney
Help for Homeowners
Identity Theft
Lemon Law Protections
Make a FOIL Request
Offering Plan Data Search
Presentation Request Form
Student Lending
Tenants’ Rights
Triple C Awards
Victims’ Rights
Animal Protection Initiative
Conviction Review Bureau
Debt Settlement & Collection
Free Educational Programs
Human Trafficking Initiative
Immigration Services Fraud Initiative
Land Bank Community Revitalization
NY Open Government
Pennies for Charity
Protect Our Homes
Smart Seniors
Office of Special Investigation
Source of Income Discrimination
Taxpayer Protection Initiative
Contact Us
You are here
NEW YORK – New York Attorney General Letitia James today announced the results of a sweeping investigation into “credential stuffing” that discovered more than 1.1 million online accounts compromised in cyberattacks at 17 well-known companies. Attorney General James released a “Business Guide for Credential Stuffing Attacks” that details the attacks — which involve repeated, automated attempts to access online accounts using usernames and passwords stolen from other online services — and how business can protect themselves. Credential stuffing has quickly become one of the top attack vectors online. Virtually every website and app use passwords as a means of authenticating its users. Unfortunately, users tend to reuse the same passwords across multiple online services. This allows cybercriminals to use passwords stolen from one company for other online accounts. Following discovery of the attacks, the Office of the Attorney General (OAG) alerted the relevant companies so that passwords could be reset and consumers could be notified. Today’s guide shares lessons learned over the course of the OAG’s investigation, including concrete guidance on steps businesses can take to better protect against credential stuffing attacks. 
“Right now, there are more than 15 billion stolen credentials being circulated across the internet, as users’ personal information stand in jeopardy,” said Attorney General James. “Businesses have the responsibility to take appropriate action to protect their customers’ online accounts and this guide lays out critical safeguards companies can use in the fight against credential stuffing. We must do everything we can to protect consumers’ personal information and their privacy.”
What is Credential Stuffing?
Credential stuffing is a type of cyberattack that involves attempts to log in to online accounts using username and passwords stolen from other, unrelated online services. It relies on the widespread practice of reusing passwords as, chances are, a password used on one website was also used on another. 
In a typical credential stuffing attack, an attacker may submit hundreds of thousands, or even millions, of login attempts using automated, credential-stuffing software and lists of stolen credentials downloaded from the dark web or hacking forums. Although only a small percentage of these attempts will succeed, through the sheer volume of login attempts, a single attack can nevertheless yield thousands of compromised accounts.   
An attacker that gains access to an account can use it in any number of ways. The attacker can, for example, view personal information associated with the account, including a name, an address, and past purchases, and use this information in a phishing attack. If the account has a stored credit card or gift card, the attacker may be able to make fraudulent purchases. Or the attacker could simply sell the login credentials to another individual on the dark web.
Credential stuffing is one of the most common forms of cyberattack. The operator of one large content delivery network reported that it witnessed more than193 billion such attacks in 2020 alone.
The OAG’s Investigation
In light of the growing threat of credential stuffing, the OAG launched an investigation to identify businesses and consumers impacted by this attack vector. Over a period of several months, the OAG monitored several online communities dedicated to credential stuffing. The OAG found thousands of posts that contained customer login credentials that attackers had tested in a credential stuffing attack and confirmed could be used to access customer accounts at websites or on apps. From these posts, the OAG compiled credentials to compromised accounts at 17 well-known online retailers, restaurant chains, and food delivery services. In all, the OAG collected credentials for more than 1.1 million customer accounts, all of which appeared to have been compromised in credential stuffing attacks. 
The OAG alerted each of the 17 companies to the compromised accounts and urged the companies to investigate and take immediate steps to protect impacted customers. Every company did so. The companies’ investigations revealed that most of the attacks had not previously been detected.
The OAG also worked with the companies to determine how attackers had circumvented existing safeguards and provided recommendations for strengthening their data security programs to better secure customer accounts in the future. Over the course of the OAG’s investigation, nearly all of the companies implemented, or made plans to implement, additional safeguards.
The OAG’s Recommendations
Credential stuffing attacks have become so prevalent that they are, for most businesses, unavoidable. Every business that maintains online customer accounts should therefore have a data security program that includes effective safeguards for protecting customers from credential stuffing attacks. Safeguards should be implemented in each of four areas:
Attorney General James’ guide presents specific safeguards that have been found to be effective in each of these areas. Some highlights from the guide include the following:
This matter was handled by Senior Enforcement Counsel Jordan Adler, Assistant Attorney General Hanna Baek, Internet and Technology Analyst Joe Graham, and Legal Assistant Richard Borgia — all of the Bureau of Internet and Technology, under the supervision of Deputy Bureau Chief Clark Russell and Bureau Chief Kim Berger. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is overseen by Chief Deputy Attorney General Chris D’Angelo and overseen by First Deputy Jennifer Levy.

Translation Disclaimer
Select a Language Below / Seleccione el Idioma Abajo
This Google™ translation feature is provided for informational purposes only.
The Office of Attorney General’s website is provided in English. However, the “Google Translate” option may assist you in reading it in other languages.
Google Translate cannot translate all types of documents, and it may not give you an exact translation all the time. Anyone relying on information obtained from Google Translate does so at his or her own risk.
The Office of Attorney General does not make any promises, assurances, or guarantees as to the accuracy of the translations provided. The State of New York, its officers, employees, and/or agents shall not be liable for damages or losses of any kind arising out of, or in connection with, the use or performance of such information, including but not limited to, damages or losses caused by reliance upon the accuracy of any such information, or damages incurred from the viewing, distributing, or copying of such materials.
A copy of this disclaimer can also be found on our Disclaimer page.
Close this box or use the [ X ]


Leave a comment

Your email address will not be published.