A months-long investigation into credential stuffing attacks by the New York attorney general’s office found credentials for more than 1.1 million online accounts at 17 major retailers, restaurant chains and food delivery services circulating in internet forums, the agency announced Wednesday.
Each of the unnamed companies was notified and took steps to protect impacted customers, the AG’s office said in a statement accompanying a 15-page report on the investigation. All of the companies’ investigations into the matter revealed that most of the attacks had not previously been detected, and each company either implemented or made plans to implement additional safeguards, the agency said.
None of the affected organizations were named in the report.
“Businesses have the responsibility to take appropriate action to protect their customers’ online accounts,” New York Attorney General Letitia James said in the statement.
Credential stuffing is an attack in which username and password combinations stolen from one website are used to attempt logins at many other websites.
The attack exploits the common habit of reusing the same username and password across multiple sites. Easily accessible software lets attackers automate login attempts at massive scale, so even a low success rate can translate into thousands of breached accounts.
If successful, hackers can make fraudulent purchases using stored credit card information, steal gift cards, target the customers directly in phishing attacks or sell the customer login and personal data to someone else.
In 2020 there were 193 billion credential stuffing attempts globally, according to research from Akamai, a major content delivery network. The attorney general’s report cited data from 2017 putting the annual cost to a company at $6 million in the form of application downtime, lost customers and increased IT costs.
The attacks are so common that they are practically unavoidable, according to the report, so companies should proactively develop detection, defense and mitigation strategies. Practices such as deploying bot detection software that flags non-human login behavior, and requiring multi-factor authentication for logins, can help.
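As an added illustration, not part of the article or of the attorney general’s report, the script below applies the kind of detection logic the report calls for to a constructed sample of authentication logs. The log format, the thresholds, the addresses and the usernames are all assumptions made for the example. It separates credential stuffing (many distinct usernames, each tried about once, mostly failing) from ordinary brute force (one username hammered repeatedly), lists accounts that logged in successfully from a stuffing source as likely compromised, and adds a second check for runs spread across many source addresses, which a per-address rule alone would miss.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample auth log ("ts ip user OK|FAIL"), not real data: the
# addresses come from documentation ranges and every username is invented.
SAMPLE_LOG = """\
2022-01-05T10:00:01Z 198.51.100.20 dana@example.com OK
2022-01-05T10:00:03Z 198.51.100.21 eve@example.com FAIL
2022-01-05T10:00:05Z 198.51.100.21 eve@example.com OK
2022-01-05T10:00:10Z 203.0.113.7 u001@example.com FAIL
2022-01-05T10:00:10Z 203.0.113.7 u002@example.com FAIL
2022-01-05T10:00:11Z 203.0.113.7 u003@example.com FAIL
2022-01-05T10:00:11Z 203.0.113.7 u004@example.com OK
2022-01-05T10:00:12Z 203.0.113.7 u005@example.com FAIL
2022-01-05T10:00:12Z 203.0.113.7 u006@example.com FAIL
2022-01-05T10:00:13Z 203.0.113.7 u007@example.com FAIL
2022-01-05T10:00:20Z 192.0.2.9 admin@example.com FAIL
2022-01-05T10:00:21Z 192.0.2.9 admin@example.com FAIL
2022-01-05T10:00:22Z 192.0.2.9 admin@example.com FAIL
2022-01-05T10:00:23Z 192.0.2.9 admin@example.com FAIL
2022-01-05T10:00:24Z 192.0.2.9 admin@example.com FAIL
2022-01-05T10:00:25Z 192.0.2.9 admin@example.com FAIL
2022-01-05T10:00:30Z 203.0.113.101 u101@example.com FAIL
2022-01-05T10:00:31Z 203.0.113.102 u102@example.com FAIL
2022-01-05T10:00:32Z 203.0.113.103 u103@example.com FAIL
2022-01-05T10:00:33Z 203.0.113.104 u104@example.com FAIL
2022-01-05T10:00:34Z 203.0.113.105 u105@example.com FAIL
2022-01-05T10:00:35Z 203.0.113.106 u106@example.com FAIL
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>OK|FAIL)$")


@dataclass
class Attempt:
    ts: str
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[Attempt]:
    """Parse 'ts ip user OK|FAIL' lines (assumed format); skip anything else."""
    attempts = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            attempts.append(Attempt(m["ts"], m["ip"], m["user"], m["result"] == "OK"))
    return attempts


def classify_sources(attempts, min_users=5, min_attempts=5,
                     min_fail_rate=0.7, max_attempts_per_user=2.0):
    """Per-source verdicts. Stuffing: many distinct usernames, each tried about
    once (leaked pairs are tried, not guessed, so per-account lockouts never
    trip), with a high failure rate. Brute force is the opposite shape: many
    attempts against few usernames. Thresholds are illustrative assumptions."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)
    verdicts = {}
    for ip, rows in by_ip.items():
        users = {a.user for a in rows}
        fail_rate = sum(not a.ok for a in rows) / len(rows)
        per_user = len(rows) / len(users)
        if fail_rate >= min_fail_rate and len(users) >= min_users and per_user <= max_attempts_per_user:
            verdicts[ip] = "credential_stuffing"
        elif fail_rate >= min_fail_rate and len(rows) >= min_attempts and per_user > max_attempts_per_user:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "benign"
    return verdicts


def likely_compromised(attempts, verdicts):
    """Accounts that logged in successfully from a stuffing source: these are
    the attacker's hits and are the ones to reset and notify."""
    return sorted({a.user for a in attempts
                   if a.ok and verdicts.get(a.ip) == "credential_stuffing"})


def distributed_stuffing(attempts, min_sources=5, min_fail_rate=0.7):
    """A botnet spreads the list across many addresses so each one makes a
    single attempt and the per-source rule stays quiet. Look instead at the
    population of single-attempt sources: genuine users mostly succeed on
    their only attempt, a stuffing run mostly fails. Returns (flag, rate)."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)
    singles = [rows[0] for rows in by_ip.values() if len(rows) == 1]
    if len(singles) < min_sources:
        return False, 0.0
    fail_rate = sum(not a.ok for a in singles) / len(singles)
    return fail_rate >= min_fail_rate, fail_rate


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    verdicts = classify_sources(log)
    for ip, verdict in sorted(verdicts.items()):
        print(f"{ip:16} {verdict}")
    print("likely compromised:", likely_compromised(log, verdicts))
    print("distributed stuffing:", distributed_stuffing(log))
```

Two points the example makes concrete: a per-account lockout, the classic brute-force defence, never fires against stuffing because each account is tried once, so the signal has to come from the source or from the population of sources; and the one successful login from the stuffing source (`u004@example.com`) is exactly the account that multi-factor authentication would have protected, since the stolen password alone would not have completed the login.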