NY attorney general probes widespread credential stuffing, 17 companies affected

Dive Brief:

Seventeen companies had more than 1.1 million online accounts compromised via credential stuffing, according to an investigation from New York Attorney General Letitia James.
Following a months-long investigation into online communities used for credential stuffing, the Office of the Attorney General (OAG) found the 17 impacted "well-known" companies included online retailers, restaurant chains and food delivery services.
The OAG contacted the companies and asked for internal investigations, as well as remediation for impacted customers. "Every company did so," the OAG report said.

Dive Insight:

Credential stuffing works because it preys on reused passwords, a common practice for personal and professional online accounts.

"Attackers know that the username and password used at one website may also be used at a half-dozen others," the OAG report said. "Attackers typically use free, easily accessible software capable of transmitting hundreds of login attempts simultaneously without human intervention."

Nearly two years into mass remote work, business executives have found an increase in credential theft. Zero-trust models have the potential to upgrade identity access management and privileged access control, but companies are still facing increased spear phishing and impersonation attempts to target users who have access to sensitive information.

With data privacy concerns hovering over credential stuffing attacks, companies could also pay for regulatory fines, in addition to other remediation costs.

Credential theft is easy for threat actors and is unavoidable for most businesses, the OAG said.

The report outlines safeguards used for defending, detecting, preventing and responding to credential stuffing attempts, including:

Bot detection: Companies can use bot detection capabilities but, by enlisting a third-party service, companies can have insights into hundreds of websites and apps monitored. That addition could provide companies with bot patterns they wouldn't be able to decipher in the silo of an in-house solution.
Multifactor authentication: Six of the companies the OAG contacted use or plan to use MFA. The addition of secondary security guards — security keys, authenticator apps, or email/text messaging for one-time codes — provided another layer of protection against SIM swapping or social engineering.
Web application firewalls: While credential stuffing attempts can overcome WAF, rate limiting, HTTP request analysis, IP address blacklist are all elements that make for a stronger first line of defense in a WAF.
Monitoring customer reports of fraud: If a business has received an uptick in fraud complaints, it likely signals a successful credential stuffing attack. To keep track of this kind of activity, the OAG recommends implementing regular reviews of fraud cases to identify spikes in activity, and open communication between customer service and information security.

The OAG worked with the impacted companies to uncover how threat actors avoided security safeguards, which led to almost all of the companies adding additional security controls to their practices.