NY AG's credential stuffing probe finds 1M exposed accounts

The threat of credential stuffing attacks prompted an investigation by the New York Attorney General, which found stolen passwords for customer accounts across 17 companies.

An investigation by the New York State Office of the Attorney General revealed the damage of a series of credential stuffing attacks on enterprises, many of which went undetected.

After several months of monitoring multiple hacker forums dedicated to "one of the top attack vectors online" the OAG discovered login credentials for customer accounts at 17 "well-known companies." While the companies were not named, sectors included online retailers, restaurant chains and food delivery services. In a press release Wednesday, the Office of the Attorney General (OAG) said more than 1.1 million customer accounts appeared to have been compromised in these credential stuffing attacks.

Credential stuffing is especially dangerous because it takes advantage of poor password practices, especially reused passwords across different accounts. Another danger highlighted by the New York OAG is that while most login attempts will fail, "a single attack can yield thousands of compromised accounts due to the sheer volume of attempts."

"Credential stuffing attacks have become so prevalent that they are, for most businesses, unavoidable," the press release said.

Screenshot of a post from dark web marketplace RaidForums
A report from the New York State Office of the Attorney General included a screenshot of an apparent post from dark web marketplace RaidForums, where a user was selling valid customer credentials.

Investigation highlights

The OAG investigation spent several months analyzing hacker forums, including the dark web marketplace RaidForums, and found thousands of posts offering valid account credentials for various companies. Once the significant number of compromised accounts was discovered, each of the 17 companies was alerted, urged to investigate and "take immediate steps to protect impacted customers." Every company did so, according to the OAG.

However, individual investigations revealed a somber fact.

"The companies' investigation revealed that most of the attacks had not been previously detected," the press release stated.

In addition to alerts, the OAG also worked with the companies to determine how attackers were successful despite existing safeguards, and provided steps to protect against the "growing threat." Nearly all of the companies introduced or presented plans to introduce additional safeguards, according to the OAG.

The OAG report said requiring reauthentication at the time of purchase is "critically important" for protecting customers' accounts. One example the OAG provided was requiring customers to re-enter a credit card number or security code.

"The OAG encountered many cases in which attackers were able to exploit gaps in fraud protection by making a purchase using a payment method that did not require reauthentication," the press release said.

The New York OAG also noted ways enterprises can protect themselves from this costly threat, such as using bot detection, multifactor authentication and password-less authentication. More in-depth measures were advised in the "Business Guide for Credential Stuffing Attacks," a report issued by New York Attorney General Letitia James.

This is not the first government-issued alert regarding the risks of credential stuffing attacks. In 2020, the FBI sent a private industry notification that warned of attacks against the U.S. financial sector. According to the notification, "since 2017 the FBI had received reports on credential stuffing attacks against U.S. financial institutions, collectively detailing nearly 50,000 compromised accounts." Now, it appears that number is growing.

Some retail and restaurant companies such as Dunkin' have suffered multiple credential stuffing attacks in recent years. In 2019, Dunkin' customers were sent two alerts in less than three months.

More recent examples include an attack against energy supplier NPower in February that forced the shutdown of its mobile app and compromised accounts and personal data. Last month, password manager LastPass was targeted in an apparent credential stuffing attacks, though the company said no accounts were compromised. In a statement to SearchSecurity, LastPass said an investigation found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error.

Dig Deeper on Data security and privacy

Enterprise Desktop
Cloud Computing