
1.1 million compromised accounts found at 17 major companies

A New York State Attorney General (AG) investigation revealed that over 1.1 million accounts have been compromised after credential stuffing attacks against 17 companies.

What is credential stuffing?

Credential stuffing is an attack in which cybercriminals use automated scripts to try large volumes of username and password combinations, typically taken from earlier breaches, against a site’s login. Where a combination works, they can take over the account and, depending on what it gives them access to, potentially take several actions, including:

  • Using the account credentials and access as a gateway to further accessing a victim’s device or network
  • Stealing sensitive information or financial details
  • Setting up phishing attacks from email accounts by impersonating the victim or their contacts

Credential stuffing attacks often succeed because common, easy-to-guess passwords are so widely used worldwide. They can also make a significant dent in a business’s finances. In the United States, businesses reportedly lose an average of $6 million a year to credential stuffing. These losses come from various places, including application downtime, lost customers and sales, and increased IT security and monitoring costs. Should businesses be hacked and lose consumer data, they are also at risk of being fined by data protection authorities and liable for compensation to affected consumers.

Credential stuffing attacks on the rise

James McQuiggan, a security awareness advocate at KnowBe4, told Threatpost in an email: “With over 8.4 billion passwords in the wild and over 3.5 billion of those passwords tied to actual email addresses, it provides a starting point and easy attack vector for cybercriminals to target various online sites that utilize accounts for their customers.

“These types of attacks give access to personal information about the user, their tax information and of course, their Social Security numbers for them and possibly their immediate family. Additionally, cybercriminals recognize that many organizations or users will not implement additional security measures and use the same password across various website accounts.”

Aiming to understand the extent to which credential stuffing was a problem, the Office of the AG (OAG) undertook a lengthy investigation, primarily focusing on analysing activity across cybercrime forums that discuss credential stuffing.

In a media statement released in early January, the Office of the AG said: “The OAG found thousands of posts that contained customer login credentials that attackers had tested in a credential stuffing attack and confirmed could be used to access customer accounts at websites or on apps.”

It described the 17 brands affected by these most recent attacks as “well-known online retailers, restaurant chains and food delivery services.”

Companies largely unaware they had been targeted

The OAG also said it had alerted the companies concerned, although it didn’t publicly name them. At the time of writing, there had been no reports of significant numbers of customers at specific companies being notified of data breaches, so it isn’t clear what action has been taken or who the affected organisations are.

However, it has been reported that many of the affected companies’ internal investigations found that successful credential stuffing attacks hadn’t been detected. As such, nearly all those affected have been forced to take steps to implement additional security safeguards. Safeguards put in place by some of the affected companies are thought to include bot detection, two-factor (2FA) and multi-factor authentication (MFA), and password-free authentication.

New York AG Letitia James told Threatpost: “Right now, there are more than 15 billion stolen credentials being circulated across the internet, as users’ personal information stands in jeopardy.

“Businesses have the responsibility to take appropriate action to protect their customers’ online accounts and this guide lays out critical safeguards companies can use in the fight against credential stuffing. We must do everything we can to protect consumers’ personal information and their privacy.”

All parties warned to look out for new attacks

While these recent credential stuffing attacks were made on businesses, security researchers have called on consumers and organisations to be wary of subsequent attacks, potentially facilitated by stolen data.

Ron Bradley, vice president at Shared Assessments, told Threatpost via email: “Like many people today, I have a neighborhood-watch application which alerts me to things happening in my community.

“Oftentimes people will post videos of threat actors checking the locks on cars and home doors … this perimeter ‘doorknob’ testing is similar to the recent announcement by the New York OAG. The fact is, there are billions of compromised credentials easily available on the internet. Threat actors will constantly use these resources in an attempt to breach digital assets.”

How to protect against credential stuffing and protect yourself online

Bradley shared additional advice with Threatpost, saying: “In this case, the importance of identity and access management (IAM) cannot be overstated. Organizations absolutely must enforce multiple layers of protection, especially when it comes to accessing sensitive data. The equation to combat this issue is straightforward.”

Bradley said the ideal approach included:

  • Using strong passwords, but ideally passphrases
  • Privileged access being accompanied by 2FA or MFA
  • Throttling internet-facing apps to prevent “brute-force” login attempts
  • Deployment and validation of detection and response mechanisms

He added: “These are just a few of the fundamental controls needed to protect your data.

“It’s important to remember your digital asset boundary is like squeezing a balloon. You can tighten one side, but the other side expands. The challenge is finding that middle ground. When third parties are involved, the task becomes increasingly difficult as you must ensure they are following no less than the controls you’ve specified.”

While Bradley’s tips were predominantly aimed at businesses, the use of strong passwords and 2FA or MFA is highly relevant to consumers. Consumers should also ensure they never use the same password twice and consider using a password manager app to help them set and store strong passwords.
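As an added illustration of the throttling and detection controls listed above (example code written for this page, not code from the article or from Shared Assessments), the following Python flags a login source that cycles through many distinct usernames with mostly failed attempts, the footprint the automated scripts described earlier leave in an authentication log; the log format, sample lines and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the article): one source cycles through
# many distinct usernames with mostly failed logins; a normal user retries once.
SAMPLE_LOG = """\
2022-01-05T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2022-01-05T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2022-01-05T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2022-01-05T10:00:03Z ip=203.0.113.5 user=dave result=OK
2022-01-05T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2022-01-05T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2022-01-05T10:00:10Z ip=198.51.100.7 user=grace result=FAIL
2022-01-05T10:00:20Z ip=198.51.100.7 user=grace result=OK
"""

def parse_line(line):
    # Assumed format: "<ISO timestamp> ip=<addr> user=<name> result=<OK|FAIL>"
    ts_str, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["ip"], fields["user"], fields["result"] == "OK"

def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_users=5, max_success_ratio=0.2):
    """Return {ip: stats} for sources whose attempts inside a sliding window look
    like credential stuffing: many distinct usernames, mostly failing."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window start
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            successes = sum(1 for _, _, ok in win if ok)
            if len(users) >= min_users and successes / len(win) <= max_success_ratio:
                flagged[ip] = {"attempts": len(win), "distinct_users": len(users),
                               "successes": successes}
    return flagged

def global_failure_rate(log_text):
    """Share of all attempts that failed. Stuffing spread across many proxy IPs
    evades per-IP checks but still pushes this site-wide rate above baseline."""
    results = [parse_line(l)[3] for l in log_text.splitlines() if l.strip()]
    return 1 - sum(results) / len(results)
```

A flagged source is a candidate for the throttling Bradley recommends, while a jump in the site-wide failure rate is the cue to widen the check to per-account baselines, since a single retrying user never reaches the distinct-username threshold.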

In closing, McQuiggan also said people should stop using old passwords that were involved in data breaches. When cybercriminals find credentials, one of the first things they’ll do is attempt to use the same user and password combinations on other websites.

McQuiggan told Threatpost: “The easiest way to see if one’s accounts have been involved in a breach is to check the website, which tracks email addresses and phone numbers that have been in data breaches over the past fifteen years.”
