
1.1 million New Yorkers impacted by 'credential stuffing'

Credential stuffing is 'a type of cyberattack that involves attempts to log in to online accounts using username and passwords stolen from other sites.'

NEW YORK — New York State Attorney General Letitia James says her office has alerted 17 companies of 'credential stuffing' cyber attacks that have impacted more than 1.1 million consumers.

The AG's office says credential stuffing is "a type of cyberattack that involves attempts to log in to online accounts using username and passwords stolen from other, unrelated online services." The attackers rely on the fact that some consumers use the same password across multiple sites.  

An attacker may be able to access the consumer's personal information, as well as credit card information to be used to make fraudulent charges.

"Right now, there are more than 15 billion stolen credentials being circulated across the internet, as users’ personal information stands in jeopardy," said Attorney General James. "Businesses have the responsibility to take appropriate action to protect their customers’ online accounts and this guide lays out critical safeguards companies can use in the fight against credential stuffing. We must do everything we can to protect consumers’ personal information and their privacy."

James says her office notified the 17 companies, which include online retailers, restaurants and food delivery services. The office says it collected credentials for more than 1.1 million customer accounts through its investigation.

The Office of the Attorney General recommends the following safeguards to help companies protect consumer information:

  • Because no safeguard is 100 percent effective, it is critical that businesses have an effective way of detecting attacks that have bypassed other defenses and compromised customer accounts. Most credential stuffing attacks can be identified by monitoring customer traffic for signs of attacks (for example, spikes in the volume of failed login attempts).
  • One of the most effective safeguards for preventing attackers from using customers’ stored payment information is re-authentication at the time of purchase by, for example, requiring customers to re-enter a credit card number or security code. It is critically important that re-authentication be required for every method of payment that a business accepts. The OAG encountered many cases in which attackers were able to exploit gaps in fraud protection by making a purchase using a payment method that did not require re-authentication. 
  • Businesses should have a written incident response plan that includes processes for responding to credential stuffing attacks. The processes should include investigation (e.g., determining whether and which customer accounts were accessed), remediation (e.g., blocking attackers’ continued access to impacted accounts), and notice (e.g., alerting customers whose accounts were reasonably likely to have been impacted).
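The first safeguard above, monitoring login traffic for spikes in failed attempts, can be turned into a simple detector. The following is an added example, not code from the Attorney General's office or from any of the notified companies; it goes slightly beyond the text by also requiring that the failures come from one source against many distinct usernames (the signature of a stuffing run rather than one customer mistyping a password) and by listing which accounts that source then logged into, which feeds the investigation step of the response plan. The log format, thresholds and IP addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article): "timestamp ip username result"
SAMPLE_LOG = """\
2022-01-05T10:00:01 203.0.113.7 alice FAIL
2022-01-05T10:00:02 203.0.113.7 bob FAIL
2022-01-05T10:00:02 198.51.100.2 alice FAIL
2022-01-05T10:00:03 203.0.113.7 carol FAIL
2022-01-05T10:00:04 203.0.113.7 dave FAIL
2022-01-05T10:00:05 198.51.100.2 alice FAIL
2022-01-05T10:00:05 203.0.113.7 erin FAIL
2022-01-05T10:00:06 203.0.113.7 frank OK
2022-01-05T10:00:07 203.0.113.7 grace FAIL
2022-01-05T10:00:09 198.51.100.2 alice OK
"""

def parse_log(text):
    """Parse whitespace-separated lines into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_failures=5, min_users=3):
    """Flag source IPs with >= min_failures failed logins inside one sliding window
    spread over >= min_users distinct usernames; report accounts the IP then accessed."""
    failures, successes = defaultdict(list), defaultdict(set)
    for ts, ip, user, result in sorted(events):
        if result == "FAIL":
            failures[ip].append((ts, user))   # kept in time order for the window scan
        else:
            successes[ip].add(user)           # successful logins from the same source
    alerts = {}
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide the left edge
                start += 1
            span = fails[start:end + 1]
            users = {u for _, u in span}
            worst = alerts.get(ip, {}).get("failed_logins", 0)
            if len(span) >= min_failures and len(users) >= min_users and len(span) > worst:
                alerts[ip] = {"failed_logins": len(span), "distinct_users": len(users),
                              "accounts_accessed": sorted(successes[ip])}
    return alerts

if __name__ == "__main__":
    print(detect_stuffing(parse_log(SAMPLE_LOG)))
```

In the sample, 198.51.100.2 fails twice on a single account and then succeeds, which is normal customer behaviour and is not flagged; 203.0.113.7 fails across six different usernames within seconds and is reported together with the one account it did get into.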