Credential Stuffing Compromises More Than 1.1 Million Online Accounts

A credential stuffing scheme has compromised more than 1.1 million online accounts in cyberattacks at 17 well-known companies.

That’s according to New York Attorney General Letitia James. Credential stuffing is a cyberattack  in which attackers use lists of compromised user credentials to breach into a system. Users tend to reuse the same passwords across multiple online services. This allows cybercriminals to use passwords stolen from one company for other online accounts.

New York Attorney General Letitia James

“Right now, there are more than 15 billion stolen credentials being circulated across the internet, as users’ personal information stand in jeopardy,” James said.

An attacker that gains access to an account can use it in any number of ways. The attacker can view personal information associated with the account, including a name, address and past purchases. They can use this information in a phishing attack. If the account has a stored credit card or gift card, the attacker may be able to make fraudulent purchases.

Moreover, the attacker could sell the login credentials to another individual on the dark web.

Credential Stuffing Investigation

The Office of the Attorney General (OAG) compiled credentials to compromised accounts at 17 well-known companies. Those include online retailers, restaurant chains and food delivery services. In all, the OAG collected credentials for more than 1.1 million customer accounts. All appeared to have been compromised in credential stuffing attacks.

The OAG alerted each of the 17 companies to the compromised accounts. It urged the companies to investigate and take steps to protect impacted customers. Every company did so. The companies’ investigations revealed that most of the attacks had not previously been detected.

In light of the growing threat of credential stuffing, the OAG launched an investigation to identify businesses and consumers impacted by this attack vector. Over a period of several months, the OAG monitored several online communities dedicated to credential stuffing. It found thousands of posts with customer login credentials that attackers had tested in a credential stuffing attack. Moreover, it confirmed the credentials could be used to access customer accounts at websites or on apps.

The OAG also worked with the companies to determine how attackers had circumvented existing safeguards and provided recommendations for strengthening their data security programs to better secure customer accounts in the future. Over the course of the OAG’s investigation, nearly all of the companies implemented, or made plans to implement, additional safeguards.

Easy Attack Vector

James McQuiggan is security awareness advocate at KnowBe4.

KnowBe4’s James McQuiggan

“With over 8.4 million passwords in the wild and over 3.5 billion of those passwords tied to actual email addresses, it provides a starting point and easy attack vector for cybercriminals to target various online sites that utilize accounts for their customers,” he said. “These types of attacks give access to personal information about the user, their tax information and of course, their Social Security numbers for them and possibly their immediate family. Additionally, cybercriminals recognize that many organizations or users will not implement additional security measures and use the same password across various website accounts.”

Organizations can protect their customers, users or employees by requiring a multifactor authentication (MFA) from an authenticator app or possibly an text message with a code needed to log in with the password, McQuiggan said.

“If users set up accounts with the previously exposed passwords, they are making it easy for cybercriminals to steal their data,” he said. “Users should ensure they are using strong passwords or passphrases for their various website accounts and, where available, MFA to secure their accounts. This way, in the event of a password credential stuffing attack, it will reduce their risk of exposure to losing their sensitive information.”

Stop Using Old Passwords

Users need to stop using old passwords that were involved in data breaches, McQuiggan said.

The easiest way to see if one’s accounts have been involved in a breach is to check HaveIBeenPwned.com, he said. It tracks email addresses and phone numbers that have been in data breaches over the past 15 years.

Sam Jones is vice president of product management at Stellar Cyber.

“The best practice for enterprises to prevent credential stuffing is to stick to the basics,” he said. “Enforce strong MFA and go passwordless if possible. For end users, given we still live in a password world, the best thing you can do is ensure you don’t reuse passwords across services.”