Seventeen companies have been informed of cyberattacks that compromised user information by New York Attorney General Letitia James following an investigation into credential stuffing. More than 1 million customer accounts were compromised due to the attacks, which James said were previously undetected. 

James said her office was releasing a guide for businesses on how they can deal with credential stuffing attacks, noting that the practice has “quickly become one of the top attack vectors online.” The 17 businesses affected include well-known online retailers, restaurant chains, and food delivery services.

The FBI said last year that credential stuffing attacks — which involve repeated, automated attempts to access online accounts using usernames and passwords stolen from other online services — have been used to compromise 50,000 online bank accounts since 2017. Akamai released a report last year that found over 193 billion credential stuffing attacks occurred globally in 2020. 

“Right now, there are more than 15 billion stolen credentials being circulated across the internet, as users’ personal information stand in jeopardy,” said James. “Businesses have the responsibility to take appropriate action to protect their customers’ online accounts, and this guide lays out critical safeguards companies can use in the fight against credential stuffing. We must do everything we can to protect consumers’ personal information and their privacy.”

The Office of the Attorney General (OAG) monitored online communities dedicated to credential stuffing and found thousands of posts containing customer login credentials that attackers had tested in a credential stuffing attack and confirmed could be used to access customer accounts at websites or websites on apps.

After contacting the companies, all 17 investigated the OAG’s findings and took steps to protect users. OAG said, “nearly” all of the companies “implemented, or made plans to implement additional safeguards.”

These safeguards include bot detection services, multi-factor authentication and password-less authentication. They also urged companies to monitor customer traffic for signs of credential stuffing attacks like spikes in traffic volume of failed login attempts.

James also said businesses need to institute re-authentication for customer payment information as a way to prevent attackers from gaining access to sensitive information. 

“It is critically important that re-authentication be required for every method of payment that a business accepts. The OAG encountered many cases in which attackers were able to exploit gaps in fraud protection by making a purchase using a payment method that did not require re-authentication,” the OAG said. 

“Businesses should have a written incident response plan that includes processes for responding to credential stuffing attacks. The processes should include investigation and notice.”

Two weeks ago, the UK National Crime Agency and National Cyber Crime Unit discovered a 225 million cache of stolen emails and passwords, eventually handing it over to HaveIBeenPwned, which tracks credentials stolen and/or leaked through past data breaches.