NEW YORK (NEWS10) – The Office of the Attorney General (OAG) has collected credentials for more than 1.1 million customer accounts, all of which appear to have been compromised in credential stuffing attacks. OAG says its investigation, conducted over a period of several months, monitored several online communities dedicated to credential stuffing.
Credential stuffing is a type of cyberattack that attempts to log in to online accounts using usernames and passwords stolen from other, unrelated online sources. An attacker accomplishes this by submitting hundreds of thousands, or even millions, of login attempts using automated credential-stuffing software along with lists of stolen credentials downloaded from the dark web or hacking forums.
These attacks rely on the widespread practice of reusing passwords: chances are, a password used on one website was also used on another. Officials say that although only a small percentage of these attempts will succeed, the sheer volume of login attempts can nevertheless yield thousands of compromised accounts.
According to the OAG, it discovered thousands of posts containing login credentials that had been tested in credential stuffing attacks on a website or app and confirmed to provide access to a customer account. OAG said members of these online communities were free to use these validated credentials to access the customer accounts or to use them for their own credential stuffing attacks on other companies’ websites and apps.
The OAG compiled login credentials for customer accounts at 17 well-known companies, which included online retailers, restaurant chains, and food delivery services. OAG contacted each of the 17 companies to alert them to the compromised accounts and asked each company to investigate and take steps to protect impacted customers.
Company officials say their investigations revealed that most of the attacks had not previously been detected. Over the course of the OAG’s investigation, nearly all of the companies implemented or made plans to implement additional safeguards.
Officials say an attacker that gains access to an account can use it in any number of ways: for example, to view personal information associated with the account, including a name, an address, and past purchases, and to use this information in a phishing attack. If the account has a stored credit card or gift card, the attacker may be able to make fraudulent purchases. Or the attacker could simply sell the login credentials to another individual on the dark web.
OAG officials recommend that every business that maintains online customer accounts have a data security program that includes effective safeguards for protecting consumers from credential stuffing attacks, with safeguards implemented in each of four areas:
- Defending against credential stuffing attacks
- Detecting a credential stuffing breach
- Preventing fraud and misuse of customer information
- Responding to a credential stuffing incident
In addition, the OAG’s guide presents specific guidelines and safeguards that have been found to be effective in each of these areas. Some highlights from the guide include the following:
- Bot detection services
- Multi-factor authentication
- Password-less authentication
Because no safeguard is 100 percent effective, OAG says it is crucial that businesses have an effective way of detecting attacks that have bypassed other defenses and compromised customer accounts. One method officials consider critically important is requiring re-authentication for every method of payment that a business accepts.
One of the most effective safeguards for preventing attackers from using customers’ stored payment information is re-authentication at the time of purchase, for example by requiring customers to re-enter a credit card number or security code. During its investigation, OAG encountered many cases in which attackers were able to exploit gaps in fraud protection by making a purchase using a payment method that did not require re-authentication.
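Detection logic of the kind the OAG’s second area (detecting a credential stuffing breach) calls for, as an added example that is not from the OAG guide or this article: a short Python script scans constructed authentication log lines and flags a client address that tries many distinct usernames with a low success rate, the pattern described above, and lists the accounts it did reach so they can be locked or forced through re-authentication. The log format, thresholds and IP addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample log (not real data). Format: "<timestamp> <client_ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-01-05T10:00:01Z 203.0.113.7 alice FAIL
2024-01-05T10:00:01Z 203.0.113.7 bob FAIL
2024-01-05T10:00:02Z 203.0.113.7 carol OK
2024-01-05T10:00:02Z 203.0.113.7 dave FAIL
2024-01-05T10:00:03Z 203.0.113.7 erin FAIL
2024-01-05T10:00:03Z 203.0.113.7 frank FAIL
2024-01-05T10:00:04Z 203.0.113.7 grace FAIL
2024-01-05T10:00:04Z 203.0.113.7 heidi OK
2024-01-05T10:01:10Z 198.51.100.9 ivan FAIL
2024-01-05T10:01:25Z 198.51.100.9 ivan FAIL
2024-01-05T10:01:40Z 198.51.100.9 ivan OK
"""

def parse_log(text):
    """Yield (client_ip, username, succeeded) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, ip, user, result = parts
        yield ip, user, result == "OK"

def detect_credential_stuffing(log_text, min_attempts=5, min_distinct_users=5, max_success_rate=0.25):
    """Flag client IPs that try many different usernames with mostly failures (assumed thresholds).

    A legitimate user mistyping their own password hits one username, so it is not flagged.
    Returns {ip: {attempts, distinct_users, success_rate, compromised}} for suspicious IPs.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "compromised": []})
    for ip, user, ok in parse_log(log_text):
        entry = per_ip[ip]
        entry["attempts"] += 1
        entry["users"].add(user)
        if ok:
            entry["compromised"].append(user)  # accounts needing lockout / forced re-auth
    flagged = {}
    for ip, e in per_ip.items():
        rate = len(e["compromised"]) / e["attempts"]
        if e["attempts"] >= min_attempts and len(e["users"]) >= min_distinct_users and rate <= max_success_rate:
            flagged[ip] = {"attempts": e["attempts"], "distinct_users": len(e["users"]),
                           "success_rate": round(rate, 3), "compromised": sorted(e["compromised"])}
    return flagged

if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

In the sample, 203.0.113.7 is flagged (8 attempts across 8 usernames, 2 successes) while 198.51.100.9, a single user retrying their own password, is not.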