New York Attorney General Warns Businesses About Credential Stuffing Attacks

  • New York AG Letitia James warned that more than 1.1 million online accounts were compromised in cyberattacks known as “credential stuffing attacks” at 17 well-known companies and released a guide with recommendations for how businesses can safeguard consumer accounts from such attacks.
  • According to the AG’s office, credential stuffing attacks involve the repeated and automated use of usernames and passwords stolen from online services in an effort to gain unauthorized access to online accounts at other, unrelated online services. Credential stuffing, which may involve the submission of millions of login attempts, is one of the most common forms of cyberattack, and the AG’s office warned that such attacks are so prevalent as to be practically unavoidable.
  • The recommendations in the guide include implementing effective cybersecurity measures, such as deploying bot detection services, multi-factor authentication, and password-less authentication; requiring consumers to reenter information such as credit card numbers at each purchase; and preparing a written incident reporting plan that includes investigation, notification, and remediation protocols.