Bureau of Internet and Technology helped affected organizations secure accounts and bolster defenses

New York Attorney General flags 1.1 million online accounts compromised by credential stuffing attacks

More than 1.1 million online customer accounts at 17 “well-known” businesses were compromised via credential stuffing attacks, an investigation by the New York State Office of the Attorney General (OAG) has found.

The OAG said all the affected organizations – which include online retailers, restaurant chains, and food delivery services – implemented remedial measures upon being notified, such as alerting affected individuals and resetting passwords.

The companies’ own investigations subsequently revealed that most of the attacks had not previously been detected.

Simple and effective attack

Credential stuffing attacks use specialized software to ‘stuff’, at high velocity, thousands or millions of username-password combinations gleaned from data breach dumps into sign-in pages.

Also called a ‘password reuse’ attack, the mostly automated technique is both comparatively simple and, since around two in three internet users (PDF) use the same login details across multiple online accounts, highly effective.

READ MORE Credential stuffing attacks: How to protect your accounts from being compromised

After hijacking online accounts, attackers can then steal victims’ identities and potentially bypass more stringent authentication processes implemented by banks and other custodians of high value assets.

Content delivery network Akamai observed more than 193 billion (PDF) credential stuffing attacks in 2020 alone.

Months-long investigation

During an investigation lasting several months, the OAG’s Bureau of Internet and Technology monitored several online cybercrime communities dedicated to credential stuffing.

The bureau compiled credentials that attackers had successfully compromised using the account takeover technique after trawling thousands of posts.

Affected organizations were then helped to determine how existing safeguards had been circumvented and given recommendations for preventing recurrences.

“Nearly all” of the 17 affected companies have since implemented, or devised plans to implement, additional safeguards, said the OAG in a press release issued yesterday (January 5).


In a guide (PDF) published to help New York State businesses protect their customers from credential stuffing attacks, the OAG said the most effective safeguards were bot detection services, multi-factor authentication, and passwordless authentication.

The OAG also urged e-commerce platforms to make purchases contingent on the re-authentication of credit card details, having encountered many instances where the absence of such a mechanism had resulted in fraudulent purchases.

Catch up on the latest cyber-attack news and analysis

Incident response plans, meanwhile, should include processes for ascertaining whether and which accounts have been breached, blocking attackers’ continued access to impacted accounts, and notifying potentially affected customers.

“Right now, there are more than 15 billion stolen credentials being circulated across the internet, as users’ personal information stand in jeopardy,” said New York Attorney General Letitia James.

“Businesses have the responsibility to take appropriate action to protect their customers’ online accounts and this guide lays out critical safeguards companies can use in the fight against credential stuffing.”

YOU MAY ALSO LIKE Web skimming attacks on hundreds of real estate websites deployed via cloud video hosting service