Last Updated on 07/01/2022 by Sanskriti
Attorney General Letitia James of New York says her office has notified 17 companies about ‘credential stuffing’ cyber intrusions that have affected over 1.1 million people.
Credential stuffing is a type of cyberattack in which attackers try to log into online accounts with stolen credentials. These credentials are either stolen from unrelated internet businesses or disclosed through data breaches.
Poor password practices are one of the main reasons such attacks succeed: attackers rely on passwords that are reused across many accounts.
When an attacker gains access to a user’s account, they can see personal information such as the user’s name, address, and previous purchases.
The attackers may be able to make fraudulent purchases if a credit card or gift card is saved in the account.
Alternatively, attackers might profit financially by selling credentials on dark web forums.
In a news release, the OAG stated that over the last several months, credential stuffing attacks have targeted roughly 17 well-known online retailers, restaurant chains, and food delivery services.
After looking through thousands of posts containing credentials for over 1.1 million client accounts, the office was able to corroborate the attacks.
The affected businesses were tasked with conducting an investigation and taking prompt steps to protect their consumers’ information.
Because of the increasing incidence of credential stuffing attacks against enterprises, the OAG has recommended that businesses implement a strong data security programme. It also recommended putting in place mechanisms to defend against, detect, avoid, and respond to such attacks.
Implementing multi-factor authentication for accounts is one of the recommended measures. Traffic monitoring tools that detect surges in failed login attempts can also thwart credential stuffing attacks. The study has other recommendations.
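To illustrate the kind of monitoring described above, here is a minimal failed-login surge detector. It is an added example, not code from the OAG or its guide. The log format, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

def make_sample_log():
    """Constructed events in an assumed format: 'timestamp source-ip username result'."""
    lines = []
    # Quiet baseline: minutes 10:00-10:04, two failures and one success per minute.
    for m in range(5):
        for s in range(2):
            lines.append(f"2022-01-05T10:{m:02d}:{s * 20:02d} 198.51.100.{m + 1} user{m} FAIL")
        lines.append(f"2022-01-05T10:{m:02d}:50 198.51.100.9 alice OK")
    # Surge: minute 10:05, 40 failures spread over 40 different accounts.
    for i in range(40):
        lines.append(f"2022-01-05T10:05:{i:02d} 203.0.113.{i % 4 + 1} acct{i} FAIL")
    # Minute 10:06 is back to normal.
    lines.append("2022-01-05T10:06:10 198.51.100.2 bob FAIL")
    return lines

def detect_failed_login_surges(lines, factor=5, min_failures=20, history=5):
    """Return (minute, failures, distinct_accounts) for each minute whose
    failure count exceeds both min_failures and factor x the recent baseline."""
    fails = defaultdict(list)  # minute -> usernames that failed in that minute
    for line in lines:
        ts, _ip, user, result = line.split()
        if result == "FAIL":
            minute = datetime.fromisoformat(ts).replace(second=0)
            fails[minute].append(user)
    alerts, prior = [], []
    # Minutes with no failures are absent, which keeps the baseline conservative.
    for minute in sorted(fails):
        count = len(fails[minute])
        baseline = median(prior[-history:]) if prior else 0
        if count >= min_failures and count > factor * max(baseline, 1):
            # Many distinct accounts in one surge points to stuffing rather
            # than repeated guessing against a single account.
            alerts.append((minute.isoformat(), count, len(set(fails[minute]))))
        else:
            prior.append(count)  # only non-surge minutes feed the baseline
    return alerts

if __name__ == "__main__":
    for minute, count, accounts in detect_failed_login_surges(make_sample_log()):
        print(f"{minute}: {count} failed logins across {accounts} accounts")
```

The distinct-account count is reported because a surge spread over many usernames is the pattern credential stuffing produces, which helps separate it from one user mistyping a password.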
“Right now, there are more than 15 billion stolen credentials being circulated across the internet, as users’ personal information stand in jeopardy,” said Attorney General James. “Businesses have the responsibility to take appropriate action to protect their customers’ online accounts and this guide lays out critical safeguards companies can use in the fight against credential stuffing. We must do everything we can to protect consumers’ personal information and their privacy.”