There have been more than 1.1 million online accounts compromised in a series of credential stuffing attacks against 17 different companies, according to a New York State investigation. Credential stuffing attacks, such as last year’s attack on Spotify, use automated scripts to try high volumes of usernames and password combinations against online accounts to take them over. Once in, cybercriminals can use the compromised accounts for various purposes: As a pivot point to penetrate deeper into a victim’s machine and network, to drain accounts of sensitive information (or monetary value), and if it’s an email account, they can impersonate the victim for attacks on others. Such attacks are often successful thanks to password reuse and the use of common/easy-to-guess passwords, like “123456.” These attacks are also costly. The Ponemon Institute’s Cost of Credential Stuffing report found that businesses lose an average of $6 million per year to credential stuffing in the form of application downtime, lost customers, and increased IT costs. “With over 8.4 billion passwords in the wild and over 3.5 billion of those passwords tied to actual email addresses, it provides a starting point and easy attack vector for cybercriminals to target various online sites that utilize accounts for their customers,” said James McQuiggan, security awareness advocate at KnowBe4. “These types of attacks give access to personal information about the user, their tax information, and of course, their Social Security numbers for them and possibly their immediate family. Additionally, cybercriminals recognize that many organizations or users will not implement additional security measures and use the same password across various website accounts.” To examine the extent of the problem, the Office of the Attorney General (OAG) embarked on a months-long examination of activity in underground cybercrime forums dedicated to credential stuffing. “The OAG found thousands of posts that contained customer login credentials that attackers had tested in a credential stuffing attack and confirmed could be used to access customer accounts at websites or on apps,” according to a Wednesday media statement. The 17 affected organizations are “well-known online retailers, restaurant chains and food delivery services,” the official added. The OAG alerted the relevant companies so that passwords could be reset, and consumers could be notified, it said. The companies’ own internal investigations revealed that most of the attacks had not previously been detected, so nearly all the companies implemented, or made plans to implement, additional safeguards, including bot detection services, multifactor authentication, and password-less authentication. “Right now, more than 15 billion stolen credentials are being circulated across the internet, as users’ personal information stands in jeopardy,” said New York Attorney General Letitia James. “Businesses have the responsibility to take appropriate action to protect their customers’ online accounts and this guide lays out critical safeguards companies can use in the fight against credential stuffing. We must do everything we can to protect consumers’ personal information and their privacy.”
Analyst Notes
There are a few fundamental controls organizations should implement to better protect themselves against credential stuffing attacks:
• Strong passwords are good, but passphrases are better
• Privileged access should always be accompanied with multifactor authentication
• Restrict internet-facing applications to prevent brute-force login attempts
• Detection and response mechanisms must be deployed and validated regularly
• If a password was found in a breach, that password should be changed immediately and never used on any login again
