Credential stuffers have compromised over a million customer accounts linked to 17 well-known companies, New York’s attorney general has confirmed.
Letitia James yesterday announced the results of a “sweeping” investigation into the practice, in which hackers use automated software to try username and password pairs leaked in earlier breaches against many other sites’ login pages at once, to see which ones still work.
Once inside the accounts, they look for personal and financial information to steal and/or try to buy goods with saved cards fraudulently.
As James said in her notice, the practice is made possible because many people use the same passwords across multiple online accounts.
New York’s Office of the Attorney General (OAG) has alerted the relevant companies so they can reset passwords and notify affected customers, claiming most of the malicious activity had not been detected.
It also released a guide outlining how organizations can detect, defend against and respond to credential stuffing attacks and prevent any follow-on fraud.
Bot detection services were recommended as an effective way to spot and block such attacks, as threat actors typically use these automated applications.
The OAG also urged firms to offer customers multi-factor and passwordless authentication options to foil their attackers: with either in place, a stolen password alone is not enough to get into the account.
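The signal that distinguishes credential stuffing from ordinary brute force is the one bot-detection products key on: a single source trying many different usernames, each only once or twice, with a high failure rate in a short window. The script below is an added example (not from the OAG guide or any vendor) that scores sources in a constructed authentication log by exactly those three signals, and lists the accounts where a flagged source did succeed, which are the ones a company would need to reset and notify. The log format, field names and thresholds are assumptions for illustration.

```python
"""Credential-stuffing detector over authentication logs (added example).

Scores each source IP on three signals: many distinct usernames, many
attempts, and a high failure ratio, all within a sliding time window.
Log lines and thresholds are constructed for illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). Assumed format:
# "<ISO timestamp> ip=<src> user=<login> result=<success|failure>"
SAMPLE_LOG = """\
2024-01-05T10:00:01 ip=203.0.113.10 user=alice result=failure
2024-01-05T10:00:02 ip=203.0.113.10 user=bob result=failure
2024-01-05T10:00:02 ip=203.0.113.10 user=carol result=failure
2024-01-05T10:00:03 ip=203.0.113.10 user=dave result=success
2024-01-05T10:00:03 ip=203.0.113.10 user=erin result=failure
2024-01-05T10:00:04 ip=203.0.113.10 user=frank result=failure
2024-01-05T10:00:04 ip=203.0.113.10 user=grace result=failure
2024-01-05T10:00:05 ip=203.0.113.10 user=heidi result=failure
2024-01-05T10:00:05 ip=203.0.113.10 user=ivan result=success
2024-01-05T10:00:06 ip=203.0.113.10 user=judy result=failure
2024-01-05T10:01:00 ip=198.51.100.7 user=alice result=failure
2024-01-05T10:01:05 ip=198.51.100.7 user=alice result=failure
2024-01-05T10:01:09 ip=198.51.100.7 user=alice result=success
2024-01-05T10:02:00 ip=192.0.2.44 user=bob result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>success|failure)$"
)


def parse_log(text: str) -> list[dict]:
    """Parse lines matching LINE_RE; lines in any other format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ip": m["ip"],
            "user": m["user"],
            "ok": m["result"] == "success",
        })
    return events


def score_sources(events, window=timedelta(minutes=5),
                  min_users=5, min_attempts=8, min_failure_ratio=0.6):
    """Return {ip: stats} for sources whose activity looks like stuffing.

    An IP is flagged when some window of its attempts covers at least
    `min_users` distinct usernames across at least `min_attempts` logins
    with mostly failures. A source hammering ONE account (classic brute
    force) is deliberately not matched; that is a separate detection.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # advance the window start until the span fits inside `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e["user"] for e in chunk}
            failures = sum(1 for e in chunk if not e["ok"])
            ratio = failures / len(chunk)
            suspicious = (len(users) >= min_users
                          and len(chunk) >= min_attempts
                          and ratio >= min_failure_ratio)
            if suspicious and (best is None or len(chunk) > best["attempts"]):
                best = {
                    "attempts": len(chunk),
                    "distinct_users": len(users),
                    "failure_ratio": round(ratio, 2),
                    # successes from a flagged source are the accounts a
                    # company would reset and notify customers about
                    "compromised_users": sorted(
                        e["user"] for e in chunk if e["ok"]),
                }
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, stats in score_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

On the sample, only `203.0.113.10` is flagged (ten usernames, ten attempts, 80% failures), and its two successes are the accounts to act on; the source that retried one account three times is left for a separate brute-force rule, which is the distinction that makes stuffing easy to miss when only per-account lockouts are in place. In production the thresholds would be tuned per site and the same logic applied per user-agent or per ASN, since stuffing tools spread requests across proxy pools.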
Cyber-criminals ramped up their credential stuffing activity during the pandemic. Akamai detected 193 billion such attempts globally in 2020, including a 45% increase in attacks on the financial sector.
However, the retail, hospitality and travel sectors are most frequently hit.
In 2020, the same vendor released research claiming that 60% of attacks detected over the previous two years were aimed at these verticals, with retail accounting for over 90% of the total.
That’s because these accounts often have saved store cards which can be used in follow-on fraud and can be poorly protected compared to, say, online bank accounts.