New York City skyline with skyscrapers at sunset showing credential stuffing attacks with compromised credentials

AG of New York: Investigation Uncovered 1.1 Million Compromised Accounts Used for Credential Stuffing Attacks Against 17 Online Companies

The Office of the Attorney General (OAG) of New York has issued a warning to 17 companies after an investigation turned up 1.1 million compromised accounts. The stolen logins were put to use in credential stuffing attacks against a variety of “well-known” online retail, food and delivery businesses.

OAG says that each of the companies it notified has already opened an investigation and taken immediate steps to protect customers with compromised accounts. The investigation took place over several months and involved monitoring dark web forums in which credentials are bought and sold.

Credential stuffing campaigns continue to plague online sellers

New York Attorney General Letitia James announced the results of the investigation on January 5. The OAG says that it monitored several online communities dealing in compromised accounts over a period of several months, reviewing thousands of posted messages that contained stolen credentials. OAG reports that these accounts were compromised by credential stuffing attacks, which primarily rely on the tendency of internet users to re-use passwords for multiple accounts.

Some of the companies that OAG notified reported that their investigations indicated that most of these attacks had not previously been detected. OAG says that it actively worked with these companies to determine how their defenses were penetrated and to provide security recommendations for future improvements, something that nearly all of the companies committed to.

The investigation also led OAG to compile a “Business Guide for Credential Stuffing Attacks” based on information gleaned from the dark web sources. Some specific safeguards against credential stuffing that the paper recommends include bot detection systems, required multi-factor authentication for employee logins, a move to passwordless authentication, and web application firewalls as a first-line defense.

Saryu Nayyar, CEO and Founder of Gurucul, elaborates on what these advanced modern tools should be capable of: “Security operations must rely on advanced machine learning and analytics that are increasingly sophisticated to pre-emptively identify breaches and prevent credential theft. In addition, once this data is made available to threat actors, identity profiling and behavioral analytics are the best approach when combined with traditional XDR capabilities to determine if stolen credentials are being misused within an organization.”

OAG also emphasized that no safeguard is 100% effective, so businesses should employ additional layers of detection and authentication methods. These include monitoring customer traffic for warning signs (such as unusual spikes in failed login attempts), a re-authentication prompt at the time of purchase, and the development of a written incident response plan for credential stuffing attempts.

Sam Jones, VP of Product Management for Stellar Cyber, thinks that this attack type is not going away until the password as standard account security measure does: “Exposed credentials are unfortunately the norm, and likely will be until the username and password paradigm is eliminated. The best practice for enterprises to prevent credential stuffing is to stick to the basics – enforce strong MFA and go passwordless if possible. For end users, given we still live in a password world, the best thing you can do is ensure you don’t reuse passwords across services.”

Dave Pasirstein, Chief Product Officer and Head of Engineering at TruU, also endorses this view: “The primary countermeasure to credential stuffing is multifactor authentication (MFA), and one of the best multifactor approaches to eliminate the credential stuffing attack vector is passwordless MFA.”

Credential stuffing amplifies data leaks and breaches by creating more compromised accounts

The New York OAG estimates there are some 15 billion compromised accounts being circulated across the internet, and that number has increased exponentially thanks in large part to credential stuffing attacks. One compromised username and password leaked in a data breach could turn into five, ten or even a hundred if that person re-uses those credentials across multiple sites.

Nasser Fattah, North America Steering Committee Chair for Shared Assessments, points out that most businesses still do not have their hands around the scope of available compromised accounts and personal data in the criminal underground: “Companies not doing threat intelligence simply fail to realize how much of their information, including customer information, is out there. Information such as credentials, account numbers, and other sensitive information. And many times the available information stems from a breach that might have happened elsewhere. For example, customers’ credentials – the same ones used to log on to financial, medical, and other sensitive sites – are being leaked from other sites, such as social media.”

Credential stuffing attacks are usually a bit more sophisticated than the traditional “brute force” attack trying the contents of a dictionary file against a login prompt. They are usually driven by bots, which spread the login attempts around geographically, create fake IP addresses and space out the use of particular usernames in an attempt to avoid automated defenses. The OAG points out that these attacks are based on lists of thousands, sometimes millions, of compromised accounts usually gathered together from previous breaches. Credential stuffing now focuses on finding places to reuse known good passwords rather than trying to blindly guess into an account.

In its talks with businesses about improving security measures, OAG found that a substantial amount had implemented the necessary tools but were using them the wrong way; for example, over 140,000 businesses had adopted multi-factor authentication but had set it up incorrectly. Another common mistake was misidentifying credential stuffing attacks as attempted denial-of-service (DDoS) attacks; engineers sometimes assume it is an ineffective attempt at a DDoS and turn their attention elsewhere.

Credential stuffing attacks have been on the rise in recent years, with some 193 billion attempts globally in 2020 (an increase of about 45% from 2019). The prolonged pandemic has fueled cyber crime of nearly all types, but credential stuffing has been given a particular boost by the increasing tendency of underground hackers to collate the contents of data breaches and even make them searchable for credential matches.

OAG monitored several online communities dealing in compromised accounts over a period of several months, reviewing thousands of posted messages that contained stolen credentials. #cybersecurity #respectdataClick to Tweet

Prior research has found that certain industries experience more credential stuffing attempts than others. Both digital and legacy media are the most popular targets for these attacks; video sharing sites were the #1 target in 2019 (according to research from Akamai), but newspapers and magazines were also quite popular. Attackers are usually seeking credit cards or digital payment information left on file, but may also settle for personal contact information that could be leveraged for phishing or other targeted scams. Some countries weather more of these types of attacks than others as well; the United States is the most popular target followed by France, Russia, the Netherlands and Germany.