The Office of the Attorney General of New York has recorded 1.1 million compromised accounts. The stolen logins were put to use in credential stuffing attacks against a variety of "well-known" online retail, food and delivery businesses.
Investigation showed that scammers manually access 91% of compromised accounts within a week, 50% within 12 hours, and used them to send bulk credential phishing messages.