Investigation showed that scammers manually access 91% of compromised accounts within a week, 50% within 12 hours, and used them to send bulk credential phishing messages.
The Office of the Attorney General of New York has recorded 1.1 million compromised accounts. The stolen logins were put to use in credential stuffing attacks against a variety of "well-known" online retail, food and delivery businesses.