The New York Office of the Attorney General said this week that it identified and notified 17 well-known online retailers, restaurant chains, and food delivery services that have been the victims of credential stuffing attacks.
What Is Credential Stuffing?
Credential stuffing is a type of cyberattack in which attackers attempt to log in to online accounts using usernames and passwords stolen from other online services. “It relies on the widespread practice of reusing passwords as, chances are, a password used on one website was also used on another,” explains the New York Office of the Attorney General.
Threatpost adds technical detail: “Credential stuffing uses automated scripts to try high volumes of usernames and password combinations against online accounts in an effort to take them over. Once in, cybercriminals can use the compromised accounts for various purposes: As a pivot point to penetrate deeper into a victim’s machine and network; to drain accounts of sensitive information (or monetary value); and if it’s an email account, they can impersonate the victim for attacks on others.”
The Latest Credential Stuffing Episode
New York Attorney General Letitia James said her office discovered the breaches after monitoring online communities dedicated to credential stuffing. In this spate of attacks, 1.1 million user accounts were hacked and sold online.
“The OAG found thousands of posts that contained customer login credentials that attackers had tested in a credential stuffing attack and confirmed could be used to access customer accounts at websites or on apps,” James said.
The OAG worked with the compromised companies to determine how attackers circumvented existing safeguards and provided recommendations for strengthening data security programs to better secure customer accounts moving forward.
All 17 companies whose customer accounts were hacked took steps to secure the compromised accounts and notify the affected customers.
More Stuffing Statistics
The Ponemon Institute Cost of Credential Stuffing report reveals that organizations lose an average of $6 million per year to credential stuffing in the form of application downtime, lost customers, and increased IT costs.
A “large content delivery network” reported that it witnessed more than 193 billion such attacks in 2020 alone.
Pause the music – well-known music streaming platform Spotify has experienced numerous credential stuffing attacks.
Combat Credential Stuffing Attacks
Like many people today, I have a neighborhood watch application which alerts me to things happening in my community. Oftentimes people will post videos of threat actors checking the locks on cars and home doors. The manner in which you defend yourself against this activity depends on your risk tolerance. The same is true in business.
The perimeter “door knob” testing is similar to the recent announcement by the New York Office of the Attorney General (OAG) on credential stuffing attacks against multiple organizations. The fact is, there are billions of compromised credentials easily available on the Internet. Threat actors will constantly use these resources in an attempt to breach digital assets.
In this case, the importance of Identity and Access Management (IAM) cannot be overstated. Organizations absolutely must enforce multiple layers of protection, especially when it comes to accessing sensitive data.
The equation to combat credential stuffing is straightforward:
- Strong passwords are good, but passphrases are better
- Privileged access should always be accompanied by multi-factor authentication
- Throttle Internet-facing applications to prevent brute force login attempts
- Detection and response mechanisms must be deployed and validated regularly
These are just a few of the fundamental controls needed to protect your data. It’s important to remember that securing your digital asset boundary is like squeezing a balloon: you can tighten one side, but the other side expands. The challenge is finding that middle ground. When third parties are involved, the task becomes increasingly difficult, as you must ensure they follow controls no weaker than the ones you’ve specified.
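To make the throttling and detection items in the list above concrete, here is an added example (not from the original article) of a per-source login guard that throttles repeated failures and raises an alert when one source fails against many different accounts, the pattern that distinguishes credential stuffing from guessing at a single account. The class and function names, thresholds, and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds; tune against your own login traffic.
WINDOW_SECONDS = 60      # sliding window per source address
MAX_FAILURES = 5         # failed attempts allowed per source per window
MAX_DISTINCT_USERS = 3   # distinct usernames failing from one source before alerting


class LoginGuard:
    """Per-source sliding-window throttle that also flags credential stuffing."""

    def __init__(self):
        self._recent = defaultdict(deque)  # source -> deque of (timestamp, username)

    def check(self, source, now):
        """Call before verifying the password: 'allow', 'throttle' or 'alert'."""
        q = self._recent[source]
        while q and now - q[0][0] > WINDOW_SECONDS:
            q.popleft()  # forget attempts older than the window
        if len({user for _, user in q}) > MAX_DISTINCT_USERS:
            return "alert"     # one source failing against many accounts
        if len(q) >= MAX_FAILURES:
            return "throttle"  # repeated failures, e.g. guessing one account
        return "allow"

    def record(self, source, username, now):
        """Count a failed or blocked attempt against the source."""
        self._recent[source].append((now, username))


def replay(events):
    """Replay (timestamp, source, username, password_ok) tuples in time order."""
    guard, decisions = LoginGuard(), []
    for ts, source, username, ok in events:
        decision = guard.check(source, ts)
        if decision != "allow" or not ok:
            guard.record(source, username, ts)
        decisions.append((source, decision))
    return decisions


# Constructed sample traffic (documentation-range addresses, made-up usernames).
SAMPLE_EVENTS = (
    [(t, "203.0.113.9", f"user{t}", False) for t in range(6)]     # many accounts, one source
    + [(10 + t, "192.0.2.44", "frank", False) for t in range(7)]  # one account hammered
    + [(20, "198.51.100.7", "grace", False), (25, "198.51.100.7", "grace", True)]  # typo, then success
)
```

Per-source thresholds like these do not catch attempts spread thinly across many addresses, which is one reason the list pairs throttling with multi-factor authentication and broader detection.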