New York Warns Credential Stuffing Hit 1 Million Accounts
Compromised Accounts Linked to 'Well-Known' Restaurants, Food Delivery, Retailers
The Office of the New York State Attorney General on Wednesday released findings of an investigation of credential stuffing attacks, revealing that some 1.1 million online accounts had been compromised in cyberattacks. The investigation focused on account services linked to 17 "well-known" companies, which went unnamed in the report, ranging from food delivery services to online retail outlets, according to the Attorney General's office.
"Right now, there are more than 15 billion stolen credentials being circulated across the internet, as users' personal information stands in jeopardy," says Attorney General Letitia James, who added that businesses have a responsibility to protect customers and to prepare an incident response plan.
Additionally, James' office said that it had notified the companies involved in the investigation, providing required time frames for cited companies to issue alerts to customers and reset passwords.
In an effort to help businesses safeguard consumers' personal information, James' office also released a Business Guide for Credential Stuffing Attacks to use as a companion to mitigate the risks her office discovered. The guide outlines detection techniques, as well as effective tools and security strategies, to assist organizations in fighting against credential stuffing, one of the more common and often inescapable attack methods.
The guide also explains how password reuse across multiple sites elevates the risk of cybercrime, as compromised credentials are then resold on darknet forums, compounding the scope of the attack.
"In a typical credential stuffing attack, an attacker may submit hundreds of thousands, or even millions, of login attempts using automated, credential-stuffing software and lists of stolen credentials downloaded from the dark web or hacking forums," James' office said on Wednesday, emphasizing that while most attacks are unsuccessful, a single attack could return thousands of compromised accounts.
Most Attacks Undetected
Due to a recent rise in credential stuffing, the AG's office launched an investigation to identify affected parties, James said. The months-long investigation compiled login credentials, gathered from various online communities, that attackers had used.
After notifying the companies, authorities also discovered that "most of the attacks" - the office did not reveal the exact number - had gone undetected. Each affected company agreed to implement, or made plans to implement, proper incident response and mitigation plans, James' office said in relaying the results of its investigation.
ISMG reached out to her office for further technical details, but did not receive a response by the time of publication.
Safeguarding the 'Unavoidable'
"Credential stuffing attacks have become so prevalent that they are, for most businesses, unavoidable," the attorney general's new guide states. It also indicates that more than 140,000 businesses had incorrectly implemented multifactor authentication, one of the recommendations laid out by James' office.
According to the guide, aside from MFA, the top recommendations to fend off credential stuffing include bot detection such as CAPTCHA, password-less authentication, blocking dangerous IP addresses, and preventing customers from using a password that has been compromised in the past.
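The last of those recommendations, refusing any password that has already appeared in a breach, can be enforced at registration and reset time without ever sending the candidate password to the checking service. The example below is added here and is not from the Attorney General's guide or from any of the cited companies: the breach corpus, the `range_lookup` service and the 12-character minimum are constructed assumptions. The lookup follows the k-anonymity prefix pattern, in which only the first five hex digits of the password's SHA-1 leave the client and the suffix comparison happens locally.

```python
import hashlib
from typing import List, Tuple

# Constructed stand-in for a breach corpus (hypothetical; a real one holds hundreds of
# millions of entries and is consulted as hashes, never as plaintext).
_CONSTRUCTED_BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Summer2021!!"]
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                 for p in _CONSTRUCTED_BREACHED_PASSWORDS}


def sha1_hex(password: str) -> str:
    """SHA-1 serves only as the lookup key into the breach corpus, not as a storage hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix: str) -> List[str]:
    """Hypothetical 'range' endpoint of a breach-check service: given the first 5 hex digits
    of a SHA-1, return the 35-digit suffixes of every breached hash sharing that prefix.
    The service never sees the full hash, so it cannot recover the candidate password."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return [h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)]


def is_compromised(password: str) -> bool:
    """Client side of the k-anonymity check: send the prefix, compare the suffix locally."""
    full = sha1_hex(password)
    return full[5:] in set(range_lookup(full[:5]))


def validate_new_password(password: str, min_length: int = 12) -> Tuple[bool, str]:
    """Policy applied at registration and password reset (min_length is an assumed value):
    reject known-breached passwords outright instead of relying on complexity rules."""
    if len(password) < min_length:
        return False, f"password shorter than {min_length} characters"
    if is_compromised(password):
        return False, "password appears in a known breach corpus; choose a different one"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["Summer2021!!", "a long phrase nobody else uses 4471"]:
        print(candidate, validate_new_password(candidate))
```

The same `is_compromised` check belongs at login as well: a successful login with a password that is now known to be breached is exactly the account a credential-stuffing list will eventually reach, and forcing a reset at that point closes the window before the stolen pair is replayed.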
The Business Guide also recommends each business provide "a written incident response plan," outlining investigation, remediation, and customer notification protocols, to comply with local and federal laws.
Sam Jones, vice president of product management at the firm Stellar Cyber, agrees that enforcing MFA and going password-less, together with end users not reusing passwords, will help prevent credential stuffing.
"Exposed credentials are unfortunately the norm, and likely will be until the username and password paradigm is eliminated," he says.
And Chris Olson, CEO of the digital security firm The Media Trust, believes that even though credential stuffing is "old hat," it continues to be an effective strategy for cybercriminals.
"While consumers are responsible for their data, enterprises have a responsibility to safeguard it when input or surreptitiously collected via their websites or mobile apps," he says, explaining that adopting safety strategies that protect customers will result in "tangible results in their bottom line."
Overcoming Investigation Bias
In addition to specifics around mitigation tactics, the attorney general discovered, in a recent data breach investigation of another prominent company, that engineers had mistakenly identified a credential stuffing attack as a denial-of-service attack, which could explain why attacks went undetected or were perhaps brushed aside.
"Businesses should ensure that appropriate personnel are trained to recognize the signs of a credential stuffing attack," the new guide reads.
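What those signs look like in a login log, and why a burst of login traffic is not the same thing as a denial-of-service flood, is shown in the example below. It is added here and is not from the guide or from the unnamed company; the log lines and the thresholds are constructed assumptions. Each one-minute window is scored on failure rate, account diversity and source-address diversity, which is what separates the stuffing pattern the AG's office describes (one attempt per stolen credential pair, almost all failing, from many addresses) from a single-account brute force and from plain volume.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed login-event records, not taken from any real system. One event per line:
# "<timestamp> <source_ip> <username> <OK|FAIL>". Three one-minute windows:
#   10:00 ordinary traffic; 10:05 one attempt each on many distinct accounts from many
#   addresses, nearly all failing (credential stuffing); 10:10 one account hammered
#   from one address (brute force).
CONSTRUCTED_LOG = """\
2022-01-05T10:00:01 203.0.113.10 alice OK
2022-01-05T10:00:14 203.0.113.22 bob OK
2022-01-05T10:00:31 198.51.100.7 carol FAIL
2022-01-05T10:00:35 198.51.100.7 carol OK
2022-01-05T10:00:50 203.0.113.40 dave OK
2022-01-05T10:00:58 192.0.2.19 erin OK
2022-01-05T10:05:00 192.0.2.101 user1001 FAIL
2022-01-05T10:05:00 192.0.2.102 user1002 FAIL
2022-01-05T10:05:01 192.0.2.103 user1003 FAIL
2022-01-05T10:05:01 192.0.2.104 user1004 FAIL
2022-01-05T10:05:01 192.0.2.105 user1005 OK
2022-01-05T10:05:02 192.0.2.106 user1006 FAIL
2022-01-05T10:05:02 192.0.2.107 user1007 FAIL
2022-01-05T10:05:02 192.0.2.101 user1008 FAIL
2022-01-05T10:05:03 192.0.2.108 user1009 FAIL
2022-01-05T10:05:03 192.0.2.109 user1010 FAIL
2022-01-05T10:05:03 192.0.2.102 user1011 FAIL
2022-01-05T10:05:04 192.0.2.110 user1012 FAIL
2022-01-05T10:05:04 192.0.2.111 user1013 FAIL
2022-01-05T10:05:04 192.0.2.103 user1014 FAIL
2022-01-05T10:10:00 198.51.100.200 alice FAIL
2022-01-05T10:10:01 198.51.100.200 alice FAIL
2022-01-05T10:10:02 198.51.100.200 alice FAIL
2022-01-05T10:10:03 198.51.100.200 alice FAIL
2022-01-05T10:10:04 198.51.100.200 alice FAIL
2022-01-05T10:10:05 198.51.100.200 alice FAIL
2022-01-05T10:10:06 198.51.100.200 alice FAIL
2022-01-05T10:10:07 198.51.100.200 alice FAIL
2022-01-05T10:10:08 198.51.100.200 alice FAIL
2022-01-05T10:10:09 198.51.100.200 alice FAIL
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<user>\S+)\s+(?P<result>OK|FAIL)$")


def parse(log_text: str) -> List[Dict[str, str]]:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def windows(events: List[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Group events into one-minute windows keyed by 'YYYY-MM-DDTHH:MM'."""
    grouped = defaultdict(list)
    for e in events:
        grouped[e["ts"][:16]].append(e)
    return dict(grouped)


def window_stats(events: List[Dict[str, str]]) -> Dict[str, float]:
    """Raw volume alone looks like a DoS; these ratios separate login abuse from a flood."""
    attempts = len(events)
    if attempts == 0:
        return {"attempts": 0, "failure_rate": 0.0, "user_diversity": 0.0, "ip_diversity": 0.0}
    fails = sum(1 for e in events if e["result"] == "FAIL")
    return {
        "attempts": attempts,
        "failure_rate": fails / attempts,
        # distinct accounts per attempt: near 1.0 means each credential pair is tried once
        "user_diversity": len(Counter(e["user"] for e in events)) / attempts,
        # distinct source addresses per attempt: high when the traffic is distributed
        "ip_diversity": len(Counter(e["ip"] for e in events)) / attempts,
    }


def classify(stats: Dict[str, float], baseline_attempts: int) -> str:
    """Thresholds are illustrative assumptions, not figures from the AG guide."""
    if stats["attempts"] == 0:
        return "empty"
    high_failure = stats["failure_rate"] >= 0.8
    if high_failure and stats["user_diversity"] >= 0.7 and stats["ip_diversity"] >= 0.5:
        return "credential_stuffing"
    if high_failure and stats["user_diversity"] < 0.3:
        return "brute_force_few_accounts"
    if stats["attempts"] >= 2 * baseline_attempts:
        return "volume_surge_review_manually"
    return "normal"


def analyze(log_text: str, baseline_attempts: int = 6) -> Dict[str, str]:
    """Label every one-minute window; baseline_attempts (assumed 6/min here) would
    normally come from the service's own historical login volume."""
    return {key: classify(window_stats(evts), baseline_attempts)
            for key, evts in windows(parse(log_text)).items()}


if __name__ == "__main__":
    for key, label in sorted(analyze(CONSTRUCTED_LOG).items()):
        print(key, label)
```

The 10:05 window is the one a volume-only alert would file as a denial-of-service event: the request rate jumps, yet every request is a well-formed login. The giveaway is the combination of near-total failure with a fresh username on almost every attempt, and the single `OK` inside that burst is the account the attacker now holds and the first one the response team should reset.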
Keith Chapman, cybersecurity specialist for technology solutions firm Infocitex Corporation, says these issues may be exacerbated by alert fatigue, noting: "At times responders have alert fatigue, a condition when the number of alerts seems overwhelming, which may introduce blind spots into the investigation."