
Office of the New York State Attorney General Releases Results of Credential Stuffing Investigation

On January 5, 2022, the Office of the New York State Attorney General (OAG) issued a report detailing the growing threat of credential stuffing attacks on businesses and consumers. The Office compiled information on username and password pairs from 17 well-known online retailers, restaurant chains and food delivery services. This yielded more than 1.1 million accounts that had been compromised in credential stuffing attacks.
The OAG reviewed and evaluated the effectiveness of a wide range of safeguards used to protect against automated credential stuffing attacks. Its report outlines concrete steps that digital businesses can take to strengthen their security posture and better protect the personally identifiable information (PII) of their customers. These include bot detection, multi-factor authentication and passwordless authentication.
Credential Stuffing is on the Rise
In credential stuffing attacks, hackers use bots to quickly test stolen credentials on popular sites. These attacks are easy to carry out with little technical knowledge. According to the OAG, “attackers typically use free, easily accessible software capable of transmitting hundreds or thousands of login attempts simultaneously without human intervention.” The sheer volume of attempts means that hackers will likely walk away with a decent number of valid pairs even if the majority of their attempts fail.
And, unfortunately, credential stuffing is just the beginning. These attacks are almost always a first step in an account takeover (ATO): an attack in which hackers gain unauthorized access to a user account. From there, they can make fraudulent purchases using stored credit cards, steal gift cards and loyalty points, submit fake warranty claims and credit applications and commit other types of fraud — or sell the valid credentials on the dark web for others to use.
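The traffic pattern described above (one source trying many different usernames in a short time, with most attempts failing) can be looked for in authentication logs. The following is an added example, not code from the OAG report or the original post; the log format, field order, IP addresses and thresholds are assumptions, and the sample log is constructed. It flags such sources and lists the accounts that logged in successfully from them, since those are the ones exposed to account takeover.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse(line):
    # Assumed log format: "<ISO timestamp> <source IP> <username> <OK|FAIL>"
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(lines, window=timedelta(seconds=60),
                    min_users=20, min_fail_ratio=0.9):
    """Return {source_ip: usernames that logged in successfully from it} for
    each source that, inside any sliding window, tried at least min_users
    distinct usernames with a failure ratio of at least min_fail_ratio."""
    recent = defaultdict(deque)    # ip -> attempts inside the current window
    successes = defaultdict(set)   # ip -> usernames with a successful login
    flagged = set()
    for ts, ip, user, ok in sorted(map(parse, lines)):
        q = recent[ip]
        q.append((ts, user, ok))
        while ts - q[0][0] > window:   # drop attempts older than the window
            q.popleft()
        if ok:
            successes[ip].add(user)
        users = {u for _, u, _ in q}
        fails = sum(1 for _, _, o in q if not o)
        if len(users) >= min_users and fails / len(q) >= min_fail_ratio:
            flagged.add(ip)
    # Successful logins from a flagged source are candidates for forced reset.
    return {ip: sorted(successes[ip]) for ip in flagged}

def sample_log():
    """Constructed sample data (documentation IP ranges, made-up usernames)."""
    t0 = datetime(2022, 1, 5, 10, 0, 0)
    stamp = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    lines = []
    # Automated source: 40 different usernames in 40 seconds, two valid pairs.
    for i in range(40):
        result = "OK" if i in (12, 31) else "FAIL"
        lines.append(f"{stamp(i)} 203.0.113.7 user{i:02d} {result}")
    # One person mistyping a password twice, then succeeding.
    for i, result in enumerate(["FAIL", "FAIL", "OK"]):
        lines.append(f"{stamp(5 * i)} 198.51.100.4 alice {result}")
    # Shared office address: many users, but every login succeeds.
    for i in range(25):
        lines.append(f"{stamp(2 * i)} 192.0.2.10 staff{i:02d} OK")
    return lines

if __name__ == "__main__":
    for ip, accounts in detect_stuffing(sample_log()).items():
        print(f"{ip}: likely credential stuffing, review accounts {accounts}")
```

Requiring both many distinct usernames and a high failure ratio keeps the shared office address and the single mistyping user from being flagged.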
A recent investigation found that there are more than 15 billion user credentials up for
*** This is a Security Bloggers Network syndicated blog from PerimeterX Blog authored by PerimeterX Blog. Read the original post at: https://www.perimeterx.com/resources/blog/2022/office-of-the-new-york-state-attorney-general-releases-results-of-credential-stuffing-investigation/