Three tips for credential stuffing mitigation from the N.Y. State Attorney General’s Office
As originally published in SC Magazine
At the beginning of the year, the Office of the New York State Attorney General (OAG) announced the findings of a recent investigation into credential stuffing. The OAG monitored online communities dedicated to selling stolen credentials and discovered more than 1.1 million customer accounts from 17 well-known online businesses had been compromised through credential stuffing attacks.
The study was released following a series of investigations and law enforcement actions led by the OAG aimed at protecting consumers and internet users from online identity theft and holding website owners accountable for not taking appropriate action to protect their customers from credential stuffing attacks.
Following the investigation, the OAG informed the affected businesses and each took steps to mitigate the attacks. However, the research does highlight the scale of the problem and how many organizations are suffering credential stuffing attacks without even knowing.
Credential stuffing happens when cybercriminals test stolen user credentials against websites with the aim of gaining access to online accounts. Attackers understand that internet users tend to reuse the same passwords across their online accounts, so a single valid username and password pair will often unlock accounts on a whole host of other sites.
These attacks are very easy to carry out, and through the use of bots and automation, attackers can scale their efforts, testing credentials against multiple sites at once with very little human intervention. According to the OAG, attackers typically use free, easily accessible software capable of transmitting hundreds or thousands of login attempts simultaneously without human intervention. The sheer volume of attempts means that hackers will likely walk away with a decent number of valid username and password pairs even if most of their attempts fail.
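As an added example that is not part of the original post, the following Python sketch looks for the pattern just described from the defender's side: a single source producing many automated login attempts against many different usernames, most of which fail. The log format, field names, sample IP addresses and thresholds are all assumptions constructed for the example.

```python
# Added example (not from the original post or from PerimeterX): flag sources
# whose login traffic looks like automated credential testing. The log format
# and thresholds below are assumptions; tune them to your own authentication logs.
from collections import defaultdict
import re

# Constructed sample log lines in the assumed format "<timestamp> <ip> <username> <result>".
SAMPLE_LOG = """\
2022-01-05T10:00:01Z 203.0.113.7 alice FAIL
2022-01-05T10:00:01Z 203.0.113.7 bob FAIL
2022-01-05T10:00:02Z 203.0.113.7 carol FAIL
2022-01-05T10:00:02Z 203.0.113.7 dave SUCCESS
2022-01-05T10:00:03Z 203.0.113.7 erin FAIL
2022-01-05T10:00:03Z 203.0.113.7 frank FAIL
2022-01-05T10:00:04Z 203.0.113.7 grace FAIL
2022-01-05T10:00:04Z 203.0.113.7 heidi FAIL
2022-01-05T10:00:05Z 203.0.113.7 ivan FAIL
2022-01-05T10:00:05Z 203.0.113.7 judy FAIL
2022-01-05T10:01:00Z 198.51.100.20 alice FAIL
2022-01-05T10:01:10Z 198.51.100.20 alice FAIL
2022-01-05T10:01:20Z 198.51.100.20 alice SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")

def summarize(log_text):
    """Per-source counters: total attempts, failures and distinct usernames tried."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        _ts, ip, user, result = m.groups()
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if result == "FAIL":
            s["failures"] += 1
    return stats

def flag_stuffing_sources(log_text, min_attempts=10, min_users=5, min_fail_ratio=0.8):
    """Return sources that hit many distinct accounts with a high failure ratio.
    A legitimate user mistyping their own password (one username, few attempts)
    does not meet these thresholds; a credential list replayed by a bot does."""
    flagged = {}
    for ip, s in summarize(log_text).items():
        ratio = s["failures"] / s["attempts"]
        if s["attempts"] >= min_attempts and len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"attempts": s["attempts"], "distinct_users": len(s["users"]), "fail_ratio": round(ratio, 2)}
    return flagged
```

Running `flag_stuffing_sources(SAMPLE_LOG)` flags only the source that tried ten different usernames, not the one user who mistyped their own password twice.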
Once attackers gain access to consumer accounts, they can perform account takeover (Read more...)
*** This is a Security Bloggers Network syndicated blog from PerimeterX Blog authored by PerimeterX Blog. Read the original post at: https://www.perimeterx.com/resources/blog/2022/three-tips-for-credential-stuffing-mitigation-from-the-n.y.state-attorney-general-s-office/