The accounts fell victim to credential-stuffing attacks, according to the New York State AG.
More than 1.1 million online accounts have been compromised in a series of credential-stuffing attacks against 17 different companies, according to a New York State investigation.
Credential-stuffing attacks, such as last year’s attack on Spotify, use automated scripts to try high volumes of username and password combinations against online accounts in an effort to take them over. Once in, cybercriminals can use the compromised accounts for various purposes: as a pivot point to penetrate deeper into a victim’s machine and network; to drain accounts of sensitive information (or monetary value); and, if it’s an email account, to impersonate the victim in attacks on others.
Such attacks are often successful thanks to password reuse and the use of common/easy-to-guess passwords, like “123456.” And they’re costly: The Ponemon Institute’s Cost of Credential Stuffing report found that businesses lose an average of $6 million per year to credential stuffing in the form of application downtime, lost customers, and increased IT costs.
“With over 8.4 billion passwords in the wild and over 3.5 billion of those passwords tied to actual email