Credential Stuffers Compromised 1.1 Million Accounts
Credential stuffers have compromised over a million customer accounts linked to 17 well-known companies, New York’s attorney general has confirmed.
Letitia James yesterday announced the results of a “sweeping” investigation into the practice, in which hackers use automated software to try breached log-ins across multiple accounts simultaneously to see if any fit.
Once inside the accounts, they look for personal and financial information to steal and/or try to fraudulently buy goods with saved cards.
As James said in her notice, the practice is made possible because many people use the same passwords across multiple online accounts.
New York’s Office of the Attorney General (OAG) has alerted the relevant companies so they can reset passwords and notify affected customers, claiming most of the malicious activity had not been detected.
It also released a guide outlining how organizations can detect, defend against and respond to credential stuffing attacks and prevent any follow-on fraud.
Bot detection services were recommended as an effective way to spot and block such attacks, since threat actors typically carry them out with automated applications (bots).
The OAG also urged firms to offer customers multi-factor and passwordless authentication options to foil their attackers. This means that hackers cannot access