On January 5, 2022, the New York Office of the Attorney General (“NY AG”) announced the results of an investigation into “credential stuffing,” which uncovered 1.1 million compromised accounts from cyberattacks on 17 well-known companies. The announcement included a “Business Guide for Credential Stuffing Attacks,” (the “Guide”) detailing the attacks and providing tips for businesses to protect themselves.

“Credential stuffing” refers to a type of cyberattack that typically involves repeated attempts to log in to online accounts using usernames and passwords stolen from other online services. These attacks rely on the fact that many people reuse the same credentials across various online accounts and platforms. Although most log-in attempts in a credential stuffing attack will fail, a single attack can nevertheless compromise thousands of accounts. In its announcement, the NY AG noted that one company “witnessed more than 193 billion such attacks in 2020 alone.”

Out of concern over this growing threat, the NY AG launched an investigation to identify businesses and consumers impacted by credential stuffing attacks. Over a period of several months, the NY AG monitored a number of online credential-stuffing communities. The NY AG found thousands of posts containing customer log-in credentials gained from credential stuffing attacks, which had been tested and confirmed as usable. From these posts, the NY AG identified credentials belonging to 1.1 million compromised accounts from 17 well-known online retailers, restaurant chains and food delivery services.

Based on its findings, the NY AG developed the Guide to offer business concrete guidance on steps they can take to better protect themselves against credential stuffing attacks. The Guide recommends that businesses develop a data security program centered around safeguards in four key areas:

  1. Defending against credential stuffing attacks;
  2. Detecting a credential stuffing breach;
  3. Preventing fraud and misuse of customer information; and
  4. Responding to a credential stuffing incident.

According to the Guide, businesses should defend against credential stuffing attacks using bot detection systems, multi-factor or password-less authentication, and a variety of web application firewalls. The Guide further recommends that businesses implement incident detection procedures, such as monitoring customer activity and fraud reports, notifying customers of unusual or significant account activity, and seeking the help of third-party threat intelligence firms. The Guide also suggests that businesses have in place fraud prevention safeguards and an incident response plan to mitigate the effects of a successful attack.