NY Attorney General Recommends Safeguards against "Credential Stuffing" Cyberattacks

The New York Attorney General recommended safeguards to defend against "credential stuffing" after an investigation found widespread cyberattacks impacting more than 1.1 million consumers.

In the report, the Office of the Attorney General ("OAG") investigated "credential stuffing" attacks against businesses and consumers, in which hackers attempt to access customer accounts by utilizing stolen usernames and passwords from other online services. According to the OAG, credential stuffing is a common form of cyberattack. One content delivery network reported more than 193 billion attacks in 2020.

The OAG found more than 1.1 million account credentials from compromised accounts at 17 well-known online retailers. The companies were alerted and, at the urging of the OAG, took steps to investigate and protect impacted customers.

The OAG recommended safeguards designed to (i) defend against credential stuffing attacks, (ii) detect credential stuffing breaches, (iii) prevent fraud and the misuse of customer information, and (iv) respond to credential stuffing incidents. As a result of the investigation and subsequent cooperation with the OAG, nearly all of the companies implemented additional customer safeguards. The OAG also highlighted:

• the effectiveness of multi-factor and "passwordless" authentication and bot-detection services;

• the importance of breach-detection systems with respect to successful attacks that compromise customer accounts; and

• the need to have a written incident response plan for responding to credential stuffing attacks.