NY AG Warns Credential Stuffing Compromised 1.1M Accounts

New York Attorney General Letitia James has put 17 companies on notice that 1.1 million online accounts have been compromised by cyberattacks involving credential stuffing.

In a “Business Guide for Credential Stuffing Attacks” that described her office’s investigation, the AG provided details on the attacks and how, through automated attempts using usernames and passwords nicked from other online services, the attackers tried to gain access to online accounts.

“Credential stuffing has quickly become one of the top attack vectors online,” a release from James’s office said. The release explained that users and companies are more vulnerable to attack because not only do websites and apps rely on passwords to authenticate users but users often reuse passwords. Of course, that means that cybercriminals can use passwords they steal from one company to access online accounts at other organizations.

“This latest notice from New York’s attorney general highlights how bad password hygiene is,” said Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify. “Password hygiene should be part of education or social learning; once a child knows how to connect to the internet, they should be educated on how to use a password manager and it should be the default setting in our browsers.”

Reusing old or similar variations of passwords “is like leaving your front door open and inviting cybercriminals into your home—stop doing it now; otherwise, expect you will become a victim of cybercrime,” said Carson.

Cybercriminals have become adept at evading detection. “The most common tactic hackers use to avoid credential stuffing detection is to use a slew of different IP addresses,” said Ray Kelly, fellow at NTT Application Security. “While many sites have request throttling and blocking capabilities, the use of different IP addresses avoids the detection, thereby letting the cybercriminals try as many usernames and passwords as possible.”

Currently, “there are more than 15 billion stolen credentials being circulated across the internet, as users’ personal information stands in jeopardy,” James said in a release. “Businesses have the responsibility to take appropriate action to protect their customers’ online accounts and this guide lays out critical safeguards companies can use in the fight against credential stuffing. We must do everything we can to protect consumers’ personal information and their privacy.”

The guide put out by the New York AG’s office explained that attackers typically use automated credential-stuffing software, as well as stolen credentials lists gleaned from the dark web, to execute hundreds of thousands, or even millions, of logins. While most attempts will fail, those that are successful can yield a treasure trove of compromised accounts. Once in, the attackers can go in any number of directions with malicious intent. “The operator of one large content delivery network reported that it witnessed more than 193 billion such attacks in 2020 alone,” James’s office said.

“Like many people today, I have a neighborhood watch application which alerts me to things happening in my community. Oftentimes people will post videos of threat actors checking the locks on cars and home doors,” said Ron Bradley, vice president at Shared Assessments. “The manner in which you defend yourself against this activity depends on your risk tolerance. The same is true in business.”

That perimeter “doorknob” testing “is similar to the recent announcement by the New York Office of the Attorney General (OAG) on credential stuffing attacks against multiple organizations,” said Bradley. “The fact is, there are billions of compromised credentials easily available on the internet. Threat actors will constantly use these resources in an attempt to breach digital assets.”

In light of the growing threat of credential stuffing, the OAG launched an investigation to identify businesses and consumers impacted by this attack vector. Over a period of several months, the OAG monitored several online communities dedicated to credential stuffing. The OAG found thousands of posts that contained customer login credentials that attackers had tested in a credential stuffing attack and confirmed could be used to access customer accounts at websites or on apps. From these posts, the OAG compiled credentials to compromised accounts at 17 well-known online retailers, restaurant chains, and food delivery services. In all, the OAG collected credentials for more than 1.1 million customer accounts, all of which appeared to have been compromised in credential stuffing attacks.

The OAG alerted each of the 17 companies to the compromised accounts and urged the companies to investigate and take immediate steps to protect impacted customers. Every company did so. The companies’ investigations revealed that most of the attacks had not previously been detected.

“Companies not doing threat intelligence simply fail to realize how much of their information, including customer information, is out there. Information such as credentials, account numbers and other sensitive information,” said Nasser Fattah, North America steering committee chair, Shared Assessments. With a thriving underground for credential stuffing, “not knowing in this case, ‘What information about my company and customers are out there?’, can be very harmful.”

The OAG also worked with the companies to determine how attackers circumvented existing safeguards and provided recommendations for strengthening their data security programs to better secure customer accounts in the future. Over the course of the OAG’s investigation, nearly all of the companies implemented or made plans to implement additional safeguards.

The protective measures the AG recommended fall into four buckets—defending against credential stuffing attacks; detecting a credential stuffing breach; preventing fraud and misuse of customer information; and incident response (IR).

James’s team identified three safeguards they deemed “highly effective at defending against credential stuffing attacks when properly implemented”: bot detection services, multi-factor authentication and passwordless authentication.

“Many password managers are free; start using them. Use unique long passwords such as passphrases and use a password manager to keep all your passwords unique but easy to use,” said Carson. “For businesses, it is also important to move beyond password managers and start a journey to protecting privileged access.”

The AG’s office noted that while no safeguard is 100% effective, businesses must have “an effective way of detecting attacks that have bypassed other defenses and compromised customer accounts. Most credential stuffing attacks can be identified by monitoring customer traffic for signs of attacks—for example, spikes in traffic volume of failed login attempts.”
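As an added illustration (not code from the OAG guide or from any of the companies named), the Python below runs the kind of site-wide failed-login spike check the guidance describes over constructed log lines, next to a conventional per-IP throttle that a burst spread across many source addresses, as Kelly describes above, slips past. All addresses, usernames, timestamps and thresholds are constructed for the example.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample only: RFC 5737 documentation addresses and made-up users, not OAG data.
LoginEvent = namedtuple("LoginEvent", "ts src_ip user ok")

def parse_line(line: str) -> LoginEvent:
    """Parse one constructed line: '<ISO timestamp> <source ip> <username> <ok|fail>'."""
    ts, ip, user, result = line.split()
    return LoginEvent(datetime.fromisoformat(ts), ip, user, result == "ok")

def constructed_log() -> list:
    """Ten quiet minutes (2 failures/min), then one minute in which 60 distinct IPs each try one credential."""
    t0 = datetime(2021, 12, 1, 10, 0, 0)
    lines = []
    for m in range(10):
        for i in range(20):
            ts = t0 + timedelta(minutes=m, seconds=3 * i)
            lines.append(f"{ts.isoformat()} 198.51.100.{i} user{i} {'fail' if i < 2 else 'ok'}")
    for i in range(60):  # distributed burst: exactly one attempt per source address
        ts = t0 + timedelta(minutes=10, seconds=i)
        lines.append(f"{ts.isoformat()} 203.0.113.{i} victim{i} fail")
    return lines

def per_ip_throttle_hits(events, limit=5) -> set:
    """Per-source throttle: IPs with more than `limit` failures within one minute.
    One attempt per rotated IP never trips it, which is why attackers spread requests."""
    counts = defaultdict(int)
    for e in events:
        if not e.ok:
            counts[(e.ts.replace(second=0, microsecond=0), e.src_ip)] += 1
    return {ip for (_, ip), n in counts.items() if n > limit}

def detect_distributed_spike(events, factor=5, min_distinct_ips=20) -> list:
    """Site-wide check: flag a minute whose failed logins exceed `factor` x the median
    per-minute failure count and come from at least `min_distinct_ips` source addresses."""
    by_minute = defaultdict(list)
    for e in events:
        if not e.ok:
            by_minute[e.ts.replace(second=0, microsecond=0)].append(e)
    counts = sorted(len(v) for v in by_minute.values())
    baseline = counts[len(counts) // 2] if counts else 0  # median, robust to the spike itself
    flagged = []
    for start, fails in sorted(by_minute.items()):
        ips = {e.src_ip for e in fails}
        if len(fails) > factor * max(baseline, 1) and len(ips) >= min_distinct_ips:
            flagged.append((start.isoformat(), len(fails), len(ips)))
    return flagged
```

On the constructed log the per-IP throttle returns an empty set while the aggregate check flags the 10:10 minute (60 failures from 60 addresses), which is the gap the guidance's "spikes in traffic volume of failed login attempts" advice is meant to close.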

What’s more, the AG recommended that reauthentication should “be required for every method of payment that a business accepts. The OAG encountered many cases in which attackers were able to exploit gaps in fraud protection by making a purchase using a payment method that did not require reauthentication.” And an IR plan should be available—in writing—to outline the processes for responding to such attacks. “The processes should include investigation (e.g., determining whether and which customer accounts were accessed), remediation (e.g., blocking attackers’ continued access to impacted accounts) and notice (e.g., alerting customers),” the AG’s guidance noted.

“In this case, the importance of identity and access management (IAM) cannot be overstated. Organizations absolutely must enforce multiple layers of protection, especially when it comes to accessing sensitive data,” said Bradley.

“The equation to combat this issue is straightforward,” he said, and includes:

  • Strong passwords are good, but passphrases are better.
  • Privileged access should always be accompanied by multifactor authentication.
  • Throttle internet-facing applications to prevent brute force login attempts.
  • Detection and response mechanisms must be deployed and validated regularly.

“These are just a few of the fundamental controls needed to protect your data. It’s important to remember your digital asset boundary is like squeezing a balloon. You can tighten one side, but the other side expands,” said Bradley. “The challenge is finding that middle ground. When third parties are involved, the task becomes increasingly difficult as you must ensure they are following no less than the controls you’ve specified.”


Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.

