[BreachExchange] Attorney general alerts 17 companies to 'credential stuffing' cyberattacks impacting more than 1.1 million consumers

[Terrell Byrd]

https://www.wnypapers.com/news/article/current/2022/01/05/149235/attorney-general-alerts-17-companies-to-credential-stuffing-cyberattacks-impacting-more-than-1.1-million-consumers

New York Attorney General Letitia James on Wednesday announced the results
of what her team called “sweeping investigation into ‘credential stuffing’
that discovered more than 1.1 million online accounts compromised in
cyberattacks at 17 well-known companies.”

James released a “Business Guide for Credential Stuffing Attacks” that
details the attacks – which involve repeated, automated attempts to access
online accounts using usernames and passwords stolen from other online
services – and how business can protect themselves.

A press release stated, “ ‘Credential stuffing’ has quickly become one of
the top attack vectors online. Virtually every website and app use
passwords as a means of authenticating its users. Unfortunately, users tend
to reuse the same passwords across multiple online services. This allows
cybercriminals to use passwords stolen from one company for other online
accounts. Following discovery of the attacks, the office of the attorney
general (OAG) alerted the relevant companies so that passwords could be
reset and consumers could be notified. Today’s guide shares lessons learned
over the course of the OAG’s investigation, including concrete guidance on
steps businesses can take to better protect against ‘credential stuffing’
attacks.”

James said, “Right now, there are more than 15 billion stolen credentials
being circulated across the internet, as users’ personal information stand
in jeopardy. Businesses have the responsibility to take appropriate action
to protect their customers’ online accounts, and this guide lays out
critical safeguards companies can use in the fight against ‘credential
stuffing.’ We must do everything we can to protect consumers’ personal
information and their privacy.”

What is ‘Credential Stuffing’?

The OAG said “Credential stuffing” is “a type of cyberattack that involves
attempts to log in to online accounts using username and passwords stolen
from other, unrelated online services. It relies on the widespread practice
of reusing passwords as, chances are, a password used on one website was
also used on another.

“In a typical ‘credential stuffing’ attack, an attacker may submit hundreds
of thousands, or even millions, of login attempts using automated,
‘credential-stuffing’ software and lists of stolen credentials downloaded
from the dark web or hacking forums. Although only a small percentage of
these attempts will succeed, through the sheer volume of login attempts, a
single attack can nevertheless yield thousands of compromised accounts.

“An attacker that gains access to an account can use it in any number of
ways. The attacker can, for example, view personal information associated
with the account, including a name, an address, and past purchases, and use
this information in a phishing attack. If the account has a stored credit
card or gift card, the attacker may be able to make fraudulent purchases.
Or the attacker could simply sell the login credentials to another
individual on the dark web.

“ ‘Credential stuffing’ is one of the most common forms of cyberattack. The
operator of one large content delivery network reported that it witnessed
more than 193 billion such attacks in 2020 alone.”

The OAG’s Investigation

In light of the growing threat of “credential stuffing,” the OAG launched
an investigation to identify businesses and consumers impacted by this
attack vector. Over a period of several months, the OAG monitored several
online communities dedicated to “credential stuffing.” The OAG found
thousands of posts that contained customer login credentials that attackers
had tested in a “credential stuffing” attack and confirmed could be used to
access customer accounts at websites or on apps. From these posts, the OAG
compiled credentials to compromised accounts at 17 well-known online
retailers, restaurant chains, and food delivery services. In all, the OAG
collected credentials for more than 1.1 million customer accounts, all of
which appeared to have been compromised in “credential stuffing” attacks.

The OAG alerted each of the 17 companies to the compromised accounts and
urged the companies to investigate and take immediate steps to protect
impacted customers. Every company did so. The companies’ investigations
revealed that most of the attacks had not previously been detected.

The OAG also worked with the companies to determine how attackers had
circumvented existing safeguards and provided recommendations for
strengthening their data security programs to better secure customer
accounts in the future. Over the course of the OAG’s investigation, nearly
all of the companies implemented, or made plans to implement, additional
safeguards.

The OAG’s Recommendations

The OAG stated, “ ‘Credential stuffing’ attacks have become so prevalent
that they are, for most businesses, unavoidable. Every business that
maintains online customer accounts should therefore have a data security
program that includes effective safeguards for protecting customers from
‘credential stuffing’ attacks.”

It offered safeguards that “should be implemented in each of four areas”:

Defending against “credential stuffing” attacks;
Detecting a “credential stuffing” breach;
Preventing fraud and misuse of customer information; and
Responding to a “credential stuffing” incident.
James’ guide presents specific safeguards that have been found to be
effective in each of these areas. Some highlights from the guide include
the following:

√ Three safeguards were found to be highly effective at defending against
“credential stuffing” attacks when properly implemented: 1) bot detection
services, 2) multifactor authentication, and 3) password-less
authentication.

√ Because no safeguard is 100% effective, it is critical that businesses
have an effective way of detecting attacks that have bypassed other
defenses and compromised customer accounts. Most “credential stuffing”
attacks can be identified by monitoring customer traffic for signs of
attacks (for example, spikes in traffic volume of failed login attempts).

√ One of the most effective safeguards for preventing attackers from using
customers’ stored payment information is reauthentication at the time of
purchase by, for example, requiring customers to reenter a credit card
number or security code. It is critically important that reauthentication
be required for every method of payment that a business accepts. The OAG
encountered many cases in which attackers were able to exploit gaps in
fraud protection by making a purchase using a payment method that did not
require reauthentication.

√ Businesses should have a written incident response plan that includes
processes for responding to “credential stuffing” attacks. The processes
should include investigation (e.g., determining whether and which customer
accounts were accessed), remediation (e.g., blocking attackers’ continued
access to impacted accounts), and notice (e.g., alerting customers whose
account were reasonably likely to have been impacted).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20220105/3abdea41/attachment.html>