New York's lawmakers have warned some of the top online companies that customers may have had login information stolen, and urged them to notify those affected immediately.
The New York State Office of the Attorney General (NY OAG) notified 17 “well-known” companies that more than a million of their customers have had their accounts compromised in credential stuffing attacks. These include online retailers, restaurant chains, and food delivery services, although no specific names were revealed.
While conducting a “sweeping investigation” that lasted many months, OAG monitored multiple online forums where malicious actors shared valid login credentials stolen in previously unknown stuffing attacks.
"In all, the OAG collected credentials for more than 1.1 million customer accounts, all of which appeared to have been compromised in credential stuffing attacks,” OAG allegedly said.
"Following discovery of the attacks, the Office of the Attorney General (OAG) alerted the relevant companies so that passwords could be reset and consumers could be notified."
New York Attorney General Letitia James added that businesses have the responsibility to move and protect their customers’ online activities.
“We must do everything we can to protect consumers’ personal information and their privacy," she concluded.
Credential stuffing is a type of cyberattack in which the attackers “stuff” the target service, such as a social media platform, with millions of accounts stolen elsewhere (for example, if a e-retailer's database gets infected with malware ). They are able to submit millions of credentials almost instantly, thanks to automated solutions. The attacks are used to different ends, including identity theft, or even ransomware attacks.
The practice is extremely widespread, due to countless credentials circulating around the web, as well as the fact that many people often use the same login information (usernames, emails, as well as passwords) across numerous services, as it’s easier to remember and more convenient to use. According to James, there are currently 15 billion stolen credentials that circulate online.
- You might want to check out our list of the best firewalls right now