Seventeen companies have been informed of cyberattacks that compromised user information by New York Attorney General Letitia James following an investigation into credential stuffing. More than 1 million customer accounts were compromised due to the attacks, which James said were previously undetected. 

There have been more than 1.1 million online accounts compromised in a series of credential-stuffing attacks against 17 different companies.

New York Attorney General Letitia James said her office discovered the breaches after spendings months monitoring several online communities dedicated to credential stuffing.

The OAG discovered login credentials for customer accounts at 17 “well-known companies.” While the companies were not named, sectors included online retailers, restaurant chains, and food delivery services.

James said her office was releasing a guide for businesses on how they can deal with credential stuffing attacks, noting that the practice has “quickly become one of the top attack vectors online.”

“Right now, more than 15 billion stolen credentials are being circulated across the internet, as users’ personal information stands in jeopardy,” says Attorney General Letitia James, who added that businesses have a responsibility to protect customers and prepare an incident response plan.

Credential-stuffing attacks, such as last year’s attack on Spotify, use automated scripts to try high volumes of usernames and password combinations against online accounts to take them over. Once in, cybercriminals can use the compromised accounts for various purposes: As a pivot point to penetrate deeper into a victim’s machine and network; to drain accounts of sensitive information (or monetary value); and if it’s an email account, they can impersonate the victim for attacks on others.

James also said businesses need to institute re-authentication for customer payment information as a way to prevent attackers from gaining access to sensitive information. 

The Ponemon Institute’s Cost of Credential Stuffing report found that businesses lose an average of $6 million per year to credential stuffing in the form of application downtime, lost customers, and increased IT costs.

In May 2021, Akamai said it saw more than 193 billion requests throughout 2020 that could be classified as credential stuffing attacks.

This is not the first government-issued alert regarding the risks of credential stuffing attacks. In 2020, the FBI sent a private industry notification that warned of attacks against the U.S. financial sector. According to the notification, “since 2017 the FBI had received reports on credential stuffing attacks against U.S. financial institutions, collectively detailing nearly 50,000 compromised accounts.” Now, it appears that the number is growing.