Hackers Stole 1.1 million Customer Credentials From 17 Companies, NY OAG Announces

Earlier this week, New York’s State Office of the Attorney General (OAG) announced that attackers compromised the accounts of 1.1 million customers of 17 popular companies through credential stuffing attacks.

The NY OAG monitored several online communities where validated credentials were shared among users, and started a “sweeping investigation” that lasted several months. Reportedly, the credentials come from several undetected credential stuffing attacks.

In a credential stuffing attack, perpetrators try to connect to user accounts using login information stolen from various other online services. The attempts can number in the millions, boosting the efficacy of the attack.

The attackers’ goal is to validate and harvest as many credentials as they can, retrieve financial information if possible, and sell the collected data on various marketplaces, such as the dark web, or hacking forums.

However, attackers can also benefit by using the credentials directly in unauthorized purchases or identity theft scams.

Users who set the same password for several online services are most vulnerable to this type of attack. It makes perfect sense, considering that the attack consists of trying to log into an account on a specific platform by using credentials from other online services.

How to avoid credential stuffing attacks

Seeing as the attack targets users who rely on identical username or email/password combinations for several online platforms, the most obvious way to fend off this threat is to use unique credentials for each service for which you create an account.

Another equally effective method is to enable MFA (Multi-Factor Authentication) whenever possible, thus adding extra layers of protection between attackers and your account.

It’s best to stick with possession-based or biometric MFA methods such as authenticator apps, fingerprint scanners, physical tokens and SMS codes from pre-registered mobile phone numbers rather than using security questions, which can be easily social engineered.

Last but not least, you can turn to a trustworthy service to screen for leaked credentials such as Bitdefender Digital Identity Protection. Our service performs online scans for unauthorized leaks of your personal data, monitors if your accounts have been compromised, and helps you take action before perpetrators gain access to your data.