More than 1.1 million online accounts have been compromised in a series of credential-stuffing attacks against 17 different companies, according to a New York State investigation.
Credential-stuffing attacks, such as last year’s attack on Spotify, use automated scripts to try high volumes of username-and-password pairs, typically harvested from earlier data breaches, against login forms in an effort to take over accounts. Once in, cybercriminals can use the compromised accounts for various purposes: as a pivot point to penetrate deeper into a victim’s machine and network; to drain accounts of sensitive information (or monetary value); and, if it’s an email account, to impersonate the victim in attacks on others.
Such attacks are often successful thanks to password reuse and the use of common, easy-to-guess passwords like “123456.” And they’re costly: The Ponemon Institute’s Cost of Credential Stuffing report found that businesses lose an average of $6 million per year to credential stuffing in the form of application downtime, lost customers and increased IT costs.
“With over 8.4 billion passwords in the wild and over 3.5 billion of those passwords tied to actual email addresses, it provides a starting point and easy attack vector for cybercriminals to target various online sites that utilize accounts for their customers,” said James McQuiggan, security awareness advocate at KnowBe4, via email. “These types of attacks give access to personal information about the user, their tax information and of course, their Social Security numbers for them and possibly their immediate family. Additionally, cybercriminals recognize that many organizations or users will not implement additional security measures and use the same password across various website accounts.”
To examine the extent of the problem, the New York Office of the Attorney General (OAG) embarked on a months-long examination of activity in underground cybercrime forums dedicated to credential stuffing.
“The OAG found thousands of posts that contained customer login credentials that attackers had tested in a credential stuffing attack and confirmed could be used to access customer accounts at websites or on apps,” according to a Wednesday media statement.
The 17 affected organizations are “well-known online retailers, restaurant chains and food delivery services,” the office added.
The OAG alerted the relevant companies so that passwords could be reset and consumers could be notified, it said. The companies’ own internal investigations revealed that most of the attacks had not previously been detected, so nearly all of the companies implemented, or made plans to implement, additional safeguards, including bot-detection services, multifactor authentication and passwordless authentication.
“Right now, there are more than 15 billion stolen credentials being circulated across the internet, as users’ personal information stands in jeopardy,” said New York Attorney General Letitia James. “Businesses have the responsibility to take appropriate action to protect their customers’ online accounts and this guide lays out critical safeguards companies can use in the fight against credential stuffing. We must do everything we can to protect consumers’ personal information and their privacy.”
Users should beware follow-on attacks as well, researchers added.
“Like many people today, I have a neighborhood-watch application which alerts me to things happening in my community,” said Ron Bradley, vice president of Shared Assessments, via email. “Oftentimes people will post videos of threat actors checking the locks on cars and home doors…this perimeter ‘doorknob’ testing is similar to the recent announcement by the New York OAG. The fact is, there are billions of compromised credentials easily available on the internet. Threat actors will constantly use these resources in an attempt to breach digital assets.”
How to Protect Against Credential-Stuffing Attacks
Bradley offered additional defender advice: “In this case, the importance of identity and access management (IAM) cannot be overstated. Organizations absolutely must enforce multiple layers of protection, especially when it comes to accessing sensitive data. The equation to combat this issue is straightforward.”
The ideal approach includes the following, he said:
- Strong passwords are good, but passphrases are better
- Privileged access should always be accompanied with multifactor authentication
- Throttle internet-facing applications to prevent brute-force login attempts
- Detection and response mechanisms must be deployed and validated regularly
“These are just a few of the fundamental controls needed to protect your data,” Bradley concluded. “It’s important to remember your digital asset boundary is like squeezing a balloon. You can tighten one side, but the other side expands. The challenge is finding that middle ground. When third parties are involved, the task becomes increasingly difficult as you must ensure they are following no less than the controls you’ve specified.”
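Bradley’s list gives throttling and detection one line each. The following added example (it is not code from the article, from Shared Assessments or from any of the affected companies) shows what both look like in practice: it parses a constructed login-log format, classifies each source IP over a sliding window, separating the credential-stuffing signature (one source cycling through many distinct usernames with a high failure rate and the occasional success) from a single-account brute-force attempt, and applies a sliding-window throttle that can be keyed by account as well as by source IP. The log format, IP addresses (RFC 5737 documentation ranges), thresholds and sample lines are all assumptions.

```python
"""Spot credential stuffing in login logs and throttle the source.

Added example, not code from the Threatpost article or from Shared Assessments.
The log format, IP addresses (RFC 5737 documentation ranges), thresholds and
sample lines are all constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <client ip> POST /login user=<name> status=<http status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /login user=(?P<user>\S+) status=(?P<status>\d{3})$"
)

WINDOW = timedelta(seconds=60)  # sliding window per source IP (assumed value)
MIN_ATTEMPTS = 5                # below this many attempts nothing is flagged

# Constructed sample: 203.0.113.7 walks a breached username list (stuffing, one
# hit), 198.51.100.4 hammers a single account (brute force), 192.0.2.9 is a real
# user who mistypes once and then logs in.
SAMPLE_LOG = """\
2022-01-05T10:00:00 203.0.113.7 POST /login user=alice status=401
2022-01-05T10:00:01 203.0.113.7 POST /login user=bob status=401
2022-01-05T10:00:02 203.0.113.7 POST /login user=carol status=401
2022-01-05T10:00:03 203.0.113.7 POST /login user=dave status=200
2022-01-05T10:00:04 203.0.113.7 POST /login user=erin status=401
2022-01-05T10:00:05 203.0.113.7 POST /login user=frank status=401
2022-01-05T10:00:06 203.0.113.7 POST /login user=grace status=401
2022-01-05T10:00:10 198.51.100.4 POST /login user=admin status=401
2022-01-05T10:00:11 198.51.100.4 POST /login user=admin status=401
2022-01-05T10:00:12 198.51.100.4 POST /login user=admin status=401
2022-01-05T10:00:13 198.51.100.4 POST /login user=admin status=401
2022-01-05T10:00:14 198.51.100.4 POST /login user=admin status=401
2022-01-05T10:00:20 192.0.2.9 POST /login user=mallory status=401
2022-01-05T10:00:25 192.0.2.9 POST /login user=mallory status=200
"""


def parse(log_text):
    """Turn matching log lines into (timestamp, ip, user, status) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not login attempts
        events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"], int(m["status"])))
    return events


def classify_sources(events):
    """Return {ip: verdict} using the attempts seen from each IP inside WINDOW.

    Stuffing: many different usernames, mostly failures, from one source.
    Brute force: one username, mostly failures, from one source.
    """
    recent = defaultdict(deque)  # ip -> deque of (ts, user, status) within WINDOW
    verdicts = {}
    for ts, ip, user, status in sorted(events):
        q = recent[ip]
        q.append((ts, user, status))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()  # drop attempts that fell out of the window
        n = len(q)
        if n < MIN_ATTEMPTS:
            continue
        distinct_users = len({u for _, u, _ in q})
        failure_rate = sum(1 for _, _, s in q if s != 200) / n
        if distinct_users / n >= 0.8 and failure_rate >= 0.8:
            verdicts[ip] = "credential_stuffing"
        elif distinct_users == 1 and failure_rate >= 0.8:
            verdicts[ip] = "brute_force"
    return verdicts


class LoginThrottle:
    """Sliding-window cap on login attempts per key.

    Key it by account as well as by IP: stuffing tools rotate through proxies,
    so a per-IP limit on its own is easy to sidestep.
    """

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)  # key -> timestamps of accepted attempts

    def allow(self, key, ts):
        q = self._hits[key]
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over the cap: reject without touching the password store
        q.append(ts)
        return True


def throttle_demo():
    """Four rapid attempts against a limit of three, then one after the window."""
    t = LoginThrottle(limit=3, window=timedelta(seconds=60))
    base = datetime(2022, 1, 5, 10, 0, 0)
    decisions = [t.allow("203.0.113.7", base + timedelta(seconds=i)) for i in range(4)]
    decisions.append(t.allow("203.0.113.7", base + timedelta(seconds=61)))
    return decisions  # [True, True, True, False, True]


if __name__ == "__main__":
    for ip, verdict in classify_sources(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {verdict}")
    print(throttle_demo())
```

The distinct-username ratio is what tells stuffing apart from brute force, and it is also why the stuffing verdict survives the one successful login in the sample: a real attacker cycling a breach dump expects a small hit rate, so a detector that only counts failures per account will miss it. The thresholds here are illustrative; in production they would be tuned against the site’s own baseline of legitimate failed logins.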
Everyone should also stop using old passwords that were involved in data breaches, McQuiggan noted: “The easiest way to see if one’s accounts have been involved in a breach is to check the HaveIBeenPwned.com website, which tracks email addresses and phone numbers that have been in data breaches over the past fifteen years.”
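McQuiggan’s advice is aimed at users checking their own addresses. The defender-side counterpart, which goes one step beyond what he describes, is to screen passwords at registration and reset time against the same breach corpus so that a credential known to be in circulation is never accepted in the first place. The following added example (not code from the article, from KnowBe4 or from HaveIBeenPwned) does that through the Pwned Passwords range API at https://api.pwnedpasswords.com/range/, which is queried with only the first five hex characters of the password’s SHA-1 so that neither the password nor its full hash leaves the machine. The live lookup is real; the canned bucket contents, counts and the `offline_lookup` stand-in used to run it without network access are constructed.

```python
"""Screen a password against Pwned Passwords using the k-anonymity range API.

Added example, not code from the Threatpost article or from HaveIBeenPwned.
The API endpoint and its "SUFFIX:COUNT" response format are real; the bucket
served by offline_lookup and every count in it are constructed.
"""
import hashlib
import urllib.request


def sha1_hex_upper(password: str) -> str:
    """Pwned Passwords is keyed on the uppercase hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def hibp_range_lookup(prefix: str) -> str:
    """Live lookup: fetch every suffix in the bucket for this 5-char prefix."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "credential-stuffing-defense-example"},  # assumed UA string
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, range_lookup=hibp_range_lookup) -> int:
    """Return how often `password` appears in the corpus (0 if never).

    Only the first five hex characters of the hash are sent; the server returns
    the whole bucket and the comparison against the remaining 35 happens here.
    """
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


# Constructed stand-in for the bucket "5BAA6", which is where
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8 lands.
# The other suffixes and all of the counts are made up.
_FAKE_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
27C6F9E6CF1B7E0A2E9AA7D0B5B1F1D2C3A:1
"""


def offline_lookup(prefix: str) -> str:
    """Serve the constructed bucket so the check runs without network access."""
    return _FAKE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def reject_if_breached(password: str, range_lookup=hibp_range_lookup) -> bool:
    """Policy hook for a registration or reset form: True means refuse it."""
    return pwned_count(password, range_lookup) > 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", "rejected" if reject_if_breached(candidate, offline_lookup) else "ok")
```

Swap `offline_lookup` for the default `hibp_range_lookup` to query the live service. Because the server only ever sees a five-character prefix shared by hundreds of other hashes, the check does not itself become a place where user passwords leak.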