January 27, 2022

Volume XII, Number 27

New York Attorney General Announces 1.1 Million Accounts Compromised in Credential Stuffing Attacks

On January 5, 2022, the New York Office of the Attorney General (“NY AG”) announced the results of an investigation into “credential stuffing,” which uncovered 1.1 million compromised accounts resulting from cyberattacks on 17 well-known companies. The announcement included a “Business Guide for Credential Stuffing Attacks” (the “Guide”) describing the attacks and providing tips for businesses on how to protect themselves.

“Credential stuffing” refers to a type of cyberattack that typically involves repeated attempts to log in to online accounts using usernames and passwords stolen from other online services. These attacks rely on the fact that many people reuse the same credentials across various online accounts and platforms. Although most log-in attempts in a credential stuffing attack will fail, a single attack can nevertheless compromise thousands of accounts. In its announcement, the NY AG noted that one company “witnessed more than 193 billion such attacks in 2020 alone.”

Out of concern over this growing threat, the NY AG launched an investigation to identify businesses and consumers impacted by credential stuffing attacks. Over a period of several months, the NY AG monitored a number of online credential-stuffing communities. The NY AG found thousands of posts containing customer log-in credentials gained from credential stuffing attacks, which had been tested and confirmed as usable. From these posts, the NY AG identified credentials belonging to 1.1 million compromised accounts from 17 well-known online retailers, restaurant chains and food delivery services.

Based on its findings, the NY AG developed the Guide to offer businesses concrete guidance on steps they can take to better protect themselves against credential stuffing attacks. The Guide recommends that businesses develop a data security program centered on safeguards in four key areas:

  1. Defending against credential stuffing attacks;

  2. Detecting a credential stuffing breach;

  3. Preventing fraud and misuse of customer information; and

  4. Responding to a credential stuffing incident.

According to the Guide, businesses should defend against credential stuffing attacks using bot detection systems, multi-factor or password-less authentication, and web application firewalls. The Guide further recommends that businesses implement incident detection procedures, such as monitoring customer activity and fraud reports, notifying customers of unusual or significant account activity, and seeking the help of third-party threat intelligence firms. The Guide also suggests that businesses have in place fraud prevention safeguards and an incident response plan to mitigate the effects of a successful attack.
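As an added illustration of the “monitoring customer activity” the Guide calls for (this is example code written for this post, not material from the NY AG Guide or from any company named in the announcement), the following Python script scans authentication log lines for the two signatures that distinguish credential stuffing from ordinary failed logins: one source trying many different usernames with a high failure rate, and a spike in the number of distinct accounts failing authentication across all sources. The log format, the thresholds and the sample log lines are assumptions constructed for the example; a successful login inside a flagged burst is reported as a likely compromised account, which is the list a business would need for customer notification.

```python
"""Credential-stuffing detection over constructed authentication log lines.

Added example; not code from the NY AG Guide or the article. The log format
("<ISO time> ip=<addr> user=<name> result=<ok|fail>"), the thresholds and the
sample data are assumptions made for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: one source cycling through many usernames (stuffing),
# one source retrying a single account (ordinary forgotten password), one normal login.
SAMPLE_LOG = """\
2022-01-05T10:00:01 ip=203.0.113.7 user=alice result=fail
2022-01-05T10:00:02 ip=203.0.113.7 user=bob result=fail
2022-01-05T10:00:02 ip=203.0.113.7 user=carol result=fail
2022-01-05T10:00:03 ip=203.0.113.7 user=dave result=ok
2022-01-05T10:00:03 ip=203.0.113.7 user=erin result=fail
2022-01-05T10:00:04 ip=203.0.113.7 user=frank result=fail
2022-01-05T10:00:04 ip=203.0.113.7 user=grace result=fail
2022-01-05T10:00:05 ip=203.0.113.7 user=heidi result=fail
2022-01-05T10:00:05 ip=203.0.113.7 user=ivan result=fail
2022-01-05T10:00:06 ip=203.0.113.7 user=judy result=fail
2022-01-05T10:00:07 ip=198.51.100.20 user=alice result=fail
2022-01-05T10:00:09 ip=198.51.100.20 user=alice result=fail
2022-01-05T10:00:15 ip=198.51.100.20 user=alice result=ok
2022-01-05T10:01:00 ip=192.0.2.44 user=mallory result=ok
"""


@dataclass
class Finding:
    ip: str
    attempts: int
    distinct_users: int
    failure_ratio: float
    successful_users: list  # accounts that authenticated from the flagged source


def parse_line(line):
    """Parse one assumed-format log line into (timestamp, ip, user, success)."""
    ts_str, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return datetime.fromisoformat(ts_str), fields["ip"], fields["user"], fields["result"] == "ok"


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_stuffing(events, window=timedelta(minutes=5), min_attempts=8,
                    min_distinct_ratio=0.8, min_failure_ratio=0.7):
    """Flag sources that, within any sliding window, try many distinct usernames
    and mostly fail. Single-account retries have a low distinct-user ratio and
    are not flagged. Returns {ip: Finding} using the largest qualifying window."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            burst = evs[start:end + 1]
            if len(burst) < min_attempts:
                continue
            users = {u for _, u, _ in burst}
            failures = sum(1 for _, _, ok in burst if not ok)
            distinct_ratio = len(users) / len(burst)
            failure_ratio = failures / len(burst)
            if distinct_ratio >= min_distinct_ratio and failure_ratio >= min_failure_ratio:
                if ip not in findings or len(burst) > findings[ip].attempts:
                    successes = sorted({u for _, u, ok in burst if ok})
                    findings[ip] = Finding(ip, len(burst), len(users), failure_ratio, successes)
    return findings


def peak_distinct_failed_users(events, window=timedelta(minutes=5)):
    """Source-independent signal: the most distinct accounts that failed login
    inside any window. Catches stuffing spread over many proxies, where no
    single IP crosses the per-source threshold."""
    fails = sorted((ts, u) for ts, _, u, ok in events if not ok)
    counts, best, start = defaultdict(int), 0, 0
    for ts, user in fails:
        counts[user] += 1
        while ts - fails[start][0] > window:
            old = fails[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in detect_stuffing(evs).values():
        print(f"{f.ip}: {f.attempts} attempts, {f.distinct_users} users, "
              f"{f.failure_ratio:.0%} failed; notify accounts {f.successful_users}")
    print("peak distinct failed accounts in window:", peak_distinct_failed_users(evs))
```

On the sample data only 203.0.113.7 is flagged (ten attempts against ten different accounts, nine of them failing), with `dave` reported as the account to notify; 198.51.100.20 retrying `alice` is left alone. The second, per-window count of distinct failing accounts is the signal to alert on when an attacker rotates through residential proxies, since each individual IP then stays under the per-source threshold.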

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved. National Law Review, Volume XII, Number 12

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...
