New York Attorney General Issues Business Guide for Credential Stuffing Attacks

The Bureau of Internet and Technology at the Office of the New York State Attorney General (OAG) has issued a Business Guide for Credential Stuffing Attacks to raise awareness of the threat and offer advice on steps that can be taken to prevent and mitigate attacks.

Credential stuffing is a type of brute force attack where credentials stolen in previous data breaches are used to gain access to other online accounts. Bots are used to automate the process and attempts are made to access accounts using large numbers of stolen credentials until the right combination is guessed. This tactic relies on password reuse across multiple platforms. The attackers are well aware that many individuals reuse passwords on several different platforms. A compromised password on one account is likely to allow access to several others. One attacker can easily make hundreds of thousands of login attempts against a single web service to try to gain access to user accounts, with next to no manual effort required.

The guide was released following a 7-month OAG investigation which involved monitoring online communities dedicated to credential stuffing. Thousands of posts were identified that included login credentials that had been tested in credential stuffing attacks on apps and websites which had been confirmed to allow access to customer accounts. Members of the online communities were free to use the credentials in their own attacks or access the accounts that the credentials were for.

OAG identified credentials for accounts at 17 well-known companies such as restaurant chains, online retailers, and food delivery services. In total, the credentials for 1.1 million accounts were collected from the posts during the course of the investigation.

All 17 companies were contacted by the OAG to alert them to the compromised accounts and OAG asked the companies to investigate. OAG then worked with the companies to determine how their safeguards had been bypassed and suggested steps that could be taken to improve resilience to credential stuffing attacks.

OAG makes several recommendations in the guidance on steps that businesses can take to improve their defenses. These steps should be taken by all businesses that maintain online accounts for customers, with the data security program covering four areas:

  • Defending against credential stuffing attacks
  • Detection mechanisms
  • Prevention of fraud and misuse of customer information
  • Incident response policies and procedures

Defenses should include bot detection systems to identify when automated credential stuffing attacks are occurring. Third-party bot detection software can distinguish between human and bot traffic and block the offending IP addresses.

Multi-factor authentication should be made available to protect customer accounts. MFA will ensure that if the correct password for an account is guessed, access will only be granted if another authentication factor is provided. Businesses should also consider passwordless authentication, as this makes credential stuffing impossible. Businesses should also consider deploying web application firewalls to block malicious traffic and should take steps to prevent the reuse of passwords, such as checks against databases of breached passwords when customers set passwords for their accounts.

It is important to put mechanisms in place to detect malicious activity. Even sophisticated attacks on accounts have attack signatures that can be detected. Software should check for multiple failed login attempts over a certain period of time, for example, and customer account activity should be monitored to identify potentially compromised accounts.

Safeguards should also be implemented to protect against fraud and misuse of customer information, such as the need to re-authenticate at the time of purchase, use of third-party fraud detection services, and processes to mitigate against social engineering attacks on the company, such as attempts to trick customer service staff into sending authentication codes to bypass MFA.

Policies and procedures should also be developed for incident response, which should include investigation, remediation, and notice to consumers.

“The explosive growth of credential stuffing shows no signs of abating, fueled by the ever-growing numbers of stolen credentials that are available to attackers,” concluded OAG in the report. “However, companies can significantly mitigate the risks of credential stuffing to their business and their customers by maintaining a comprehensive data security program with the right mix of cybersecurity measures.”

Consumers should also take steps to reduce the risk of their accounts being compromised. When MFA is available, it should be configured. Strong passwords should be set for all accounts, and never be reused on multiple accounts. A password manager can help in this regard. There are paid and free versions of password managers – Bitwarden offers both tiers for example.  Password managers can be used to set strong, unique passwords for accounts, making them less susceptible to credential stuffing attacks.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of