More than 1.1 million online accounts have been compromised in cyber attacks at 17 well-known companies, New York Attorney General Letitia James has announced.
Without revealing the names of the companies, James released a ‘Business Guide for Credential Stuffing Attacks’ that details the attacks, which involve repeated, automated attempts to access online accounts using usernames and passwords stolen from other online services, and how businesses can protect themselves.
“Right now, there are more than 15 billion stolen credentials being circulated across the internet, as users’ personal information stands in jeopardy,” James said in a statement late on Wednesday.
Credential stuffing is a type of cyberattack that involves attempts to log in to online accounts using usernames and passwords stolen from other, unrelated online services.
It relies on the widespread practice of reusing passwords as, chances are, a password used on one website was also used on another.
Following the discovery of the attacks, the Office of the Attorney General (OAG) alerted the relevant companies so that passwords could be reset and consumers could be notified.
“We must do everything we can to protect consumers’ personal information and their privacy,” said James.
Credential stuffing is one of the most common forms of cyberattack. The operator of one large content delivery network reported that it witnessed more than 193 billion such attacks in 2020 alone.
The OAG has alerted each of the 17 companies to the compromised accounts and urged the companies to investigate and take immediate steps to protect impacted customers.
The companies’ investigations revealed that most of the attacks had not previously been detected.