New York State Warns of Credential Stuffing

New York Attorney General Letitia James has released a guide to help businesses defend themselves against credential stuffing attacks. Credential stuffing is a type of brute-force attack in which attackers use automation to test stolen usernames and passwords against many different websites. New York’s advisory explains that credential stuffing “leverages the natural human tendency to reuse passwords to cope with the ever-growing number of online accounts that must be managed. Attackers know that the username and password used at one website may also be used at a half-dozen others.”

The guide states that these attacks are easy to carry out, since attackers use readily available tools and credentials purchased cheaply on criminal forums.

“Unlike many other types of cyberattacks, credential stuffing attacks often require little technical knowledge to mount,” the document says. “Attackers typically use free, easily accessible software capable of transmitting hundreds of login attempts simultaneously without human intervention. A single attacker can easily send hundreds of thousands, or even millions, of login attempts to a single web service.”

The Office of the Attorney General (OAG) found that these attacks are very successful, even against major companies. Attackers can use access to compromised accounts as a foothold within companies’ networks.

“Over a period of several months, the OAG monitored several online communities dedicated to credential stuffing,” the advisory says. “The OAG found thousands of posts containing login credentials that had been tested in credential stuffing attacks on a website or app and confirmed to provide access to a customer account. Members of these communities were free to use these validated credentials to break into the customer accounts themselves, or use them for their own credential stuffing attacks on other companies’ websites and apps.”

New-school security awareness training can enable your employees to follow security best practices so they can avoid falling victim to these attacks.

The New York Office of the Attorney General has the story.

Are your users’ passwords…P@ssw0rd?

Employees are the weakest link in network security, using weak passwords and falling for phishing and social engineering attacks. KnowBe4’s complimentary Weak Password Test (WPT) checks your Active Directory for several different types of weak password related threats.

Here's how it works:

  • Reports on the accounts that are affected
  • Tests against 10 types of weak password related threats
  • Does not show/report on the actual passwords of accounts
  • Just download, install and run it
  • Results in a few minutes!

Check Your Passwords
