New York State Warns of Credential Stuffing

Stu Sjouwerman | Jan 6, 2022

New York Attorney General Letitia James has released a guide to help businesses defend themselves against credential stuffing attacks. Credential stuffing is a type of brute-force attack in which attackers use automation to test stolen usernames and passwords against many different websites. New York’s advisory explains that credential stuffing “leverages the natural human tendency to reuse passwords to cope with the ever-growing number of online accounts that must be managed. Attackers know that the username and password used at one website may also be used at a half-dozen others.”

The guide states that these attacks are easy to carry out, as attackers use readily available tools and credentials purchased cheaply on criminal forums.

“Unlike many other types of cyberattacks, credential stuffing attacks often require little technical knowledge to mount,” the document says. “Attackers typically use free, easily accessible software capable of transmitting hundreds of login attempts simultaneously without human intervention. A single attacker can easily send hundreds of thousands, or even millions, of login attempts to a single web service.”
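The pattern the advisory describes, one source sending a flood of mostly failed logins across many different accounts, is what a defender can look for in authentication logs. The following is an added example, not code from the advisory or from KnowBe4; it uses a constructed, hypothetical log format and flags source IPs that hit many distinct usernames within a short window with a low success rate, listing any accounts that did succeed (the "validated credentials" the OAG saw traded in forums).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a hypothetical web-auth log shape (not from the advisory):
# <ISO timestamp> <source IP> login <username> <success|failure>
SAMPLE_LOG = """\
2022-01-06T10:00:00 203.0.113.7 login alice failure
2022-01-06T10:00:01 203.0.113.7 login bob failure
2022-01-06T10:00:01 203.0.113.7 login carol failure
2022-01-06T10:00:02 203.0.113.7 login dave success
2022-01-06T10:00:02 203.0.113.7 login erin failure
2022-01-06T10:00:03 203.0.113.7 login frank failure
2022-01-06T10:00:05 198.51.100.2 login alice failure
2022-01-06T10:00:09 198.51.100.2 login alice failure
2022-01-06T10:00:15 198.51.100.2 login alice success
"""

LINE_RE = re.compile(r"^(\S+) (\S+) login (\S+) (success|failure)$")

def parse(log_text):
    """Turn raw log lines into (timestamp, ip, user, result) tuples; skip lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def stuffing_sources(events, window_s=60, min_users=5, max_success_ratio=0.5):
    """Return IPs whose attempts in some sliding window span many usernames and mostly fail."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()  # chronological order so the window below is contiguous in time
        start = 0
        for end in range(len(attempts)):
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_s:
                start += 1  # slide the window forward once it exceeds window_s
            window = attempts[start:end + 1]
            users = {u for _, u, _ in window}
            successes = sum(1 for _, _, r in window if r == "success")
            if len(users) >= min_users and successes / len(window) <= max_success_ratio:
                flagged[ip] = {"distinct_users": len(users), "attempts": len(window),
                               "compromised": sorted(u for _, u, r in window if r == "success")}
    return flagged
```

A single user retrying their own password (the second IP above) is not flagged, because the distinct-username count, not the failure count alone, is what separates stuffing from an ordinary forgotten password.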

The Office of the Attorney General (OAG) found that these attacks are very successful, even against major companies. Attackers can use access to compromised accounts as a foothold within companies’ networks.

“Over a period of several months, the OAG monitored several online communities dedicated to credential stuffing,” the advisory says. “The OAG found thousands of posts containing login credentials that had been tested in credential stuffing attacks on a website or app and confirmed to provide access to a customer account. Members of these communities were free to use these validated credentials to break into the customer accounts themselves, or use them for their own credential stuffing attacks on other companies’ websites and apps.”

New-school security awareness training can enable your employees to follow security best practices so they can avoid falling victim to these attacks.

The New York Office of the Attorney General has the story.
