New York Attorney General Letitia James has released a guide to help businesses defend themselves against credential stuffing attacks. Credential stuffing is an automated form of brute-force attack in which attackers replay username and password pairs stolen from one site against the login pages of many unrelated websites, betting that some users reused the same credentials. New York’s advisory explains that credential stuffing “leverages the natural human tendency to reuse passwords to cope with the ever-growing number of online accounts that must be managed. Attackers know that the username and password used at one website may also be used at a half-dozen others.”
The guide states that these attacks are easy to carry out, since attackers rely on readily available tools and on credentials bought cheaply on criminal forums.
“Unlike many other types of cyberattacks, credential stuffing attacks often require little technical knowledge to mount,” the document says. “Attackers typically use free, easily accessible software capable of transmitting hundreds of login attempts simultaneously without human intervention. A single attacker can easily send hundreds of thousands, or even millions, of login attempts to a single web service.”
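The traffic pattern described above is what a defender can look for: a credential stuffing source tries many different usernames roughly once each and fails most of the time, whereas a classic brute-force source hammers one username repeatedly. The script below is an added example (not code from the OAG guide or from this post) that scores authentication log lines per source address on exactly those two signals. The log format, the threshold values, and the sample lines are all constructed for the illustration.

```python
"""Flag credential-stuffing and brute-force sources in authentication logs.

Added illustrative code; the log line format ("<ts> src=<ip> user=<name>
result=<ok|fail>") and the thresholds below are assumptions, not a standard.
"""
import re
from dataclasses import dataclass, field

# Constructed sample log lines (not real data).
# 203.0.113.7  : ten different usernames, one attempt each, one success -> stuffing
# 198.51.100.9 : one username, ten failed attempts                      -> brute force
# 192.0.2.44   : a user who mistyped once and then logged in             -> normal
SAMPLE_LOG = """\
2022-01-05T10:00:01Z src=203.0.113.7 user=alice result=fail
2022-01-05T10:00:01Z src=203.0.113.7 user=bob result=ok
2022-01-05T10:00:02Z src=203.0.113.7 user=carol result=fail
2022-01-05T10:00:02Z src=203.0.113.7 user=dave result=fail
2022-01-05T10:00:03Z src=203.0.113.7 user=erin result=fail
2022-01-05T10:00:03Z src=203.0.113.7 user=frank result=fail
2022-01-05T10:00:04Z src=203.0.113.7 user=grace result=fail
2022-01-05T10:00:04Z src=203.0.113.7 user=heidi result=fail
2022-01-05T10:00:05Z src=203.0.113.7 user=ivan result=fail
2022-01-05T10:00:05Z src=203.0.113.7 user=judy result=fail
2022-01-05T10:01:00Z src=198.51.100.9 user=admin result=fail
2022-01-05T10:01:01Z src=198.51.100.9 user=admin result=fail
2022-01-05T10:01:02Z src=198.51.100.9 user=admin result=fail
2022-01-05T10:01:03Z src=198.51.100.9 user=admin result=fail
2022-01-05T10:01:04Z src=198.51.100.9 user=admin result=fail
2022-01-05T10:01:05Z src=198.51.100.9 user=admin result=fail
2022-01-05T10:01:06Z src=198.51.100.9 user=admin result=fail
2022-01-05T10:01:07Z src=198.51.100.9 user=admin result=fail
2022-01-05T10:01:08Z src=198.51.100.9 user=admin result=fail
2022-01-05T10:01:09Z src=198.51.100.9 user=admin result=fail
2022-01-05T10:02:00Z src=192.0.2.44 user=alice result=fail
2022-01-05T10:02:05Z src=192.0.2.44 user=alice result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


@dataclass
class SourceStats:
    """Per-source-address counters accumulated from the log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct usernames tried
    successes: set = field(default_factory=set)  # usernames that actually logged in


def parse_log(text):
    """Group login attempts by source address; malformed lines are skipped."""
    stats = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = stats.setdefault(m["src"], SourceStats())
        s.attempts += 1
        s.users.add(m["user"])
        if m["result"] == "ok":
            s.successes.add(m["user"])
        else:
            s.failures += 1
    return stats


def classify(stats, min_attempts=10, min_distinct_users=5,
             max_attempts_per_user=2.0, min_fail_ratio=0.8):
    """Label one source as credential_stuffing, brute_force or normal.

    Stuffing: many distinct usernames, about one try each, mostly failing.
    Brute force: few usernames, many tries, mostly failing.
    Thresholds are illustrative assumptions; tune them to your own baseline.
    """
    if stats.attempts < min_attempts:
        return "normal"
    fail_ratio = stats.failures / stats.attempts
    distinct = len(stats.users)
    if (distinct >= min_distinct_users
            and stats.attempts / distinct <= max_attempts_per_user
            and fail_ratio >= min_fail_ratio):
        return "credential_stuffing"
    if distinct < min_distinct_users and fail_ratio >= min_fail_ratio:
        return "brute_force"
    return "normal"


def analyze(text, **thresholds):
    """Map each source address to (label, sorted list of accounts it logged into)."""
    return {src: (classify(s, **thresholds), sorted(s.successes))
            for src, s in parse_log(text).items()}


if __name__ == "__main__":
    for src, (label, accounts) in analyze(SAMPLE_LOG).items():
        print(f"{src:14} {label:20} compromised={accounts}")
```

The accounts listed against a stuffing source are the "validated credentials" the advisory describes: those are the ones to force a password reset and session revocation on, not just the source to block. Grouping by source IP is the simplest possible key; real campaigns are spread across proxy pools, so in practice the same counters are also worth keeping per ASN, per user agent, or per site-wide time window, where the distinct-usernames-per-attempt ratio still stands out.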
The Office of the Attorney General (OAG) found that these attacks are very successful, even against major companies. Attackers can use access to compromised accounts as a foothold within companies’ networks.
“Over a period of several months, the OAG monitored several online communities dedicated to credential stuffing,” the advisory says. “The OAG found thousands of posts containing login credentials that had been tested in credential stuffing attacks on a website or app and confirmed to provide access to a customer account. Members of these communities were free to use these validated credentials to break into the customer accounts themselves, or use them for their own credential stuffing attacks on other companies’ websites and apps.”
New-school security awareness training can enable your employees to follow security best practices so they can avoid falling victim to these attacks.
The New York Office of the Attorney General has the story.