New York Attorney General James Alerts 17 Companies to “Credential Stuffing” Cyberattacks Impacting More Than 1.1 Million Consumers

NEW YORK – New York Attorney General Letitia James today announced the results of a sweeping investigation into “credential stuffing” that discovered more than 1.1 million online accounts compromised in cyberattacks at 17 well-known companies. Attorney General James released a “Business Guide for Credential Stuffing Attacks” that details the attacks — which involve repeated, automated attempts to access online accounts using usernames and passwords stolen from other online services — and how business can protect themselves. Credential stuffing has quickly become one of the top attack vectors online. Virtually every website and app use passwords as a means of authenticating its users. Unfortunately, users tend to reuse the same passwords across multiple online services. This allows cybercriminals to use passwords stolen from one company for other online accounts. Following discovery of the attacks, the Office of the Attorney General (OAG) alerted the relevant companies so that passwords could be reset and consumers could be notified. Today’s guide shares lessons learned over the course of the OAG’s investigation, including concrete guidance on steps businesses can take to better protect against credential stuffing attacks. “Right now, there are more than 15 billion stolen credentials being circulated across the internet, as users’ personal information stand in jeopardy,” said Attorney General James. “Businesses have the responsibility to take appropriate action to protect their customers’ online accounts and this guide lays out critical safeguards companies can use in the fight against credential stuffing. We must do everything we can to protect consumers’ personal information and their privacy.” What is Credential Stuffing? Credential stuffing is a type of cyberattack that involves attempts to log in to online accounts using username and passwords stolen from other, unrelated online services. It relies on the widespread practice of reusing passwords as, chances are, a password used on one website was also used on another. In a typical credential stuffing attack, an attacker may submit hundreds of thousands, or even millions, of login attempts using automated, credential-stuffing software and lists of stolen credentials downloaded from the dark web or hacking forums. Although only a small percentage of these attempts will succeed, through the sheer volume of login attempts, a single attack can nevertheless yield thousands of compromised accounts. An attacker that gains access to an account can use it in any number of ways. The attacker can, for example, view personal information associated with the account, including a name, an address, and past purchases, and use this information in a phishing attack. If the account has a stored credit card or gift card, the attacker may be able to make fraudulent purchases. Or the attacker could simply sell the login credentials to another individual on the dark web. Credential stuffing is one of the most common forms of cyberattack. The operator of one large content delivery network reported that it witnessed more than193 billion such attacks in 2020 alone. The OAG’s Investigation In light of the growing threat of credential stuffing, the OAG launched an investigation to identify businesses and consumers impacted by this attack vector. Over a period of several months, the OAG monitored several online communities dedicated to credential stuffing. The OAG found thousands of posts that contained customer login credentials that attackers had tested in a credential stuffing attack and confirmed could be used to access customer accounts at websites or on apps. From these posts, the OAG compiled credentials to compromised accounts at 17 well-known online retailers, restaurant chains, and food delivery services. In all, the OAG collected credentials for more than 1.1 million customer accounts, all of which appeared to have been compromised in credential stuffing attacks. The OAG alerted each of the 17 companies to the compromised accounts and urged the companies to investigate and take immediate steps to protect impacted customers. Every company did so. The companies’ investigations revealed that most of the attacks had not previously been detected. The OAG also worked with the companies to determine how attackers had circumvented existing safeguards and provided recommendations for strengthening their data security programs to better secure customer accounts in the future. Over the course of the OAG’s investigation, nearly all of the companies implemented, or made plans to implement, additional safeguards. The OAG’s Recommendations Credential stuffing attacks have become so prevalent that they are, for most businesses, unavoidable. Every business that maintains online customer accounts should therefore have a data security program that includes effective safeguards for protecting customers from credential stuffing attacks. Safeguards should be implemented in each of four areas: Defending against credential stuffing attacks, Detecting a credential stuffing breach, Preventing fraud and misuse of customer information, and Responding to a credential stuffing incident. Attorney General James’ guide presents specific safeguards that have been found to be effective in each of these areas. Some highlights from the guide include the following: Three safeguards were found to be highly effective at defending against credential stuffing attacks when properly implemented: 1) bot detection services, 2) multi-factor authentication, and 3) password-less authentication. Because no safeguard is 100 percent effective, it is critical that businesses have an effective way of detecting attacks that have bypassed other defenses and compromised customer accounts. Most credential stuffing attacks can be identified by monitoring customer traffic for signs of attacks (for example, spikes in traffic volume of failed login attempts). One of the most effective safeguards for preventing attackers from using customers’ stored payment information is re-authentication at the time of purchase by, for example, requiring customers to re-enter a credit card number or security code. It is critically important that re-authentication be required for every method of payment that a business accepts. The OAG encountered many cases in which attackers were able to exploit gaps in fraud protection by making a purchase using a payment method that did not require re-authentication. Businesses should have a written incident response plan that includes processes for responding to credential stuffing attacks. The processes should include investigation (e.g., determining whether and which customer accounts were accessed), remediation (e.g., blocking attackers’ continued access to impacted accounts), and notice (e.g., alerting […]

How Cybercriminals Abuse OpenBullet for Credential Stuffing

Cedric Pernet, Fyodor Yarochkin, and Vladimir Kropotov write: … The trend for access-related cybercrime, such as credential stuffing, is steadily rising with no sign of slowing down. According to an Akamai report, there has been a total of 88 billion credential stuffing attacks from January 2018 to December 2019. Credential stuffing, a type of a brute-force attack that makes use of botnets to access websites and online services using stolen credentials, allows financially motivated actors to gain unfettered access to victims’ bank accounts and sensitive information. Cybercriminals also profit from stolen credentials by selling them in underground forums and markets. As the business of acquiring unique credentials continues to become more lucrative, cybercriminals are enriching their attack tools and techniques by abusing legitimate software for nefarious purposes. Read more on Trend Micro.

FR: CNIL Fines a Data Controller and Its Processor 225,000 Euros for Security Violation in Connection with Credential Stuffing

Hunton Andrews Kurth writes: On January 27, 2021, the French Data Protection Authority (the “CNIL”) announced (in French) that it imposed a fine of €150,000 on a data controller, and a fine of €75,000 on its data processor, for failure to implement adequate security measures to protect customers’ personal data against credential stuffing attacks on the website of the data controller. The CNIL decided not to make its decisions public, thereby not disclosing the name of the companies sanctioned. Read more on Privacy & Information Security Law Blog.

Over 300K Spotify accounts hacked in credential stuffing attack

Lawrence Abrams reports: Hackers have been attempting to gain access to Spotify accounts using a database of 380 million records with login credentials and personal information collected from various sources. For years, users have complained that their Spotify accounts were hacked after passwords were changed, new playlists would appear in their profiles, or their family accounts had strangers added from other countries. Read more on BleepingComputer.

UK: Tesco issues 600,000 new Clubcards after credential stuffing attack

Kalila Sangster reports: Tesco (TSCO.L) is issuing new cards to 600,000 Clubcard account holders after discovering a security breach. The supermarket said some customers may have fallen victim to online fraud after a database of stolen usernames and passwords from other platforms had been tried out on its website. The use of the stolen data may have been successful in redeeming Clubcard vouchers some cases, according to the retailer. Read more on Yahoo! And no, don’t blame Tesco for this, although perhaps we should ask after how many attempts they lock an attempter out. But ultimately, this is due to people reusing login credentials across sites.  Sometimes, we really have to take some responsibility for making it too easy for attackers.

Tax Returns Exposed in TurboTax Credential Stuffing Attacks

Sergiu Gatlan reports: Financial software company Intuit discovered that tax return info was accessed by an unauthorized party after an undisclosed number of TurboTax tax preparation software accounts were breached in a credential stuffing attack. A credential stuffing attack is when attackers compile username and passwords that were leaked from previous security breaches and use those credentials to try and gain access to accounts at other sites. This type of attack works particularly well against users who use the same password at every site. Read more on BleepingComputer. It’s 2019.  Why is this still a thing? Here is Intuit’s notification to Vermont:

DailyMotion discloses credential stuffing attack

Catalin Cimpanu reports: Video sharing platform DailyMotion announced on Friday that it was the victim of a credential stuffing attack, ZDNet has learned. […] According to an email sent out to impacted customers, and seen by ZDNet, the credential stuffing started last weekend, on January 19, and appears to have been successful in some cases, with hackers gaining access to a limited number of accounts. Read more on ZDNet.

Eyeware retailer Warby Parker forces password reset; notifies 198,000 customers of credential stuffing attack

Sam Woods reports: Eyewear retailer Warby Parker announced Thursday that it had suffered a cybersecurity breach that may have affected up to 198,000 customers.Hackers accessed customer usernames and passwords from unrelated cyber break-ins at other companies, according to a Warby Parker news release. The hackers then used that information to try to gain unauthorized access to client data at several Internet retailers, including Warby Parker. Read more on Philly.com.

The 111 Million Record Pemiblanc Credential Stuffing List

Troy Hunt reports: ……. I’ve just loaded 111 million email addresses found in a credential stuffing list called “Pemiblanc” into HIBP. I had multiple different supporters of HIBP direct me to this collection of data which resided on a web server in France and looked like this:   That site has now been taken down and the data no longer accessible, but per the image above you can see the files dating it around early April. The “USA” folder above contained a loosely organised set of files filled with email address and password pairs: Read more on TroyHunt.com.

Humana notifies members after credential stuffing attack on Humana.com and Go365.com

Health insurer Humana recently began notifying an unspecified number of health plan members after detecting and blocking a credential stuffing attack against Humana.com and Go365.com. The attacks took place on June 3 and June 4 from overseas IP addresses. In a notification letter dated June 21, Jim Theiss, Humana’s Chief Privacy Officer, writes: On June 3, 2018 Humana was the target of a sophisticated cyber spoofing attack that occurred on Humana.com and Go365.com. Your personal information on these websites may have been accessed by the attackers. On June 3, 2018 Humana became aware of a significant increase in the number of secure log in errors that were the result of numerous attempts to log into Humana.com and/or Go365.com from foreign countries. Humana Cyber Security Operations blocked the offending foreign Internet Protocol (IP) addresses from the websites on June 4, 2018. The volume of log in attempts to Humana.com and/or Go365.com on June 3, 2018 and June 4, 2018 suggested that a large and broad-based automated attack had been launched. This was evidenced by the volume of log in attempts coming from a foreign country. The nature of the attack and observed behaviors indicated the attacker had a large database of user identifiers (IDs) and corresponding passwords that were being inputted with the intention of identifying which might be valid on Humana.com and/or Go365.com. The excessive number of log in failures strongly suggests the ID and password combinations did not originate from Humana. Humana blocked the foreign addresses by June 4, 2018 In response to the incident, Humana took a number of steps, including forcing a password reset,  deploying new alerts of successful and failed logins and locked accounts, as well as deploying a series of technical controls to enhance web portal security. They are also offering members an identity theft protection product for one year. Of note, Humana informed members that Humana has determined there is no evidence that any data was removed from Humana systems. This incident does not yet appear on HHS’ public breach tool. When it does, we will have a number of affected members.