New York State Attorney General Letitia James has issued a consumer alert, warning New Yorkers of cyberattacks targeting consumers that use the same username and password (login credentials) on more than one website or app. In these cyberattacks, known as "credential stuffing" attacks, cybercriminals attempt to log in to online accounts using login credentials stolen from other online services. Specialized software enables attackers to generate and send tens of thousands of login attempts in quick succession.
"With billions of stolen credentials floating around on the Internet, credential stuffing attacks have the ability to hurt both businesses and consumers," said James. "Fortunately, consumers can help safeguard their online accounts against credential stuffing. As we work with businesses to better safeguard consumers' private information, I encourage all New Yorkers to remain vigilant against these types of attacks and take the appropriate steps to protect their data and their wallets."
Credential stuffing attacks occur with alarming frequency. One company reported that it witnessed more than 193 billion credential stuffing attacks in 2020 alone. And, earlier this week, Attorney General James announced that a sweeping investigation by her office had identified more than 1.1 million online accounts compromised in credential stuffing cyberattacks on just 17 well-known companies.
Attorney General James recommends consumers take the following steps to safeguard their online accounts against credential stuffing attacks:
- Never reuse passwords: While reusing login information may be convenient, it also puts consumers at risk. Consumers are encouraged to always create a unique password for each of their online accounts.
- Use a password manager: A password manager on a phone or computer can keep track of a consumer's passwords, automatically filling them in when they log in to a website or an app. Many modern web browsers include this functionality. Browsers and other password managers can also check if a consumer's passwords have been stolen in a data breach, and even generate new passwords when creating new online accounts.
- Enable two-factor authentication (2FA): 2FA can provide an extra layer of security by requiring anyone logging in to an account to provide another credential, such as a one-time code sent by SMS or email. Most attackers that have access to a stolen password will not have access to a secondary credential. Consumers should ensure that if a website or app offers 2FA, that it is enabled for their account.
- Check regularly for unauthorized activity: Not all companies will notify their users when their online accounts have been compromised. Consumers are encouraged to regularly check their online accounts for unauthorized transactions and activity, and immediately contact their online service (and credit card company, if appropriate) if they see something suspicious.
- Sign up for updates: Consumers should register with a breach notification service, like Have I Been Pwned, that will send them a notification if an account associated with their email or phone number has been compromised.
- Take suspicious activity seriously: If an online service notifies a consumer of suspicious activity on the consumer’s account, the consumer should immediately change the account password. If consumers use the same password for other accounts, they should be sure to change the password for those accounts as well.