Threat actors stole 1.1 million customer accounts from 17 well-known companies

NY OAG warned 17 companies that roughly 1.1 million of their customers have had their user accounts compromised in credential stuffing attacks.

The New York State Office of the Attorney General (NY OAG) has warned 17 companies that roughly 1.1 million accounts of their customers were compromised in credential stuffing attacks.

Credential stuffing attacks involve botnets trying stolen login credentials usually obtained through phishing attacks and data breaches. This kind of attacks is very efficient due to the bad habit of users of reusing the same password over multiple services.

According to a recent study, there are more than 15 billion stolen credentials available online that were used in credential stuffing attacks.

The study conducted by OAG lasted several months during which the experts monitored hacking communities and forums focused on credential stuffing. The experts analyzed thousands of posts containing login credentials.

“After reviewing thousands of posts, the OAG compiled login credentials for customer accounts at 17 well-known companies, which included online retailers, restaurant chains, and food delivery services. In all, the OAG collected credentials for more than 1.1 million customer accounts, all of which appeared to have been compromised in credential stuffing attacks.” reads the report published by NY OAG. “The OAG contacted each of the 17 companies to alert them to the compromised accounts. The OAG also asked the companies to investigate and take steps to protect impacted customers. Every company did so.”

The OAG compiled login credentials for accounts belonging to the customers of 17 well-known companies, including online retailers, restaurant chains, and food delivery services. The bureau collected credentials for more than 1.1 million customer accounts.

The OAG alerted the impacted companies that could reset the passwords and notify their consumers.

“Right now, there are more than 15 billion stolen credentials being circulated across the internet, as users’ personal information stand in jeopardy,” said Attorney General James.

“Businesses have the responsibility to take appropriate action to protect their customers’ online accounts and this guide lays out critical safeguards companies can use in the fight against credential stuffing. We must do everything we can to protect consumers’ personal information and their privacy.” said New York Attorney General Letitia James.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, credential stuffing)

[adrotate banner=”5″]

[adrotate banner=”13″]