1.1 million customer accounts compromised from 17 companies
New York Attorney General Letitia James notified seventeen companies after an investigation into credential stuffing, that 1.1 million customer accounts were compromised in cyberattacks.
James said her office was releasing a guide for businesses on how they can deal with credential stuffing attacks as it has quickly become one of the top attack vectors online.
The 17 businesses affected include well-known online retailers, restaurant chains, and food delivery services.
James stated that now there are more than 15 billion stolen credentials being circulated across the internet, as users’ personal information stand in jeopardy. Businesses have the responsibility to take appropriate action to protect their customers’ online accounts, and this guide lays out critical safeguards companies can use in the fight against credential stuffing. She added that they must do everything they could to protect consumers’ personal information and their privacy.
The Office of the Attorney General (OAG) monitored online communities dedicated to credential stuffing and found thousands of posts containing customer login credentials that attackers had tested in a credential stuffing attack and could be used to access customer accounts at websites.
After contacting the companies, all 17 investigated the OAG’s findings and took steps to protect users. OAG stated that almost all of the companies “implemented, or made plans to implement additional safeguards.”
These safeguards include bot detection services, multi-factor authentication and password-less authentication. They also urged companies to monitor customer traffic for signs of credential stuffing attacks like spikes in traffic volume of failed login attempts.
James also said businesses need to institute re-authentication for customer payment information as a way to prevent attackers from gaining access to sensitive information.
She urges that businesses should have a written incident response plan that includes processes for responding to credential stuffing attacks. The processes should include investigation and notice.
Image Credits : SecureData
The post 1.1 million customer accounts compromised from 17 companies first appeared on Cybersafe News.
