Home News Attackers Steal 1.1 M User Accounts Through Credential Stuffing

Attackers Steal 1.1 M User Accounts Through Credential Stuffing

According to an investigation from The New York State Office of the Attorney General (OAG), cybercriminals compromised over 1.1 million user accounts of 17 companies via credential stuffing attacks.

Credential stuffing attacks

User login credentials continue to become a primary target for cybercriminals, as they provide access to organizations’ critical infrastructures. Threat actors increasingly use various attack vectors like credential stuffing to steal classified data like usernames and passwords.

The New York State Office of the Attorney General (OAG) recently revealed that threat actors compromised over 1.1 million user accounts of 17 companies using credential stuffing attacks. The investigation conducted by OAG stated that credential stuffing attackers mostly targeted organizations in online retailers, restaurant chains, and food delivery services.

What is Credential Stuffing Attack?

In credential stuffing attacks, threat actors leverage stolen or leaked credentials like usernames and passwords to break into user accounts illicitly. Adversaries launch a credential stuffing attack by adding a list of compromised usernames and passwords to botnets or automated tools that initiate the authentication process on various websites.

OAG’s investigation found thousands of posts containing login credentials across various darknet forums, allowing other bad actors to leverage them.

Also Read: How to Prevent Credential Stuffing Attacks

“Unlike many other types of cyberattacks, credential stuffing attacks often require little technical knowledge to mount. Attackers typically use free, easily accessible software capable of transmitting hundreds of login attempts simultaneously without human intervention. A single attacker can easily send hundreds of thousands, or even millions, of login attempts to a single web service,” OAG said in a statement.


The OAG notified the affected organizations to be vigilant on the ongoing credential stuffing attacks and maintain necessary security precautions to protect against them. “Every business that maintains online accounts for its customers should therefore have a data security program that includes effective safeguards for protecting customers from credential stuffing attacks in each of four areas: defending against credential stuffing attacks, detecting a credential stuffing breach, preventing fraud and misuse of customer information, and responding to a credential stuffing incident,” OAG added.

Earlier, CISO MAG reported rising credential stuffing attacks and recommended security measures to protect online accounts. These include:

  • Enable passwordless authentication process.
  • Use continuous authentication systems like biometrics or behavioral patterns to verify the user’s authenticity.
  • Enable Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA).
  • Avoid reusing leaked/breached credentials.
  • Check whether your credentials or personal data have been leaked in any data breach at haveibeenpwned.