Recent Posts

Popular Topics



Legal developments in data, privacy, cybersecurity, and other emerging technology issues

NY Attorney General Offers Guidance on Dealing with Credential Stuffing

Last week, the New York Attorney General’s office offered guidance regarding credential stuffing, a common and costly attack on businesses and consumers, in which threat actors repeatedly attempt to log in to online accounts using usernames and passwords stolen from other online services.  Credential stuffing takes advantage of three aspects of the online ecosystem:  (1) most online accounts utilize usernames and passwords; (2) a steady flow of data breaches has resulted in billions of stolen credentials being leaked onto the dark web for other threat actors to exploit; and (3) consumers tend to reuse the same passwords across multiple online services. 

Although most login attempts in a credential stuffing attack are unsuccessful, a single attack can still yield thousands of compromised accounts due to the sheer volume of attempts, often due to the utilization of software to transmit hundreds of login attempts simultaneously without human intervention.  If successful in accessing accounts, threat actors can monetize the compromised accounts in a variety of ways, including by: (1) making fraudulent purchases using credit cards saved on the account, (2) using customer data stolen from the account in a phishing attack, or (3) selling the credentials on the dark web.

The NYAG’s guide offers businesses a variety of suggestions to help prevent and mitigate credential stuffing, including:

  • utilizing software specifically designed to identify and block bot-generated Internet traffic (often known as bot detection systems);
  • requiring multi-factor authentication, or another method for authenticating users that does not rely on a password, for user log on;
  • requiring customer re-authentication at the time of purchase;
  • monitoring customer behavior to identify and block aberrations, such as by noting spikes in traffic volume or failed login attempts;
  • implementing a web application firewall for rate limiting, HTTP request analysis, and IP address blacklisting;
  • preventing customers from utilizing credentials that have already been detected in known data breaches;
  • monitoring customer reports of fraud;
  • notifying customers of unusual or significant account activity;
  • using a third-party service to identify suspicious or fraudulent transactions; and
  • developing policies that anticipate social engineering attacks and training relevant personnel on those policies.
Jump to Page

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.