Recent Posts

Popular Topics



Legal developments in data, privacy, cybersecurity, and other emerging technology issues

NY Attorney General Offers Guidance on Dealing with Credential Stuffing

Last week, the New York Attorney General’s office offered guidance regarding credential stuffing, a common and costly attack on businesses and consumers, in which threat actors repeatedly attempt to log in to online accounts using usernames and passwords stolen from other online services.  Credential stuffing takes advantage of three aspects of the online ecosystem:  (1) most online accounts utilize usernames and passwords; (2) a steady flow of data breaches has resulted in billions of stolen credentials being leaked onto the dark web for other threat actors to exploit; and (3) consumers tend to reuse the same passwords across multiple online services. 

Although most login attempts in a credential stuffing attack are unsuccessful, a single attack can still yield thousands of compromised accounts due to the sheer volume of attempts, often due to the utilization of software to transmit hundreds of login attempts simultaneously without human intervention.  If successful in accessing accounts, threat actors can monetize the compromised accounts in a variety of ways, including by: (1) making fraudulent purchases using credit cards saved on the account, (2) using customer data stolen from the account in a phishing attack, or (3) selling the credentials on the dark web.

The NYAG’s guide offers businesses a variety of suggestions to help prevent and mitigate credential stuffing, including:

  • utilizing software specifically designed to identify and block bot-generated Internet traffic (often known as bot detection systems);
  • requiring multi-factor authentication, or another method for authenticating users that does not rely on a password, for user log on;
  • requiring customer re-authentication at the time of purchase;
  • monitoring customer behavior to identify and block aberrations, such as by noting spikes in traffic volume or failed login attempts;
  • implementing a web application firewall for rate limiting, HTTP request analysis, and IP address blacklisting;
  • preventing customers from utilizing credentials that have already been detected in known data breaches;
  • monitoring customer reports of fraud;
  • notifying customers of unusual or significant account activity;
  • using a third-party service to identify suspicious or fraudulent transactions; and
  • developing policies that anticipate social engineering attacks and training relevant personnel on those policies.
  • Steven M. Wernikoff

    Steve Wernikoff is a litigation and transactional partner who co-leads two of the firm's technology-based practice areas–the Data, Privacy, and Cybersecurity group and the Autonomous Vehicle group. As a previous officer and ...

Jump to Page

By using this site, you agree to our Privacy Policy and our Disclaimer.