Hackers take over 1.1 million accounts by trying reused passwords

Hackers take over 1.1 million accounts by trying reused passwords

The New York State Office of the Attorney General has warned 17 companies that roughly 1.1 million customers have had their user accounts compromised in credential stuffing attacks.

Credential stuffing is the automated injection of stolen username and password pairs in to website login forms, in order to fraudulently gain access to user accounts. Many users reuse the same password and username/email, so if those credentials are stolen from one site—say, in a data breach or phishing attack—attackers can use the same credentials to compromise accounts on other services.

While credential stuffing may seem like a tiresome and long-winded game for attackers, it has proven to be very effective against. And unlike many other types of cyberattacks, credential stuffing attacks often require little technical knowledge.

The consequences

When attackers gain access to an account, they have several options to monetize it, such as:

  • Draining stolen shopping accounts of stored value, or making purchases.
  • Accessing more sensitive information such as credit card numbers, private messages, pictures, or documents which can ultimately lead to identity theft.
  • Using a forum or social media account to send phishing messages or spam.
  • Selling the known-valid credentials to other attackers on underground forums.

Needless to say that avoiding becoming a victim is worth the trouble.

What can users do?

Besides listening to us telling you that you should not reuse passwords across multiple platforms, there are some other thing you can do.

Start using a password manager. They can help you create strong passwords and remember them for you. Some passwords managers can be tricky at first, but once you get the hang of them you will wonder how you ever managed without one.

Then find out which credentials are at risk. You can check for compromised accounts on the website Have I been pwned? You can find information on how to use that site in our article “Have I been pwnd?”– What is it and what to do when you *are* pwned. The credentials shown as pwned there are the first ones you need to change the password for.

When it comes to which steps to take if you suspect there might be identity theft at play, we recommend you read this post we wrote after the Equifax breach some years ago.

What should organizations do?

Something that would make all of our lives easier is if organizations made it impossible, or harder at least, to credential stuff their sites and services.

One effective safeguard is to implement and enforce multi-factor-authentication (MFA). However, this puts a big part of the burden on the customers since they will have to take the extra steps before they are logged in. Another method to protect customers is to prevent them from use compromised credentials. This functionality typically relies on third party vendors that compile credentials from known data breaches.

Other more user-friendly solutions are bot detection methods and application firewalls.

Bot detection methods can distinguish between human and bot traffic even when the bot traffic has been disguised. Bot detection can be event-based and identifies bots using network characteristics, device characteristics, and behavior characteristics. More complex bot detection methods use behavioral analysis and artificial intelligence to detect login attempts that are seen as abnormal.  A less complex method to distinguish between bots and humans are the well-known CAPTCHA challenges.

Web Application Firewalls (WAF) are often the first line of defense against malicious traffic. They can block or throttle multiple attempts from the same source or at the same account. They can also use blocklists based on known IP addresses that have recently engaged in attacks. Sophisticated credential stuffing attacks, however, are often able to circumvent most WAF security measures.

No more passwords

Recently, we’ve seen initiatives that strive towards more password-less authentication. On this site we have discussed alternatives to get rid of passwords for good, along with the possible downside of the bold move Microsoft made towards a password-less future.

As with most things in security, switching to a password-less authentication will have pros and cons. It’s likely to have a different outcome for different organizations, but it seems something that is at least worth thinking through.

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.