The New York Office of the Attorney General (OAG) notified 17 well-known online retailers, restaurant chains and food delivery services that they had been the victims of credential stuffing attacks.


The investigation revealed that more than 1.1 million online accounts were compromised in cyberattacks. Attorney General James released a “Business Guide for Credential Stuffing Attacks” that details the attacks — which involve repeated, automated attempts to access online accounts using usernames and passwords stolen from other online services — and how businesses can protect themselves.


Over several months, the OAG monitored several online communities dedicated to credential stuffing. The OAG found thousands of posts containing customer login credentials that attackers had tested in a credential stuffing attack and confirmed could be used to access customer accounts at websites or on apps. From these posts, the OAG compiled credentials for compromised accounts at 17 well-known online retailers, restaurant chains and food delivery services. In all, the OAG collected credentials for more than 1.1 million customer accounts, all of which appeared to have been compromised in credential stuffing attacks.


Following the discovery of the attacks, the OAG alerted the relevant companies so that passwords could be reset and consumers could be notified. The OAG also worked with the companies to determine how attackers had circumvented existing safeguards and provided recommendations for strengthening their data security programs to secure customer accounts in the future. Over the course of the OAG’s investigation, nearly all companies implemented or made plans to implement additional safeguards.


“Credential stuffing attacks are old hat, and remain effective,” says Chris Olson, CEO at The Media Trust. “While consumers are responsible for their data, enterprises have a responsibility to safeguard it when input or surreptitiously collected via their websites/mobile apps. Taking ownership of how digital assets can harm consumers is critical to safeguarding consumer expectations of privacy and security. Those that have adopted digital trust and safety strategies are starting to see tangible results in their bottom line.”

