Jackson Lewis P.C.
Workplace Privacy, Data Management & Security Report

Preventing “Credential Stuffing” Attacks, Guidance from NY State Attorney General Letitia James

By Joseph J. Lazzarotti on January 10, 2022
Posted in Consumer Privacy, Data Breach Notification, Data Security, Identity Theft, Incident Response Planning, Information Risk, Written Information Security Program

After reading New York Attorney General Letitia James’ Business Guide for Credential Stuffing Attacks (“Guide”), I promptly reminded my family (and myself!) to change passwords. Reusing the same password across multiple online accounts is a practice that most, if not all, of us fall into from time to time. According to a recent study, the average person has 100 passwords to remember! While individuals can be more personally responsible about their password management, there is a growing emphasis on what organizations can be doing. That is the focus of AG James’ report.

It is unclear whether, or to what extent, the New York Attorney General’s office will increase its investigation and enforcement of incidents involving credential stuffing. However, organizations should be reminded of the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), whose data security requirements took effect March 21, 2020. In short, the SHIELD Act requires businesses to adopt reasonable safeguards to protect the personal information of New York residents. The law empowers the AG to obtain civil penalties. For knowing or reckless failures to provide required breach notifications, a court may impose a penalty of the greater of $5,000 or up to $20 per instance of failed notification, capped at $250,000. For violations of the reasonable safeguards requirement, a court may impose penalties of not more than $5,000 per violation. For more information on the SHIELD Act, please see our FAQs.

What is “credential stuffing”?

Cyber criminals know we juggle many passwords. They also know we juggle a lot of other things and may not have the best cyber hygiene, so we reuse the same credentials across multiple online accounts to make remembering easier. That is what “credential stuffing” exploits. This form of cyberattack involves repeated, automated attempts to log in to online accounts using username and password pairs stolen from other online services; a pair that worked at one service is simply replayed against many others. So, when you hear news reports about a data breach involving the exfiltration of online account credentials belonging to thousands or millions of users, it is that information, as one example, that is used in these attacks on other accounts.

What do attackers do when successful at credential stuffing?

Only a small fraction of attempts succeed, so attackers compensate with volume. They typically rely on readily available software that submits hundreds of thousands of login attempts, each with a different stolen credential pair, without human intervention.
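The volume and the one-source-many-usernames shape of that automated traffic is what a login endpoint can key on. The following is an added example, not code from the Guide or from this post, of a simple in-process login gate that tracks a sliding window of attempts per source address and of failures per account, and that answers “allow”, “challenge” (send the request through a bot check or MFA step) or “block” before the password is ever checked. The thresholds, the address ranges and the two traffic simulations are constructed for the example.

```python
from collections import defaultdict, deque

# Thresholds below are illustrative assumptions for the example, not figures
# from the OAG Guide; tune them against your own traffic.
IP_WINDOW_SEC = 60          # sliding window for per-source-address counters
IP_MAX_ATTEMPTS = 20        # attempts from one address per window before a challenge
IP_MAX_DISTINCT_USERS = 5   # distinct usernames from one address per window
ACCT_WINDOW_SEC = 900       # sliding window for per-account failure counters
ACCT_MAX_FAILURES = 5       # failed logins per account per window before refusing


class LoginGate:
    """Decides, before the password is checked, whether an attempt may proceed
    ("allow"), must first pass a bot/MFA challenge ("challenge"), or is refused
    ("block"). State is kept in memory here; a real deployment shares it across
    web nodes (for example in Redis) so a bot cannot dodge it via load balancing."""

    def __init__(self):
        self._by_ip = defaultdict(deque)    # ip -> deque of (ts, username)
        self._fails = defaultdict(deque)    # username -> deque of ts

    @staticmethod
    def _expire(dq, now, window, ts_of=lambda entry: entry):
        # Drop entries that have fallen out of the sliding window.
        while dq and now - ts_of(dq[0]) > window:
            dq.popleft()

    def decide(self, ip, username, now):
        ip_dq = self._by_ip[ip]
        self._expire(ip_dq, now, IP_WINDOW_SEC, ts_of=lambda entry: entry[0])
        ip_dq.append((now, username))
        distinct_users = len({u for _, u in ip_dq})

        acct_dq = self._fails[username]
        self._expire(acct_dq, now, ACCT_WINDOW_SEC)

        if len(acct_dq) >= ACCT_MAX_FAILURES:
            return "block"      # this account is being hammered: stop the guessing
        if distinct_users >= IP_MAX_DISTINCT_USERS or len(ip_dq) > IP_MAX_ATTEMPTS:
            return "challenge"  # one source, many usernames: the stuffing signature
        return "allow"

    def record_failure(self, username, now):
        """Call after a password check fails (only for attempts that were allowed)."""
        self._fails[username].append(now)


def simulate_stuffing_burst():
    """Constructed traffic: one address replays eight leaked username/password
    pairs within eight seconds, then an unrelated user logs in from elsewhere."""
    gate = LoginGate()
    decisions = []
    for i in range(8):
        user = f"user{i}@example.com"
        d = gate.decide("203.0.113.7", user, now=100 + i)
        decisions.append(d)
        if d == "allow":
            gate.record_failure(user, now=100 + i)   # the leaked password was wrong
    legit = gate.decide("198.51.100.9", "alice@example.com", now=110)
    return decisions, legit


def simulate_single_account_spray():
    """Constructed traffic: six different addresses each try one password for
    the same account (a proxy-rotated attack); the per-account counter catches it."""
    gate = LoginGate()
    decisions = []
    for i in range(6):
        d = gate.decide(f"203.0.113.{10 + i}", "bob@example.com", now=200 + i)
        decisions.append(d)
        if d == "allow":
            gate.record_failure("bob@example.com", now=200 + i)
    return decisions


if __name__ == "__main__":
    print(simulate_stuffing_burst())
    print(simulate_single_account_spray())
```

Two caveats a practitioner would add. First, attackers rotate through proxy pools, so a per-address counter only catches the careless ones; the per-account failure counter and signals such as device fingerprint or ASN are what catch the distributed case. Second, a hard per-account “block” can be turned into a denial of service against legitimate users (an attacker only has to fail five times on purpose), which is why many deployments answer that condition with a challenge (CAPTCHA or MFA) rather than a refusal.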

When they are successful, they can gain access to very sensitive information maintained in the account, including the account holder’s name, address, purchase history, payments information, the name and addresses of other individuals connected to the account holder, etc. As the Guide explains, with that access, the attackers can, for example:

make fraudulent purchases using the customer’s saved credit card, steal and sell a gift card that the customer has saved on the account, use customer data stolen from the account in a phishing attack, or simply sell the login credentials to another individual on the dark web.

Why is the NY Attorney General concerned about “credential stuffing”?

Recognizing that credential stuffing attacks have resulted in significant costs to businesses and consumers, the Office of the New York State Attorney General (OAG) launched an investigation to better understand the impact of credential stuffing. During the investigation, the OAG monitored online communities dedicated to credential stuffing and found thousands of posts containing valid login credentials. Members of these communities were free to use these valid credentials to break into the customer accounts themselves, or to use them for their own credential stuffing attacks on other companies’ websites and apps.

After reviewing thousands of posts, the OAG compiled login credentials for customer accounts at 17 well-known companies, which included online retailers, restaurant chains, and food delivery services. In all, the OAG collected credentials for more than 1.1 million customer accounts, all of which appeared to have been compromised in credential stuffing attacks.

In the course of the investigation, and while working with the companies to address the findings, the OAG was able to review and evaluate the effectiveness of a wide range of safeguards against credential stuffing. It compiled a non-exhaustive list of those safeguards in the Guide, recognizing that not every safeguard is appropriate for every business. However, the OAG recommends that every business maintain effective safeguards for defending against unauthorized access to customer accounts through credential stuffing attacks.

What should organizations do to prevent credential stuffing?

First, it is important to recognize this is not just a concern for “businesses” or for-profit entities like the group of entities the OAG identified above. Many, if not most, organizations with an online presence use an online account or similar means to stay in touch with their customers, students, members, donors, employees, or other constituents. It is entirely possible for an individual to use the same username and password for accounts maintained with their favorite charity, their online email account, a local restaurant, and their Amazon Prime account. Of course, as suggested above, this practice should be avoided!

When organizations set out to prevent credential stuffing, they should evaluate which safeguards to implement in the context of their own operations, considering factors like (i) the size and complexity of the organization, (ii) the volume and sensitivity of personal information that it maintains, (iii) the risk and scale of injury should that information be compromised, and (iv) the software and systems that are already in use. These are similar to factors we see repeatedly when applying many data security frameworks.

The OAG reminds organizations that the effectiveness of the safeguards available to prevent credential stuffing will likely change over time as attackers adopt new tactics. So, organizations need to continue to be vigilant and update their approaches as these changes occur.

For organizations that maintain online accounts, the Guide calls for them to adopt a data security program with effective safeguards in four areas:

  1. Defending against credential stuffing attacks, with safeguards such as:
    • Bot detection
    • Multifactor authentication
    • Passwordless authentication
  2. Detecting a credential stuffing breach, with safeguards such as:
    • Monitoring user activity
    • Promptly addressing reports of fraud
  3. Preventing fraud and misuse of customer information, with safeguards such as:
    • Reauthentication at point of purchase
    • Third party fraud detection
    • Mitigating social engineering
  4. Responding to a credential stuffing incident:
    • Investigation
    • Remediation
    • Notification
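The “monitoring user activity” safeguard in area 2 and the “investigation, remediation, notification” steps in area 4 meet in the authentication log: the same aggregation that flags a stuffing source also tells you which accounts it got into. The following is an added example, not code from the Guide or from this post, of that detection run over a handful of constructed log lines (the log format, addresses and usernames are invented for the example). It buckets attempts by source address and time window, flags sources that try many distinct usernames with a high failure rate, and lists the successful logins from those sources as the accounts that need a forced credential reset and a notification to their owners.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample authentication log (invented format and addresses; not
# from the OAG Guide or any real system). One address cycles through eight
# different usernames in five seconds and gets two of them right.
SAMPLE_LOG = """\
2022-01-08T02:14:01Z login src=203.0.113.7 user=ann@example.com result=fail
2022-01-08T02:14:02Z login src=203.0.113.7 user=bob@example.com result=fail
2022-01-08T02:14:02Z login src=203.0.113.7 user=carl@example.com result=fail
2022-01-08T02:14:03Z login src=203.0.113.7 user=dee@example.com result=success
2022-01-08T02:14:03Z login src=203.0.113.7 user=eve@example.com result=fail
2022-01-08T02:14:04Z login src=203.0.113.7 user=fay@example.com result=fail
2022-01-08T02:14:05Z login src=203.0.113.7 user=gus@example.com result=success
2022-01-08T02:14:05Z login src=203.0.113.7 user=hal@example.com result=fail
2022-01-08T09:30:11Z login src=198.51.100.9 user=ann@example.com result=fail
2022-01-08T09:30:20Z login src=198.51.100.9 user=ann@example.com result=success
2022-01-08T10:02:44Z login src=192.0.2.33 user=carl@example.com result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse(log_text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def find_stuffing_sources(events, window_sec=300, min_distinct_users=5, min_fail_ratio=0.6):
    """Bucket attempts by (source address, fixed time window) and flag sources that
    try many distinct usernames with a high failure rate. Thresholds are
    illustrative assumptions, not values from the Guide."""
    buckets = defaultdict(list)
    for ev in events:
        bucket = int(ev["ts"].timestamp()) // window_sec
        buckets[(ev["src"], bucket)].append(ev)

    flagged = {}
    for (src, _), evs in buckets.items():
        users = {ev["user"] for ev in evs}
        fails = sum(ev["result"] == "fail" for ev in evs)
        fail_ratio = fails / len(evs)
        if len(users) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[src] = {
                "attempts": len(evs),
                "distinct_users": len(users),
                "fail_ratio": round(fail_ratio, 2),
                # Successful logins from a stuffing source are the accounts that
                # now need investigation, credential reset and owner notification.
                "hits": sorted(ev["user"] for ev in evs if ev["result"] == "success"),
            }
    return flagged


def compromised_accounts(flagged):
    """Accounts to treat as compromised: every success from a flagged source."""
    return {user for info in flagged.values() for user in info["hits"]}


if __name__ == "__main__":
    found = find_stuffing_sources(parse(SAMPLE_LOG))
    for src, info in found.items():
        print(src, info)
    print("reset + notify:", sorted(compromised_accounts(found)))
```

Per-address bucketing catches the loud case. A campaign spread across a rotating proxy pool shows up instead as a site-wide rise in the failure rate and in logins from addresses and devices an account has never used before, so the same aggregation is worth repeating keyed on user agent, ASN or device fingerprint, and on each account’s own history.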

Several of these safeguards should look familiar to organizations that have been developing and/or maintaining information security policies and procedures. However, the Guide goes into more detail on each one, providing a helpful roadmap and explaining how each relates to credential stuffing. Of course, as noted, organizations should evaluate which of these are appropriate considering their particular circumstances. It also is worth noting that many of these safeguards have benefits beyond credential stuffing prevention.

Tags: Attorney General, credential stuffing, credentials, incident response plan, mfa, multifactor authentication, New York Attorney General Letitia James, New York SHIELD Act, online account, password, SHIELD, verification