Date: 2022-01-07

Cybercriminals are targeting New Yorkers who utilize the same username and password on more than one website or app, compromising their online accounts to view personal information or make fraudulent purchases, state Attorney General Letitia James said Friday in a consumer alert.

The cyberattacks, known as "credential stuffing," involve criminals attempting to log in to online accounts using credentials stolen from other online services. Specialized software enables hackers to generate and send tens of thousands of login attempts in rapid succession.

"With billions of stolen credentials floating around on the internet, credential stuffing attacks have the ability to hurt both businesses and consumers," James said. "Fortunately, consumers can help safeguard their online accounts against credential stuffing. As we work with businesses to better safeguard consumers’ private information, I encourage all New Yorkers to remain vigilant against these types of attacks and take the appropriate steps to protect their data and their wallets."

Credential stuffing, James said, is one of the most common forms of cyberattack. The operator of one large content delivery network reported that it witnessed more than 193 billion such attacks in 2020 alone, she said.

Virtually every website and app utilizes passwords to authenticate its users. But James said users often reuse the same passwords across multiple services, allowing cybercriminals to use login credentials stolen from one company for other online accounts.

Earlier this week, James announced that an investigation by her office identified more than 1.1 million online accounts that had been compromised in credential stuffing cyberattacks on 17 well-known companies. The AG's office alerted the companies so that passwords could be reset and consumers could be notified.

James also released a "Business Guide for Credential Stuffing Attacks" that details the attacks, which involve repeated, automated attempts to access online accounts using usernames and passwords stolen from other online services, and explains how businesses can protect themselves.

Among her recommendations:

Never reuse passwords. Consumers are encouraged to always create a unique password for each online account.

Use a password manager to keep track of passwords and automatically fill them in when logging in to a website or an app.

Enable two-factor authentication to provide an extra layer of security by requiring anyone logging in to an account to provide another credential, such as a one-time code sent by text or email.