Tech & Sourcing @ Morgan Lewis


We have heard time and time again that we should not reuse passwords across accounts—if a cybercriminal were to obtain access to the password of one account, they could then use such password to access multiple accounts. This use of stolen passwords and other credentials has led to a rise in credential stuffing attacks. A new guide released this month by New York Attorney General Letitia James investigates the rise in credential stuffing attacks and best practices designed to prevent such attacks.

What is a credential stuffing attack?

A credential stuffing attack uses stolen usernames and passwords to repeatedly attempt to log into online accounts. Cybercriminals often use free, automated software or “bots” that are capable of cycling through hundreds or even millions of login attempts simultaneously without manual input. Once a cybercriminal successfully logs into an account, they can make purchases using a credit card saved to the account, steal a gift card saved to the account, use the customer’s data saved to the account in a phishing attack, or sell the login credentials to another individual. For companies, these attacks can lead to disclosure obligations under state breach notification laws.

What actions can companies take to protect customers from credential stuffing attacks?

The attorney general’s guide describes safeguards that companies can implement designed to protect their customers from credential stuffing attacks. Some of these safeguards include the following:

  • Use of Bot Detection: Bot detection software, which can be developed in house or licensed from a third party, is designed to identify and block bot-generated internet traffic. It should be noted that bot detection software is different from CAPTCHA systems—which are challenge response tests used to determine whether a user is human—and is more effective, as software has become better at solving many CAPTCHA challenges.
  • Use of Multi-Factor Authentication: Multi-factor authentication (MFA) requires a user to present two or more credentials in order to log into their account. The credentials must come from two or more of the following categories: (1) something the user knows (e.g., a password); (2) something the user has (e.g., a mobile phone); or (3) something the user is (e.g., a fingerprint).
  • Use of Passwordless Authentication: Passwordless authentication uses an authentication method other than a password, such as an authenticator app, or a one-time code sent by SMS. This method of accessing an account is less common than the use of MFA.
  • Monitoring Customer Activity: Businesses should consider implementing processes to systematically monitor customer traffic on their customer’s accounts, as bot activity leads to spikes in traffic. A good practice is to have the monitoring at least partially automated.
  • Reauthentication at the Time of Purchase: Although many companies save payment information for easy checkout, a good practice is to require customers to re-authenticate the stored payment information (e.g., reentering the credit card number). This practice can also be extended to other methods of payment such as gift cards and loyalty points.

For more information about credential stuffing attacks, including additional safeguards to consider implementing, review the attorney general’s guide.