Criminals have managed to hijack 1.1 million accounts at 17 companies by means of reused passwords, says New York Attorney General Letitia James. According to James, the accounts could be taken over through credential stuffing attacks. Credential stuffing uses previously leaked email addresses and passwords to gain automated access to accounts. Attackers check whether they can also log in to website B with login details that have been stolen from website A. The attack is only possible when users reuse their passwords. “Unfortunately, users reuse the same password for multiple online services. This makes it possible for cybercriminals to use passwords stolen from one company for other online accounts,” the ministry said. That monitored several online communities engaged in credential stuffing over a period of several months. The ministry discovered thousands of messages containing credentials that attackers had tested in credential stuffing attacks that could be used to sign into user accounts on websites and apps. Based on these messages, the ministry came up with a list of 17 well-known online stores, restaurant chains and food delivery services. In total, more than 1.1 million user accounts were compromised in credential stuffing attacks. The seventeen companies were informed about the compromised companies and called on to take measures, which have since been taken. Investigations of the affected companies found that most of the credential stuffing attacks had gone undetected. Following the investigation and the attacks, the ministry has published a document with advice to combat credential stuffing, such as detecting bots, using multi-factor authentication, passwordless authentication, web application firewalls and countering the reuse of compromised passwords.