More than one million online accounts across 17 well-known companies were the victim of hacking attempts that reused previously stolen passwords swirling around the internet, New York’s top law enforcement officer said on Jan 5.

The ruse, known as a “credential stuffing attack”, involves a cyber criminal trying to repeatedly access someone’s account by deploying user names and passwords that were previously made public. User names and passwords are sometimes posted or sold on the dark web or hacking forums after being stolen in cyberattacks.

Attorney General Letitia James said hackers take advantage of the fact that people tend to re-use passwords across multiple sites. In a credential-stuffing attack, the hacker may submit hundreds of thousands, or even millions of login in attempts using specialised software.

James said more than 15 billion stolen credentials are currently in circulation, putting those users’ personal information “in jeopardy”. She said her office worked with the 17 firms, which weren’t named, to help shore up their cybersecurity, protect their customers and further understand how the attacks occurred.

The attorney general’s office spent months monitoring online communities dedicated to credential stuffing and found thousands of posts that contained customer login credentials that hackers had tested for attacks. From those posts, state officials compiled credentials to compromised accounts at 17 well-known online retailers, restaurant chains and food delivery services. – Bloomberg