On 5 January 2022, the Office of the New York State Attorney General published the Business Guide for Credential Stuffing Attacks, which gives businesses guidance on protecting themselves from one specific type of cyber attack: credential stuffing. In these attacks, credentials such as passwords stolen from a user account on one platform are tried against accounts on another platform, on the assumption that users reuse the same password across multiple accounts. The Guide suggests techniques such as bot detection, multi-factor authentication, and passwordless authentication as means of protection. It further suggests safeguards for breach detection and for preventing misuse of information, as well as best practices for incident response.