"Impersonation and deception are illegal under New York law," said Eric Schneiderman.
The company, Devumi, stands accused of stealing real people's identities, which it denies, according to the New York Times.
The paper linked the "follower factory" to a host of celebrity accounts.
The New York Times published an in-depth report on Devumi on Saturday, including interviews with people who alleged their account details and profile pictures had been copied to create realistic "bots".
It is alleged that others who wanted to increase their follower count, including actors, entrepreneurs and political commentators, could then pay to be followed by the bots.
On social media, high follower accounts boost influence, which can impact public opinion, or bring advantages, such as job offers or sponsorship deals, to account holders.
Mr Schneiderman said he was concerned that such "opaque" operations were undermining democracy.
On its website, Devumi offers customers the chance to order up to 250,000 Twitter followers, with prices starting at $12 (£8.50). Clients can also buy "likes" and retweets.
The company sells followers on a range of other platforms, including Pinterest, LinkedIn, Soundcloud and YouTube.
"Devumi has helped over 200,000 businesses, celebrities, musicians, YouTubers and other pros gain more exposure and make a big impact to their audience," says its website.
The company is registered at a New York City address, although the New York Times alleged it is a front, with its actual offices in Florida and it also employs workers in the Philippines.
Twitter has responded to the investigation, saying it is working to stop Devumi and similar companies.
In the past, Twitter has been accused of not taking the problem seriously enough. It has often dismissed bot investigations as "inaccurate and methodologically flawed".
The platform does allow automated accounts, but it strictly prohibits them being bought or sold. It says it will suspend accounts that are found to have purchased followers, retweets or likes. However, a representative told the New York Times it rarely does this in practice, as it is hard to prove.
The report alleges that Devumi has a stock of at least 3.5 million automated accounts, many of which are sold repeatedly.
It alleges at least 55,000 of the accounts "use the names, profile pictures, hometowns and other personal details of real Twitter users, including minors".
"These accounts are counterfeit coins in the booming economy of online influence, reaching into virtually any industry where a mass audience — or the illusion of it — can be monetized. Fake accounts, deployed by governments, criminals and entrepreneurs, now infest social media networks," they wrote.
Whose accounts have been linked?
The New York Times found many well-known Twitter accounts have followers from the Devumi "factory". It said the company's clients covered the political spectrum, from liberal cable pundits to a reporter at the right-wing site Breitbart and an editor at China's state-run news agency, Xinhua.
Martha Lane Fox: Entrepreneur and member of the UK's House of Lords
Martha Lane Fox's Twitter account showed "a series of follower purchases spanning more than a year", including a 25,000-follower boost days after she became a Twitter board member in April 2016. She told the New York Times a "rogue employee" was responsible.
Paul Hollywood: British TV chef
The investigation showed Devumi-managed bots following Paul Hollywood's official Twitter profile. Shortly after the paper emailed him to ask questions, his account was deleted.
Hilary Rosen: political commentator
The CNN contributor has paid for over 500,000 Twitter followers - although most have been deleted. She said it was "an experiment I did several years ago to see how it worked".
Randy Bryce: US ironworker turned politician
On Saturday, Mr Bryce - who is trying to unseat Republican Paul Ryan in Congress - said, on Twitter, that he bought the followers as an experiment in 2015, when he was a blogger.