How Reusing Passwords Can Lead to Online Attacks

How Reusing Passwords Can Lead to Online Attacks article image.

You may have never heard of "credential stuffing" before, but it is fast becoming one of the more popular online attack methods used by cybercriminals. Last year, there were nearly 30 billion credential stuffing attempts, according to a report from cloud computing firm Akamai Technologies. And that activity is likely to increase as data breaches continue to hit vulnerable businesses.

What Is Credential Stuffing?

Credential stuffing occurs when criminals use large numbers of stolen email addresses and passwords from one site—usually as part of a data breach—to attempt to access other sites through high-volume attacks. That high volume would seem to make it easy for companies to see a visible spike in traffic, but criminals are smarter than that: They know how to make the attempts blend into normal traffic making it difficult for companies to notice anything unusual. And that's when your data gets used against you.

"The tools used to automate the attacks easily evade common defenses," says Chris Ryan, Experian senior fraud solutions business consultant. "Organizations that think they are protected are much more vulnerable than they realize."

How Big Is Credential Stuffing Fraud?

This type of fraud is on the rise due to the high volume of personal credentials compromised through data breaches and made available on the dark web for criminals to purchase. More than 446 million records were exposed in 2018, according to the Identity Theft Resource Center and CyberScout, which was a 126% increase from the previous year. And earlier this year, 2.2 billion personal credentials aggregated by hackers were made available in a single data dump on the dark web known as Collections 1-5. With new data breaches surfacing on a regular basis, credit stuffing fraud will likely continue to grow.

How to Protect Yourself From Credential Stuffing

Credential stuffing attacks are effective because consumers tend to reuse the same usernames and passwords across online sites. In fact, 81% of consumers report using the same credentials across multiple accounts. With that knowledge, cyber criminals can use your credentials to attempt to get into any number of your accounts, including bank accounts, credit card accounts and more.

While it may not be possible to completely protect your information from a credential stuffing attack, following these steps will make it more difficult for cyber thieves to steal your information.

  1. Check to see if your data has been compromised. You can check your free Experian credit report for errors or suspicious accounts. You can also run a free dark web scan as well to find out whether information like your Social Security number, phone number or email addresses is on the dark web. Two other free services that can tell you whether your personal data was part of a breach are Have I Been Pwned, where you can check whether your email address has been compromised, and Pwned Passwords to see whether your passwords have been exposed.
  2. Use unique passwords for every account. It's simple, but it's also the most important action you can take: Do not reuse passwords across accounts. It may be tempting to recycle passwords for convenience, but it makes identity theft a lot easier for hackers. See Experian's guide to secure passwords.
  3. Consider using a password manager. The average internet user has more than 200 digital accounts that require passwords, according to password management firm Dashlane, and they predict this number will double to 400 in the next five years. Managing that many passwords often leads consumers to fall back on simple and previously used passwords across multiple sites. Instead, consider using a password manager like LastPass, 1Password or Dashlane to keep track of all your passwords securely. You can always do it the old fashioned way and write them down too.
  4. Use multi-factor authentication. Using two-factor authentication these days is a must. This added security feature requires a unique code to be sent by a text message, a phone call or an email to allow you to log in to your account after entering your password. Even if your password is stolen, it prevents others from being able to log in to your account without the code.
  5. Delete unused accounts. If you haven't deleted an old social network account or email account you never use, you may want to. The more accounts you have open, the higher chance that you'll recycle an old password by mistake. Do an audit of the accounts you no longer use and determine whether there are some that you can delete.

You may also want to take time to learn more about identity theft issues and how to protect your personal information along with what to do after a data breach.

While credential stuffing shows no signs of going away, taking steps to secure your online personal information will give you an added layer of protection when data breaches occur.