
Credential Stuffing

The recent compromise of the Seesaw Learning website and app has a lot of people asking me: What is credential stuffing? It’s a good question to know the answer to. Once you get it, you will also know how to keep your online accounts safer.

How Credential Stuffing Works

It begins with cybercriminals attacking and hacking an online website or company. When they gain access, they steal the login info for as many of that site's accounts as they can. They're looking for a list of email addresses and the corresponding passwords used on that site.

While this starts with the hack of one company, the stuffing happens elsewhere. These thieves are counting on one common tech mistake: People tend to use the same password for all of their online accounts. So if they steal login info from one site, the crooks are hoping those credentials will work on other websites.

These cybercriminals have a bit of programming skill. They take the stolen credentials and write a program (a bot) that tries each email/password combination at the login screen of another website. Whether they've stolen 500 logins or a million doesn't matter: they set their bots to stuff all of those logins into various other websites until one of the stolen combinations gets them into someone's account.
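What this looks like from the receiving site's side is a burst of logins that each try a different account once, almost all of them failing. The following is an added example (not code from the original post) of how a site operator might spot that pattern in its own authentication logs. The log format, the field names and the sample lines are constructed for illustration; the two IP addresses are documentation-range addresses, not real hosts, and the thresholds are assumptions to tune per site.

```python
"""Spotting credential-stuffing traffic in an authentication log.

Added example, not from the original post. Stuffing looks different from
a brute-force attack: one attempt per account across MANY accounts from
one source, with a very high failure rate, inside a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 198.51.100.7 behaves like a stuffing bot (one try
# each for ten accounts, nine failures, one hit). 203.0.113.5 is a normal
# user who mistypes twice and then signs in.
SAMPLE_LOG = """\
2022-09-14T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2022-09-14T10:00:09Z ip=203.0.113.5 user=alice@example.com result=FAIL
2022-09-14T10:00:15Z ip=203.0.113.5 user=alice@example.com result=OK
2022-09-14T10:01:00Z ip=198.51.100.7 user=bob@example.com result=FAIL
2022-09-14T10:01:01Z ip=198.51.100.7 user=carol@example.com result=FAIL
2022-09-14T10:01:01Z ip=198.51.100.7 user=dave@example.com result=FAIL
2022-09-14T10:01:02Z ip=198.51.100.7 user=erin@example.com result=FAIL
2022-09-14T10:01:02Z ip=198.51.100.7 user=frank@example.com result=OK
2022-09-14T10:01:03Z ip=198.51.100.7 user=grace@example.com result=FAIL
2022-09-14T10:01:03Z ip=198.51.100.7 user=heidi@example.com result=FAIL
2022-09-14T10:01:04Z ip=198.51.100.7 user=ivan@example.com result=FAIL
2022-09-14T10:01:04Z ip=198.51.100.7 user=judy@example.com result=FAIL
2022-09-14T10:01:05Z ip=198.51.100.7 user=mallory@example.com result=FAIL
"""


def parse_line(line):
    """Turn one 'TIMESTAMP key=value ...' line into a dict (constructed format)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": kv["ip"],
        "user": kv["user"],
        "ok": kv["result"] == "OK",
    }


def summarize_by_ip(log_text):
    """Per source IP: attempts, failures, distinct accounts tried, time span."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                 "users": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        s = stats[ev["ip"]]
        s["attempts"] += 1
        if not ev["ok"]:
            s["failures"] += 1
        s["users"].add(ev["user"])
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])
    return stats


def flag_stuffing(log_text, min_distinct_users=8, min_failure_ratio=0.8,
                  window=timedelta(minutes=10)):
    """Return {ip: details} for sources that look like stuffing bots.

    Thresholds are assumptions for the example; tune them to your traffic.
    A single user retrying their own password never trips the distinct-user
    threshold, which is what separates stuffing from ordinary typos.
    """
    flagged = {}
    for ip, s in summarize_by_ip(log_text).items():
        ratio = s["failures"] / s["attempts"]
        span = s["last"] - s["first"]
        if (len(s["users"]) >= min_distinct_users
                and ratio >= min_failure_ratio and span <= window):
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "failure_ratio": round(ratio, 2),
                "successes": s["attempts"] - s["failures"],
            }
    return flagged


def compromised_accounts(log_text):
    """Accounts that a flagged source logged into successfully.

    These are the reused passwords the bot got lucky with; they are the
    accounts to lock or force a password reset on.
    """
    bots = flag_stuffing(log_text)
    hits = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["ip"] in bots and ev["ok"]:
            hits.add(ev["user"])
    return hits


if __name__ == "__main__":
    print(flag_stuffing(SAMPLE_LOG))
    print(compromised_accounts(SAMPLE_LOG))
```

The point of the second function is the one this post makes for users: the bot's rare successes are exactly the accounts whose owners reused a password that leaked somewhere else, so they are the ones a site should reset and notify first.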

What You Need To Do

You cannot predict or prevent this kind of attack, because it is launched against the companies you use. You are not the initial target. But you can protect your other accounts from collateral damage. It’s very simple: Always use a different password with each account you create.

OK, maybe it’s not that simple to do, but it is simple to state. No one likes this advice, because passwords are such a tedious burden to most internet users. But if you can improve your habits and avoid password re-use, then credential stuffing attacks will not affect you as much as other people. If your password is stolen from one website, it will not do the crooks any good when they try to use it elsewhere!

Additionally, turning on two-factor authentication (2FA) can further protect your accounts against password theft. But not all sites offer 2FA, so using unique passwords remains the best defense.

Coping with Too Many Passwords

Maintaining unique passwords is about as fun as remembering to floss. But it could make a big difference someday. There’s always another big hack about to happen, and you’re going to wake up one morning to find that your bank or your favorite store is involved in the latest tech debacle. That awful cybercrime news won’t affect you as much, if you have good security practices in place.

As you set passwords for online accounts, your browser may recommend unique passwords and offer to save them for you. This is a solid tool and fairly reliable. If you need to look up a particular password, you can find it in your browser's options menu under the saved passwords list. This is how I manage my 700+ passwords, in Google Chrome and Microsoft Edge.

You might also consider using a password manager program, and there are many of them out there. Some are free; others charge an annual fee. LastPass, Roboform, KeePass and Bitwarden are some trustworthy password managers.

Using an Excel spreadsheet or a “little black book” is also acceptable. I see plenty of folks using these methods, and I don’t criticize it if it is working well for them.

Have I Been Pwned?

Data breaches are so frequent that it's quite likely your email or phone number has been involved in one. It's usually not your fault. When hackers get through a big company's security, they may take a copy of whatever valuable account data they can. That can include your name, email, phone number, password…

Even worse, many companies don't report their data breaches. It would be considerate of them to do so, but they often don't want to draw attention to their failure. Some examples: Facebook had a data breach not too long ago in which 500M+ user accounts were exposed, and they have no plans to notify those users. Apple was compromised in 2015, and they only discussed notifying the 128M affected customers. But they dropped the ball and never reached out to their end users.

To help you know when your account info has been leaked or stolen, use the Have I Been Pwned website. Created and maintained by a respectable Microsoft employee, HIBP is a free resource that will tell you if your info has been compromised anywhere on the web. Simply enter an email address or a phone number. HIBP will then tell you which data breaches that info was involved in.

If and when you find out where your info was exposed, HIBP will recommend a password management program (1Password). You can try that or stick with another method of managing passwords; it's up to you. What's important is that you have a system where you use a unique password for each website you log into.

And once HIBP tells you of any companies and their relevant data breaches, go to those websites and CHANGE YOUR PASSWORD! Or, if you are sure you won’t use that website again, you might look for a way to close your account there.

Lastly, you can also subscribe on the HIBP website to receive notifications of future data breaches involving you. If your email or phone number turns up in next month's big data breach, HIBP will shoot you an email, even if the problem fails to make the morning news.
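Beyond the email and phone lookups described above, HIBP also runs a Pwned Passwords service that lets a site or a password manager check whether a specific password has appeared in a known breach, without the password itself ever leaving your machine. The client hashes the password with SHA-1, sends only the first five hex characters of the hash to https://api.pwnedpasswords.com/range/{prefix}, gets back every known hash suffix under that prefix (one "SUFFIX:COUNT" per line), and finishes the match locally. The following is an added example of that client logic, not HIBP's own code: the FAKE_RANGES data is a constructed stand-in for the server so the example runs offline (the breach count it contains is made up), and fetch_range_live() shows the real request if you want to wire it up.

```python
"""Checking a password against HIBP Pwned Passwords with k-anonymity.

Added example, not from the original post and not HIBP's own client. Only
a 5-character hash prefix is sent; the server cannot learn which of the
hundreds of suffixes under that prefix you were actually interested in.
"""
import hashlib
import urllib.request

# Constructed stand-in for the server's range responses, in the real
# "SUFFIX:COUNT" line format. The suffix below is the tail of
# SHA-1("password"); the count is made up for illustration.
FAKE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68F00:2\n"
    ),
}


def fetch_range_fake(prefix):
    """Offline stand-in: return the constructed response for a prefix."""
    return FAKE_RANGES.get(prefix, "")


def fetch_range_live(prefix):
    """Real lookup against the HIBP range API (needs network access)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "example-password-checker"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, as the service expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, fetch_range=fetch_range_fake):
    """How many times the password has been seen in breaches (0 = not found).

    Only digest[:5] is sent to fetch_range; the full digest stays local.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw)
        verdict = f"seen {n} times in breaches" if n else "not found"
        print(f"{pw!r}: {verdict}")
```

A password that comes back with a non-zero count is already on the lists that stuffing bots are built from, so it should be retired everywhere it is used, not just on the site where you checked it.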

© 2022 BlueScreen Computer
