Paul's Insights: The danger of stolen data

Mention cyberattacks, and we often think of dodgy malware that infects entire computer systems. But for cyber-crims, malware is yesterday’s news. ‘Credential stuffing’ is the latest trend among cyber-thieves.

In mid-March the Australian Federal Police arrested a Sydney man who had allegedly made $300,000 selling account details including email addresses and usernames for subscribers of various websites.

The man is believed to have got hold of these details through a process known as credential stuffing.

In simple terms, credential stuffing involves a hacker feeding thousands or millions of stolen username and password combinations (obtained on the black market) into multiple websites to see if any of the details match a live account.

If the hackers are able to log in successfully, they can pull out personal information to sell on the dark web. Long story short, it can open the door to identity theft, or worse, having your bank account cleaned out.

There’s not much companies can do to combat credential stuffing – hackers aren’t trying to break through security systems, they’re just entering login details from other websites.

Consumers are vulnerable to these attacks because of our habit of using the same password across multiple sites. A 2018 US study found 52% of consumers use the same or very similar passwords for different sites and services.

How can you protect yourself from these attacks?

The most important step is to use distinctly different password and username combinations for all your online accounts. If one company you have an account with experiences a data breach, all of your accounts that share the same username/password combination could be in jeopardy.

If you have a lot of online accounts, which many of us do nowadays, consider a password manager to help you keep track of the details.

Where two factor authentication is offered, take advantage of it. This is where you enter a password plus a code that your service provider sends via SMS. Plenty of banks are offering two factor authentication, and it can provide additional protection in the event of a network attack.

It’s also worth paying attention to news of major data breaches. In February, Dunkin Donuts in the US reported a credential stuffing attack. A few weeks earlier social site Reddit was breached. If a company you have an account with experiences a data breach, do not waste time in changing your passwords.

Paul Clitheroe is Chairman of InvestSMART, Chairman of the Australian Government Financial Literacy Board and chief commentator for Money Magazine.