The Times Australia
The Times World News

.
The Times Real Estate

.

What is credential stuffing and how can I protect myself? A cybersecurity researcher explains

  • Written by David Tuffley, Senior Lecturer in Applied Ethics & CyberSecurity, Griffith University
What is credential stuffing and how can I protect myself? A cybersecurity researcher explains

Cyber-skulduggery is becoming the bane of modern life. Australia’s prime minister has called it a “scourge[1]”, and he is correct. In 2022–23, nearly 94,000 cyber crimes were reported[2] in Australia, up 23% on the previous year.

In the latest high-profile attack[3], around 15,000 customers of alcohol retailer Dan Murphy, Mexican restaurant chain Guzman y Gomez, Event Cinemas, and home shopping network TVSN had their login credentials and credit card details used fraudulently to buy goods and services in what is known as a “credential stuffing[4]” attack.

So what is credential stuffing – and how can you reduce the risk of it happening to you?

A Dan Murphy's liquor store sign reflects golden sunlight.
Many customers of alcohol retailer Dan Murphy are among those hit by the latest round of credential stuffing cyber attacks. ArliftAtoz2205/Shutterstock[5]

Read more: An expert reviews the government’s 7-year plan to boost Australia’s cyber security. Here are the key takeaways[6]

Re-using the same login details

Credential stuffing is a type of cyber attack where hackers use stolen usernames and passwords to gain unauthorised access to other online accounts.

In other words, they steal a set of login details for one site, and try it on another site to see if it works there too.

This is possible because many people use the same username and password combination across multiple websites.

It is common for people to use the same password[7] for multiple accounts (even though this is very risky).

Some even use the same password for all their accounts. This means if one account is compromised, hackers can potentially access many (or all) their other accounts with the same credentials.

‘Brute force’ attacks

Hackers purchase job lots of login credentials (obtained from earlier data breaches[8]) on the “dark web[9]”.

They then use automated tools called “bots” to perform credential stuffing attacks. These tools can also be purchased on the dark web.

Bots are programs that perform tasks on the internet much faster and more efficiently than humans can.

In what is colourfully termed a “brute force” attack, hackers use bots to test millions of username and password combinations on different websites until they find a match. It’s easier and quicker than many people realise.

It is happening more often because the barrier to entry for would-be cybercriminals has never been lower. The dark web is readily accessible and the resources needed to launch attacks are available to anyone with cryptocurrency to spend and the will to cross over to the dark side.

How can you protect yourself from credential stuffing?

The best way is to never reuse passwords across multiple sites or apps. Always use a unique and strong password for each online account.

Choose a password or pass phrase that is at least 12 characters long, is complex, and hard to guess. It should include a mix of uppercase and lowercase letters, numbers, and symbols. Don’t use pet names, birthdays or anything else that can be found on social media.

You can use a password manager[10] to generate unique passwords for all your accounts and store them securely. These use strong encryption and are generally regarded as pretty safe.

Another way to protect yourself from credential stuffing is to enable two-factor authentication (2FA) for your online accounts.

Two-factor authentication is a security feature that requires you to enter a code or use a device in addition to your password when you log in.

This adds an extra layer of protection in case your password is stolen. You can use an app[11], a text message, or a hardware device[12] (such as a little “key” you plug into a computer) to receive your two-factor authentication code.

Monitor your online accounts regularly to look for any suspicious activity. You can also check if your email or password has been exposed in a data breach by using the website Have I Been Pwned[13].

You may be surprised by what you see. If you do discover your login details on there, use this as a timely warning to change your passwords as soon as possible.

Have your passwords and login details been exposed in a data breach? Tada Images/Shutterstock[14]

Read more: What is LockBit, the cybercrime gang hacking some of the world's largest organisations?[15]

Eternal vigilance

In today’s world of rising cyber crime, your best defence against credential stuffing and other forms of hacking is vigilance. Be proactive, not complacent about online security.

Use unique passwords and a password manager, enable two-factor authentication, monitor your accounts, and check breach notification sites (like Have I Been Pwned).

Remember, the recent attacks on Dan Murphy, Guzman y Gomez and others show how readily our online lives can be disrupted. Don’t let your credentials become another statistic. As you are reading this, the criminals are thinking up new ways to exploit our vulnerabilities.

By adopting good digital hygiene and effective security measures, we can take back control of our online identities.

Read more: An AI-driven influence operation is spreading pro-China propaganda across YouTube[16]

References

  1. ^ scourge (www.news.com.au)
  2. ^ reported (www.cyber.gov.au)
  3. ^ attack (www.cyberdaily.au)
  4. ^ credential stuffing (owasp.org)
  5. ^ ArliftAtoz2205/Shutterstock (www.shutterstock.com)
  6. ^ An expert reviews the government’s 7-year plan to boost Australia’s cyber security. Here are the key takeaways (theconversation.com)
  7. ^ same password (us.norton.com)
  8. ^ data breaches (www.oaic.gov.au)
  9. ^ dark web (en.wikipedia.org)
  10. ^ password manager (www.forbes.com)
  11. ^ app (au.pcmag.com)
  12. ^ hardware device (www.nytimes.com)
  13. ^ Have I Been Pwned (haveibeenpwned.com)
  14. ^ Tada Images/Shutterstock (www.shutterstock.com)
  15. ^ What is LockBit, the cybercrime gang hacking some of the world's largest organisations? (theconversation.com)
  16. ^ An AI-driven influence operation is spreading pro-China propaganda across YouTube (theconversation.com)

Read more https://theconversation.com/what-is-credential-stuffing-and-how-can-i-protect-myself-a-cybersecurity-researcher-explains-221401

The Times Features

Brisbane Water Bill Savings: Practical Tips to Reduce Costs

Brisbane residents have been feeling the pinch as water costs continue to climb. With increasing prices, it's no wonder many households are searching for ways to ease the burde...

Exploring Hybrid Heating Systems for Modern Homes

Consequently, energy efficiency as well as sustainability are two major considerations prevalent in the current market for homeowners and businesses alike. Hence, integrated heat...

Are Dental Implants Right for You? Here’s What to Think About

Dental implants are now among the top solutions for those seeking to replace and improve their teeth. But are dental implants suitable for you? Here you will find out more about ...

Sunglasses don’t just look good – they’re good for you too. Here’s how to choose the right pair

Australians are exposed to some of the highest levels[1] of solar ultraviolet (UV) radiation in the world. While we tend to focus on avoiding UV damage to our skin, it’s impor...

How to Style the Pantone Color of the Year 2025 - Mocha Mousse

The Pantone Color of the Year never fails to set the tone for the coming year's design, fashion, and lifestyle trends. For 2025, Pantone has unveiled “Mocha Mousse,” a rich a...

How the Aussie summer has a profound effect on 'Climate Cravings’

Weather whiplash describes the rollercoaster-like shifts in weather we’ve experienced this summer —a blazing hot day one moment, followed by an unexpectedly chilly or rainy tur...

Times Magazine

HYROX - the World Series of Fitness Racing Arrives Down Under

The Fitness Competition for Everybody – Sydney 12 Aug and Melbourne 26 Aug  The world's fastest growing indoor fitness competition, HYROX, is ready to hit  Australian shores with its signature spectacle of endurance, fitness, and human achieveme...

Protecting Stray Cats in Your Community

Stray cats are a common sight in many neighbourhoods in Melbourne and all around Australia. These feline wanderers, often abandoned or born on the streets, struggle to survive in the harsh urban environment. Many of them face dangers such as traf...

How to Optimize Your Dust Collector’s Performance with the Right Filter Cartridge

The filter cartridge is one of the critical components of your dust collector system, and the efficiency of your system depends largely on it. The type of cartridge used in the dust collection system can significantly influence its performance, cos...

The Paddle Board Offers the Ultimate Adventure

Types of Paddle Boards  Paddle boarding is one of the most popular outdoor activities and it is no surprise why. It’s a great way to explore nature, get some exercise, and just have fun! But before you invest in a paddle board, it’s essential to ...

Managing Your Online Reputation: Strategies for Removing Negative Content

Maintaining a positive online reputation is crucial for individuals and businesses in today's digital age. However, negative content such as negative reviews, defamatory posts, or outdated information can tarnish your reputation and harm your credi...

TWS Andes Earbuds with Active Noise Cancelling

TWS Andes Earbuds with ANC Boasting the most up-to-the-minute Dual Mic Active Noise Cancelling (ANC), the EFM TWS Andes Earbuds offer complete peace as well as peace of mind. The TWS Andes are sweat and dust-resistant IP54 rated and equi...

LayBy Shopping