Credential Stuffing: Password Hacking Methods You Need to Avoid


If you need a reason not to reuse the same username and password for your online accounts (and there are many reasons), you might start with improving your chances of avoiding a specific but very common type of cybercrime: credential stuffing attacks.

Credential stuffing is a form of brute force password attack that takes advantage of people reusing login information, or credentials, across multiple accounts.

According to Atlas VPN's 2020 report, there were approximately 36 million credential stuffing attacks every hour. While only a small fraction were successful, the impact was significant: credential stuffing attacks caused $64 billion in damage from 2015 to 2020.

So how does credential stuffing work and how can it be avoided?

In a credential stuffing attack, hackers obtain usernames and passwords that have been compromised in a data breach and begin plugging them into other websites, with the goal of gaining access to insecure accounts.

Because cybercriminals try multiple credentials on multiple accounts, this method is a kind of brute force attack, amounting to a fast-paced guessing game.

The difference from a regular brute force attack is that the guessing is not completely random. Thanks to the tendency to reuse login credentials, the hacker already has a valid username and password; the hacker just doesn't know which other accounts those credentials will unlock.

For example, suppose you use the same username and password for your primary email account, your online banking account, your social media account, and your shopping site account.

Now, one of these four accounts is compromised in a data breach. The hacker has credentials to log into your other accounts, which may include sensitive information such as credit card numbers, banking information, and private messages.

These bad guys only need to work hard enough, and long enough, to find your other accounts.

This is where automated tools come in. These tools can hit websites with thousands of login attempts per hour. They can also make malicious login requests look legitimate, which makes it difficult to detect that such an attack is taking place.

Although the success rate of login attempts through credential stuffing is estimated to be between 0.1% and 2%, the likelihood of being victimized is not low. If an automated tool can test 100,000 sets of credentials on a single website, the attacker can expect to break into between 100 and 2,000 accounts. You do not want your accounts to be among them.
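One way a site operator could spot the pattern described above in its own authentication logs, as an added example that is not from the original article: a credential stuffing source tries many distinct usernames once or twice each (it already holds a password for each), whereas classic brute force hammers one account. The log format, thresholds and sample lines below are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real data). Assumed format:
# "<timestamp> src=<ip> user=<username> result=<OK|FAIL>"
SAMPLE_LOG = """\
2024-01-10T10:00:01 src=203.0.113.5 user=alice result=FAIL
2024-01-10T10:00:02 src=203.0.113.5 user=bob result=FAIL
2024-01-10T10:00:02 src=203.0.113.5 user=carol result=FAIL
2024-01-10T10:00:03 src=203.0.113.5 user=dave result=OK
2024-01-10T10:00:03 src=203.0.113.5 user=erin result=FAIL
2024-01-10T10:00:04 src=203.0.113.5 user=frank result=FAIL
2024-01-10T10:00:10 src=198.51.100.7 user=alice result=FAIL
2024-01-10T10:00:15 src=198.51.100.7 user=alice result=FAIL
2024-01-10T10:00:20 src=198.51.100.7 user=alice result=OK
2024-01-10T10:01:00 src=192.0.2.9 user=gina result=OK
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")

def parse(log_text):
    """Yield (src, user, success) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["user"], m["result"] == "OK"

def find_stuffing_sources(log_text, min_users=5, max_attempts_per_user=2.0):
    """Return {src: stats} for sources that look like credential stuffing:
    at least min_users distinct usernames, each tried only a few times.
    A source that retries one username many times is brute force, not stuffing.
    Thresholds are illustrative assumptions, not tuned values."""
    per_src = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set()})
    for src, user, ok in parse(log_text):
        s = per_src[src]
        s["attempts"] += 1
        s["fails"] += 0 if ok else 1
        s["users"].add(user)
    flagged = {}
    for src, s in per_src.items():
        n_users = len(s["users"])
        if n_users >= min_users and s["attempts"] / n_users <= max_attempts_per_user:
            flagged[src] = {"distinct_users": n_users, "attempts": s["attempts"],
                            "failure_rate": round(s["fails"] / s["attempts"], 2)}
    return flagged

if __name__ == "__main__":
    for src, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(src, stats)
```

Because the tools spread requests across many addresses to look legitimate, a per-source check like this catches only the crude cases; a site-wide rise in failed logins across distinct usernames is the complementary signal.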

Stolen credentials are not in short supply; the website HaveIBeenPwned can check whether your usernames and passwords were compromised in a data breach.

Large-scale data breaches occur regularly, affecting Facebook, T-Mobile, Microsoft, Walgreens, and many others; in 2012, everyone with a LinkedIn account had their login credentials stolen, and in 2013, the same happened to everyone with a Yahoo! account.

The most important action you can take right now is to seriously start changing your passwords, starting right this minute. Start with the credentials you use for multiple websites and make sure your passwords are not repeated.

While you're at it, practice good password hygiene for accounts that contain sensitive personal information, starting with those that hackers might use to steal your identity or money. This includes all bank and financial accounts, all websites that store your credit card numbers, and all social media sites.

While any credential is susceptible to a data breach, using strong and unique passwords will help protect your accounts from access by credential stuffers.

Here are some tips for protecting your online passwords:

One reason we reuse basic passwords is that it is difficult to remember many sets of complex credentials. A good password manager will store your login information and auto-fill it for you when you need it, so you don't have to memorize it or write it down on paper.

Additionally, the best password managers have generators to create strong and unique passwords. Some also have security dashboards that let you know if there has been an information breach and which passwords have been reused.

Credential stuffing need not be an inevitable consequence of spending time online. By organizing your usernames and passwords, you can minimize the risk.
