Byron Bay woman’s Paypal data breach nightmare exposes risks of ‘credential stuffing’. So how do you avoid it? – ABC News

A cyber security researcher says reusing passwords is like creating a skeleton key hackers can use to hijack accounts through a process known as credential stuffing.

This form of online fraud resulted in a Byron Bay woman being ordered to pay more than a million dollars in damages to Adidas and the National Basketball Association (NBA) in America after her PayPal account was hacked.

Sarah Luke said the hackers took control of her account, in an attack that affected 35,000 PayPal customers in December.

Credential stuffing involves hackers accessing an account by using automation to try username and password pairs, sourced from data leaks, against other websites where the same credentials may have been reused.
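The pattern that distinguishes credential stuffing from an ordinary user mistyping a password is many distinct usernames tried from one source in a short window, mostly failing. The following detection logic, written as an added example for this article (not code from ABC News or Have I Been Pwned), runs over a constructed set of login-log lines and reports which sources match that pattern and which accounts they logged into successfully, so those accounts can be forced to reset their passwords.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not real data): timestamp, source IP, username, result.
# 203.0.113.5 walks through many usernames and gets one hit; 198.51.100.7 is one
# user fumbling their own password before succeeding.
SAMPLE_LOG = """\
2023-12-01T10:00:01 203.0.113.5 alice FAIL
2023-12-01T10:00:02 203.0.113.5 bob FAIL
2023-12-01T10:00:02 203.0.113.5 carol FAIL
2023-12-01T10:00:03 203.0.113.5 dave OK
2023-12-01T10:00:04 203.0.113.5 erin FAIL
2023-12-01T10:00:05 203.0.113.5 frank FAIL
2023-12-01T10:00:06 203.0.113.5 grace FAIL
2023-12-01T10:00:07 203.0.113.5 heidi FAIL
2023-12-01T10:01:00 198.51.100.7 alice FAIL
2023-12-01T10:01:20 198.51.100.7 alice FAIL
2023-12-01T10:01:40 198.51.100.7 alice OK
"""


def parse_line(line):
    """Split one log line into (timestamp, source IP, username, success flag)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5, max_success_rate=0.5):
    """Flag sources that try at least `min_users` distinct usernames within one
    time window with a low success rate. Returns {ip: stats}, where `compromised`
    lists accounts the source logged into successfully (candidates for a forced reset)."""
    buckets = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, ok = parse_line(line)
        bucket = int(ts.timestamp() // window.total_seconds())  # fixed-size time bucket
        buckets[(ip, bucket)].append((user, ok))

    flagged = {}
    for (ip, _), attempts in buckets.items():
        users = {u for u, _ in attempts}
        hits = sorted(u for u, ok in attempts if ok)
        # Single-account brute force or a forgetful user has few distinct usernames;
        # a stuffing run has many, and most of them fail.
        if len(users) >= min_users and len(hits) / len(attempts) <= max_success_rate:
            flagged[ip] = {"attempts": len(attempts), "distinct_users": len(users), "compromised": hits}
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

Thresholds are assumptions for the sample data; in production they would be tuned against the service's normal login volume, and the source key would usually combine IP with other request fingerprints because stuffing tools rotate addresses.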

Troy Hunt is a cyber security expert and creator of website Have I Been Pwned, which collects information on data breaches and helps people establish if they've been caught up in them.

He said most people's digital footprint was so large it was hard to identify where data breaches originated.

"The thing most people don't realise is that we have all been in data breaches that not only we don't know about, but the organisations that have been breached probably don't know about," he said.

"If you think you have less than 100 accounts, and you've been on the internet for more than about 10 years, you're probably wrong."

Professor of Cyber Security Practice at Edith Cowan University, Paul Haskell-Dowland, told ABC NSW Drive that while Ms Luke's case was "extreme", it was common for "personal information to be stolen or leaked and misused by criminals".

"Given the global situation, we're certainly seeing a continued interest from cyber criminals in obtaining or stealing data in relation to what we might think are relatively mundane pieces of our lives," Professor Haskell-Dowland said.

"Scams alone are now costing Australians billions of dollars every year and, when you look across the globe, the sums are in the order of trillions of dollars of economic damage or direct losses."

Ms Luke has said she was only aware of being affected by the October 2022 Medibank data breach.

But Medibank said none of its customers' passwords were compromised in the breach.

Mr Hunt said it was possible for hackers to "socially engineer" their way into something like a PayPal account.

But he said without a password, it would have required the hackers convincing the service that they were the victim before it handed them control of an account.

Mr Hunt said the other way hackers could have accessed Ms Luke's PayPal account was through an unknown data breach or breaches.

"Very often we see other data breaches, which do leak passwords," he said.

"And due to the prevalence of password reuse, you could go to those data breaches as an attacker, take the passwords and log into someone's account."

Mr Hunt said personal data like usernames and passwords was now "so prevalent" online it existed not just on the dark web, but also on the clear web, traded in public forums and posted to social media accounts.

"It's just amazing how far our email address and password pairs travel in credential stuffing lists," he said.

"Trying to remove your data from the internet is like trying to remove pee from a pool.

"It is very hard to actually get that information back offline."

Credential stuffing relies on people re-using passwords, Mr Hunt said.

A good way to avoid it, he said, was to use a secure password manager that generated unique and strong passwords for each online account.

"When you have a unique password for each and every site, that kills credential stuffing dead in its tracks," he said.

Mr Hunt said the first step was to get a digital password manager and start with the most important accounts first, such as email.

"Your email account is enormously valuable, because that's used very often to reset the passwords for your other accounts," he said.

Mr Hunt said it was "never too late" for people to make their online accounts harder to hack.
