Credential stuffing is back in the headlines after thousands of Aussies had their personal information stolen this month. So, what is it?
Well, credential stuffing is even more unpleasant than it sounds. It's when hackers take a stolen list of usernames and passwords and try using them on other devices and websites - typically, shopping sites, such as The Iconic.
Using automated tools, criminals can potentially make purchases worth thousands of dollars before being detected.
Have you been a victim of credential stuffing? Let us know at email@example.com
Reports suggest as many as 15,000 Australians have been hit in new credential-stuffing attacks this year alone.
"This is a scourge and there are so many vulnerable people being ripped off who've acted in absolutely good faith and we need to make sure they are protected," Prime Minister Anthony Albanese said on Wednesday.
But any changes to the law would take time to introduce into parliament. And the problem is huge. Credit card fraud accounted for more than $1 billion in losses in 2023, Finder research found.
It's scary stuff. So, what can you do to make sure it doesn't happen to you?
How does credential stuffing work?
If criminals successfully hack into online systems, their first target is trying to get details of usernames, email addresses and passwords. Most online retailers store these in encrypted form so, even if criminals gain access to systems, that doesn't mean they can use the passwords.
However, sophisticated attacks can sometimes gain access to unencrypted information. That information is then traded on the ‘dark web’, with criminals paying for access to lists of emails and usernames. Credential stuffers then try to use those details to log into other popular sites.
If you've used the same password on multiple sites and those details are stolen from just one store, every other account using the same password is potentially vulnerable. Cyber-criminals don't need to log into each account individually; they use automated tools to test thousands of accounts.
Even if many logins don't work, the ones that do can be used for criminal activity. That's especially the case if you've stored your credit card details with a store and it doesn't ask for additional details, such as the CVV from the card or a login token from your banking app.
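The pattern described above, many different usernames tried from one source with most attempts failing, is also what a site's defenders look for in their login logs. The following Python script is an added illustration, not code from the article or from any retailer mentioned in it: it parses a small constructed set of login events, flags source addresses that tried at least five distinct accounts with a low success rate, and lists the accounts those sources did get into, which are the ones a site would force a password reset on. The log format, thresholds and IP addresses are all assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample of login events (not real traffic): timestamp, source IP,
# username, outcome. One source tries six different accounts and gets into one;
# the other two sources look like ordinary users.
SAMPLE_LOG = """\
2024-01-10T09:00:01 203.0.113.5 alice@example.com FAIL
2024-01-10T09:00:02 203.0.113.5 bob@example.com FAIL
2024-01-10T09:00:02 203.0.113.5 carol@example.com SUCCESS
2024-01-10T09:00:03 203.0.113.5 dave@example.com FAIL
2024-01-10T09:00:03 203.0.113.5 erin@example.com FAIL
2024-01-10T09:00:04 203.0.113.5 frank@example.com FAIL
2024-01-10T09:05:00 198.51.100.7 alice@example.com FAIL
2024-01-10T09:05:20 198.51.100.7 alice@example.com SUCCESS
2024-01-10T09:06:00 192.0.2.9 grace@example.com SUCCESS
"""

# Assumed log line shape: "<timestamp> <ip> <username> <FAIL|SUCCESS>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse_log(text):
    """Turn the raw log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            ts, ip, user, outcome = match.groups()
            events.append({"ts": ts, "ip": ip, "user": user, "ok": outcome == "SUCCESS"})
    return events


def flag_stuffing_sources(events, min_users=5, max_success_rate=0.5):
    """Return {ip: stats} for sources that tried many distinct usernames and mostly failed.

    A real user mistyping their own password hits one username repeatedly; a
    credential-stuffing tool cycles through a stolen list, so the number of
    distinct usernames per source is the telling signal.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for event in events:
        stats = per_ip[event["ip"]]
        stats["users"].add(event["user"])
        stats["attempts"] += 1
        stats["successes"] += int(event["ok"])

    flagged = {}
    for ip, stats in per_ip.items():
        rate = stats["successes"] / stats["attempts"]
        if len(stats["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {
                "distinct_users": len(stats["users"]),
                "attempts": stats["attempts"],
                "success_rate": round(rate, 2),
            }
    return flagged


def accounts_to_reset(events, flagged):
    """Usernames that a flagged source logged into successfully: reset these first."""
    hits = {e["user"] for e in events if e["ip"] in flagged and e["ok"]}
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    suspicious = flag_stuffing_sources(evs)
    for ip, stats in suspicious.items():
        print(f"{ip}: {stats}")
    print("accounts to reset:", accounts_to_reset(evs, suspicious))
```

With the sample above only 203.0.113.5 is flagged (six usernames, one success), and carol@example.com is the account that needs a reset; the repeated attempts on alice@example.com from one address are left alone because they target a single account.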
How can you stop credential stuffing happening to you?
The key fix is simple: never use the same password on more than one site. Reusing passwords is what makes people vulnerable to these attacks.
Fortunately, that doesn't mean you have to memorise a new password for every site you use. Use the built-in password-saving option in your phone's browser (Safari, Chrome, etc.) and ask it to generate unique, hard-to-guess passwords for you. That way, you can easily have a different password for every site. Even if details get stolen from one site, they won't be usable anywhere else.
For further protection, don't share your credit card details if you don't have to. Payment options such as PayPal enable you to pay without sharing all your information with an online store.
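Password managers do two things behind the scenes that the advice above relies on: they check whether a saved password appears on more than one site, and they generate a fresh random one to replace it. The Python below is an added example, not code from the article or from any browser or password manager: it audits a constructed list of saved logins for reuse, then gives each reused entry its own password drawn from the `secrets` module (the cryptographically secure source a generator should use). The site names, usernames and passwords are made up for the example.

```python
import secrets
import string
from collections import defaultdict

# Constructed sample of saved logins, as a password manager might hold them (not real data).
# The same password is reused on three of the four sites.
SAVED_LOGINS = [
    {"site": "shop.example", "user": "alice@example.com", "password": "Summer2023!"},
    {"site": "mail.example", "user": "alice@example.com", "password": "Summer2023!"},
    {"site": "bank.example", "user": "alice@example.com", "password": "xT9#kLq2$vB7mZ1p"},
    {"site": "forum.example", "user": "alice", "password": "Summer2023!"},
]

# Character set for generated passwords: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def find_reused_passwords(logins):
    """Map each password that appears on more than one site to the sorted list of those sites."""
    sites_by_password = defaultdict(set)
    for entry in logins:
        sites_by_password[entry["password"]].add(entry["site"])
    return {pw: sorted(sites) for pw, sites in sites_by_password.items() if len(sites) > 1}


def generate_password(length=20):
    """Return a random password; secrets.choice is unpredictable, unlike random.choice."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def replace_reused(logins, length=20):
    """Return a copy of the logins where every entry holding a reused password gets a fresh one.

    Entries that already have a unique password are left untouched.
    """
    reused = find_reused_passwords(logins)
    fixed = []
    for entry in logins:
        updated = dict(entry)
        if entry["password"] in reused:
            updated["password"] = generate_password(length)
        fixed.append(updated)
    return fixed


if __name__ == "__main__":
    for pw, sites in find_reused_passwords(SAVED_LOGINS).items():
        print(f"password reused on {len(sites)} sites: {', '.join(sites)}")
    for entry in replace_reused(SAVED_LOGINS):
        print(entry["site"], "->", entry["password"])
```

After `replace_reused` runs, no two entries share a password, and the one site that already had a unique password keeps it.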
What can I do if my details have been compromised?
If you think you've been the victim of credential stuffing, take these crucial steps:
Contact your bank to report the transactions and ask them to freeze your credit cards. This will stop anyone else from making payments using them
Report any unauthorised transactions to the store involved
Report the incident to the Australian Cyber Security Centre