Over the past few years, criminals have stolen more than a billion user names and passwords from many websites across the Internet, including LinkedIn, Adobe, and Tumblr. Criminals use these stolen user names and passwords to log in to other sites, including Exchange, Google, TeamViewer, GoToMyPC, and other popular sites. Many of these logins succeed because people reuse their passwords.
You can check to see if your password was stolen in one of the larger breaches at this link. You do not need to supply your password to check. This database does not include all breaches, so even if your password is not listed as stolen, you may still be at risk.
There’s a huge amount of hacked data floating around the web. Every week you hear of another site getting hacked, and all of those credentials end up advertised around the internet. But then what? What do hackers and others with bad intentions do with all of those email addresses and passwords? Among other things, they attempt to break into accounts on totally unrelated websites. And this is where the real problems begin.
Like it or not, people reuse passwords. Most people are just out there with the same password or three across all of their accounts. The hackers know this, so they’re going to try to break into as many other accounts as they can using the credentials collected from a data breach. One way this is accomplished is through credential stuffing.
Credential stuffing is the automated injection of breached user name/password pairs to fraudulently gain access to user accounts. This is a subset of the brute force attack category, where large numbers of compromised credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.
This is a serious threat for a number of reasons.
- It’s enormously effective because of the password reuse problem.
- It’s hard for organizations to defend against because a successful “attack” is someone logging on with legitimate credentials.
- It’s easily automatable: all an attacker needs is software that will reproduce the logon process against a target website.
- There are readily available tools and credential lists that enable anyone to try their hand at credential stuffing.
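Although each successful stuffed login looks legitimate on its own, the automation leaves a trace in login logs: one source trying many different accounts, only a few times each, and mostly failing. The sketch below is an added example, not part of the original article; the event format, thresholds and function name are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample auth events (source_ip, username, outcome); not real data.
SAMPLE_EVENTS = [
    ("203.0.113.7", "alice", "fail"),
    ("203.0.113.7", "bob", "fail"),
    ("203.0.113.7", "carol", "success"),   # reused password that matched
    ("203.0.113.7", "dave", "fail"),
    ("203.0.113.7", "erin", "fail"),
    ("203.0.113.7", "frank", "fail"),
    ("198.51.100.4", "gina", "fail"),      # one user mistyping, then succeeding
    ("198.51.100.4", "gina", "fail"),
    ("198.51.100.4", "gina", "success"),
] + [("192.0.2.10", "root", "fail")] * 6   # repeated guesses at one account

def classify_sources(events, min_users=5, max_tries_per_user=2, min_fail_ratio=0.6):
    """Return {ip: {"pattern", "accounts_to_reset"}} for suspicious sources."""
    tries = defaultdict(lambda: defaultdict(int))  # ip -> username -> attempts
    fails = defaultdict(int)                       # ip -> failed attempts
    wins = defaultdict(set)                        # ip -> usernames logged in
    for ip, user, outcome in events:
        tries[ip][user] += 1
        if outcome == "success":
            wins[ip].add(user)
        else:
            fails[ip] += 1
    findings = {}
    for ip, per_user in tries.items():
        total = sum(per_user.values())
        if fails[ip] / total < min_fail_ratio:
            continue  # mostly successful logins: normal traffic
        if len(per_user) >= min_users and max(per_user.values()) <= max_tries_per_user:
            pattern = "credential_stuffing"  # wide and shallow: many accounts
        elif len(per_user) == 1 and total >= min_users:
            pattern = "password_guessing"    # narrow and deep: one account
        else:
            continue
        # Successes from a flagged source are the accounts most likely hijacked.
        findings[ip] = {"pattern": pattern, "accounts_to_reset": sorted(wins[ip])}
    return findings

if __name__ == "__main__":
    print(classify_sources(SAMPLE_EVENTS))
```

The thresholds are illustrative and need tuning against normal traffic; a per-source count is one signal among several, not a complete defense.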
We’ve all reused a password at one time or another, but please remember to use separate passwords for each of your accounts. If you reuse any of your passwords, please change them immediately. Consider using a password manager, which can automatically create separate, strong passwords for all of your accounts.
Never use your UMID password for any other site, including other UMB sites.