As I predicted, hackers are starting to take advantage of the huge collections of free user credentials floating on the web. This week both Dunkin’ Donuts and OkCupid have had large numbers of their user accounts hacked with credential stuffing.
Credential stuffing is where hackers take a list of usernames and passwords and use them to try to log in to a site. They use computer programs that allow them to test thousands of login credentials in minutes. If someone is reusing passwords or using common or weak passwords, the attackers will have no problem accessing those accounts.
As those Dunkin’ Donuts and OkCupid users found out, it is almost impossible to prevent hackers from accessing accounts this way. Sites can block most of the login attempts, but there will always be those that get through. Although Dunkin’ Donuts’ users originally lost access to their Perks accounts, the company replaced them and ensured customers didn’t lose any value they had accumulated. The poor folks at OkCupid not only lost their accounts, but had to worry about criminals having access to private messages. Ouch!
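To show what "blocking most of the login attempts" can look like on the site's side, here is an added example (not from the original post or from either company) that flags the pattern described above: one source trying many different usernames in a short time, almost all failing. The log format, thresholds, and function names are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2019-02-12T10:00:01 203.0.113.7 alice FAIL
2019-02-12T10:00:02 198.51.100.20 grace FAIL
2019-02-12T10:00:03 203.0.113.7 bob FAIL
2019-02-12T10:00:04 203.0.113.7 carol FAIL
2019-02-12T10:00:05 198.51.100.20 grace FAIL
2019-02-12T10:00:06 203.0.113.7 erin FAIL
2019-02-12T10:00:07 203.0.113.7 frank FAIL
2019-02-12T10:00:08 198.51.100.21 heidi OK
2019-02-12T10:00:09 203.0.113.7 dave OK
2019-02-12T10:00:12 198.51.100.20 grace OK
"""

def parse(line):
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome == "OK"

def find_stuffing_sources(lines, window=timedelta(minutes=1),
                          min_users=5, min_fail_ratio=0.8):
    """Return {ip: [accounts that logged in OK from a flagged source]}.

    A user mistyping a password retries ONE username; credential stuffing
    tries MANY usernames once or twice each. Distinct usernames per source
    inside a sliding window is what separates the two.
    """
    recent = defaultdict(deque)  # ip -> attempts still inside the window
    flagged = {}                 # ip -> usernames that succeeded
    for line in lines:
        ts, ip, user, ok = parse(line)
        q = recent[ip]
        q.append((ts, user, ok))
        while ts - q[0][0] > window:  # drop attempts older than the window
            q.popleft()
        users = {u for _, u, _ in q}
        fails = sum(1 for _, _, success in q if not success)
        burst = len(users) >= min_users and fails / len(q) >= min_fail_ratio
        if burst or ip in flagged:
            # Successes from a flagged source are the accounts to lock and reset.
            flagged.setdefault(ip, set()).update(u for _, u, s in q if s)
    return {ip: sorted(u) for ip, u in flagged.items()}

if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_LOG.splitlines()))
```

The accounts it returns are the ones where a reused password worked, so those are the logins a site would want to force a password reset on. A per-address threshold is only one signal, which is part of why some attempts still get through.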
So how do you protect yourself against credential stuffing?
- Don’t reuse passwords. I know, I know, I say this all the time, but I am going to say it one more time. I know it is inconvenient and a pain, but it really is the only way to protect yourself.
- Use a password manager. This takes the sting out of my first recommendation. Password managers not only store your passwords, but make generating them and logging in a breeze.
- Use the new Password Checkup Chrome extension from Google. This puppy has already saved my bacon once. I had come up with a nice secure password. Turns out someone else involved in a data breach had come up with the same one. Password Checkup let me know so I could change it.
- Register with haveibeenpwned.com. If you register your email with them, they will email you when your email address shows up in a data breach. If you are still reusing passwords, this gives you time to change them. Credentials stolen in data breaches often show up on the dark web for sale before the breached company even knows their users’ data has been compromised.
- Enable multi-factor authentication on every account that has it available. Multi-factor authentication and its cousins, two-step verification and two-factor authentication, require you to enter an authentication code, respond to a prompt from an authentication app, or insert an authentication key when you enter your password.