What Can Scammers Do With Your Old Passwords?
Late last year, hackers set their sights on sports betting site DraftKings. In a single weekend, several customers lost access to their accounts, with losses topping $300,000 [*]. But here’s the scary part: DraftKings itself was never hacked.
Instead, hackers used leaked passwords and usernames from other accounts in what’s known as a credential stuffing attack. If users were careless enough to reuse passwords, hackers had no problem accessing their DraftKings accounts.
Credential stuffing attacks are among the largest online threats in 2023 for one main reason:
Only 12% of people use different passwords for every online account [*].
Late last year, both Norton LifeLock and LastPass were hit with credential stuffing attacks, leaving the accounts of over one million customers compromised. When hackers crack one account, they can use the same password combinations to access others.
In this guide, we’ll explain how credential stuffing attacks work, how to protect your accounts, and what to do if you’ve been hacked.
What Is a Credential Stuffing Attack? How Does It Work?
Credential stuffing is a type of cyberattack in which hackers use software and botnets to rapidly test lists of stolen passwords and usernames in order to gain unauthorized access to someone’s online accounts.
Auth0 — a tool that helps authenticate users when signing in to online accounts — detected almost 10 billion credential stuffing attempts on its platform in the first three months of 2022 alone [*].
Here’s how credential stuffing works:
- Hackers buy or download a large list of usernames and passwords from the Dark Web.
- The cybercriminals set up bots to automatically attempt logins to multiple user accounts. These attempts are made in parallel, and the bots can evade detection by masking their IP addresses.
- If the bots find a match, the hackers gain access to your accounts. At that point, the criminals can steal personally identifiable information (PII), like credit card numbers, Social Security numbers (SSNs), or other valuable data.
- Whenever the bots gain access to one account, they automatically try the same password pairs on other accounts.
- The hackers monitor the progress of the attack, recording every successful set of credentials. The perpetrators can keep the user account information for future attacks, or they can sell it to scammers and identity thieves.
This type of cyberattack may seem complicated, but it’s become an attractive option for hackers for a number of reasons.
First, stolen credentials are widely available on the Dark Web. For example, “Collection #1–5” contains over 2.2 billion usernames and passwords and is available in plaintext on hacker forums [*].
Next, upwards of 65% of people rely on the same password for multiple accounts [*]. If hackers find a match on one account, they’ll try it across multiple services and sites.
Finally, hackers have built automation tools that can submit thousands or millions of fraudulent login requests a day [*] — even bypassing security measures such as Captchas by using different IP addresses.
Credential stuffing is a numbers game. While the success rate of credential stuffing attacks typically hovers between 0.2% – 2% [*], this cyber threat is growing. Even if the odds of success are 1 in 100, a large-scale attack with credential stuffing tools can be extremely profitable.
Credential Stuffing vs. Brute Force Attacks: What’s the Difference?
A brute force attack is another common hacking method similar to credential stuffing. But there are several important differences between these password-focused attacks:
A good defense against brute force attacks is to create long, complex passwords that combine uppercase and lowercase letters, numbers, and special characters.
To defend against credential stuffing, you must create unique, strong passwords for every account (and ideally store them in a password manager that will warn you if they’ve been compromised). If you reuse the same password across multiple accounts, hackers could compromise all of your accounts at once.
How To Protect Your Accounts Against Credential Stuffing Attacks
- Scan the Dark Web for your compromised credentials
- Use unique and strong passwords for each account
- Store your unique passwords in a secure password manager
- Enable two-factor authentication on every possible account
- Keep your software and operating system up to date
- Delete old accounts and clean up your cybersecurity
- Consider signing up for a digital security solution
Tighter security measures can stop hackers from taking over your accounts. Here are seven actionable ways that you can fight back against the threat of credential stuffing and account takeovers:
1. Scan the Dark Web for your compromised credentials
After a data breach, hackers buy and sell valuable personally identifiable information (PII) on The Dark Web — including leaked passwords and usernames. For example, hacked social media accounts sell for as little as $25 [*].
If you fear (or know) that your accounts are compromised after a breach, you should preemptively change your passwords before someone targets you with a credential stuffing attack.
How to find out if your passwords are on the Dark Web:
- Use Aura’s free Dark Web scanner to discover any leaked passwords associated with your email address.
- Use the Identity Guard Dark Web scanner to check your personal data exposure after a breach.
- Check HaveIBeenPwned to see if your email or phone number is compromised after a data breach.
2. Use unique and strong passwords for each account
Upwards of 90% of internet users worry about their passwords getting hacked. And yet, 51% of people continue reusing passwords across work and personal accounts (most likely to avoid having to remember complex passwords) [*].
You can get more peace of mind when you create a strong, different password for every account.
Here’s how to create better passwords:
- Make it long. Going beyond the minimum standard will help you create stronger passwords. Aim for 12-15 characters.
- Use a mixture of uppercase and lowercase letters, special characters, and symbols. Alternatively, create a passphrase if it’s easier for you to remember (for example, “LeBronIsTheGOAT”). But remember, passphrases don't have to be logical. A random sequence is more difficult to crack.
- Make it impossible to guess. Avoid birthdays, pet names, and obvious keyboard paths like “qwerty” or “12345” that could be easily guessed.
- Avoid common substitutions. Hackers have a dictionary loaded with commonly used passwords for brute force attacks. Don’t trust codes like “pa$$word” or “password1” to keep your bank account or email inbox safe.
💡 Related: Deep Web vs. Dark Web — What You Need To Know →
3. Store your unique passwords in a secure password manager
On average, every Americans has over 100 online accounts that require passwords [*]. This can make it nearly impossible to remember unique and complex passwords on your own. (And it compromises them even more when you write your passwords down on paper or type them out in a document on your computer).
Instead, the most secure way to store your passwords is with a robust password manager application.
Here’s what to do:
- Use Aura’s password manager to help you create and securely store your login credentials. Aura can also warn you if a password has been compromised or is too weak.
- With a single click, Aura can also update your passwords to be more secure on select sites.
4. Enable two-factor authentication on every possible account
Two-factor authentication (2FA) adds an extra layer of security to your accounts and personal data by requiring two distinct forms of identification before granting access.
If your passwords are leaked, hackers won’t be able to use credential stuffing attacks because they won’t have access to your second authentication factor.
Here’s what to do:
- Go to the security settings of your online accounts to set up 2FA. Basic settings allow for your email or phone number to be the second factor.
- Consider push notifications or an authenticator app for more security. Avoid relying on SMS as it can be hacked.
- Consider using additional forms of multi-factor authentication (MFA) for high-value accounts, such as a hardware security key or biometric authentication.
💡 Related: How Does Two-Factor Authentication (2FA) Work? Do You Need It? →
5. Keep your software and operating system up to date
Hackers look for security vulnerabilities in outdated software that they can use to gain access to your accounts. It's good practice to install updates and patches as soon as possible — before hackers exploit the flaws.
Here’s what to do:
- Enable automatic software updates whenever possible. This setting ensures that you always get the most recent security patches as quickly as possible.
- Stop using unsupported end-of-life (EOL) software. The Cybersecurity and Infrastructure Security Agency (CISA) advises that [*]: “Continued use of EOL software poses a consequential risk to your system that can allow an attacker to exploit security vulnerabilities.”
- Always install updates by downloading files directly from the official vendor sites. Avoid clicking on advertisements and email links, and never download while browsing on an untrusted network.
6. Delete old accounts and clean up your cybersecurity
We all have old accounts that we don’t use anymore. You may think there’s no harm in abandoning these accounts without actually closing them. But every old account is another entry point for hackers to exploit and access your personal information online.
With one successful credential stuffing attack, someone could access your account and personal data. It’s better to reduce the attack surface by closing down old accounts.
Here’s how to clean up your digital footprint:
Check your web browsers to find old accounts. Here’s where to look in each of the major browsers:
- Chrome: Go to Settings > Passwords
- Safari: Go to Preferences > Passwords
- Firefox: Go to Preferences > Privacy & Security > Saved Logins
- Edge: Go to Settings > Profiles > Passwords > Saved Passwords
You can also check password managers for saved login credentials. If you’ve opted for a password manager instead of saving details to your browser, you can recover other old accounts here.
Finally, check your social media accounts. Many of us use our Facebook or Google accounts to log in to other web applications. This approach is made possible by an application programming interface (API).
While this third-party technology is quick and convenient, it also makes your user credentials more vulnerable to hackers. You can find and delete connected accounts by viewing the security settings of all these API services, including Facebook, Google, Instagram, Twitter, and your Apple ID.
💡 Related: How To Reduce Your Digital Footprint & Protect Yourself Online →
7. Consider signing up for a digital security solution
Even if you create the strongest passwords, your accounts may be compromised if your data is leaked in a breach. An identity theft protection solution offers the maximum level of security for you and your entire family across all devices and browsers.
Here’s how to find a good digital security solution:
- Research the best identity theft protection companies to find a service that suits your needs.
- Look for a reliable application that offers a password manager, a virtual private network (VPN), Dark Web monitoring, and fast alerts in the event of any suspicious activity.
- Choose a service that provides support to help you recover your identity and finances if you become a victim of identity theft.
Is It Safe To Use a Password Manager?
Password managers were designed to protect user passwords from untrustworthy people. However, hackers now have more sophisticated tools and techniques that threaten even the most reputable digital security tools.
Last year alone, both Okta and LastPass were hit with data breaches and credential stuffing attacks [*].
While this can make it sound like password managers are not as secure as they once were, the good news is that these tools encrypt your credentials. This means that even if their databases are hacked, your passwords are most likely still safe.
With Aura’s password manager, you’re protected by:
- Military-grade encryption. Aura converts the personal information that you provide to unreadable data using military and bank-grade encryption technology. For instance, Aura’s systems use TLS 1.3 for data transfer and AES-256 for storage.
- Third-party security certification. Aura is SOC 2 certified. This third-party auditor certification is given when an organization meets the AICPA’s (American Institute of Certified Public Accountants) standards of security, confidentiality, and privacy on customer data.
- Breached or weak password warnings. Aura proactively alerts you to weak or breached passwords. These notifications help you identify potential threats and prevent account hacking.
Were Your Accounts Hacked? Do This ASAP
Once a hacker strikes, your personal information, identity documents, and finances are all at immediate risk. You need to act fast to stop the damage if you spot any warning signs of a hack — such as failed login attempts or the discovery that you’re locked out of accounts.
Here are 10 steps to take to recover from a hacked account:
- Change your passwords immediately. If you learn that a company with which you have an account has been breached, don’t assume your account is safe. Now is the time to change your password to something long, strong, and impossible to guess.
- Freeze your credit. You can contact each of the three credit bureaus — Equifax, Experian, and TransUnion — to place a freeze on your credit file. This stops anyone from opening new accounts in your name.
- Unlink compromised accounts. If someone hacks your Facebook account, they can access every account that your Facebook is connected to online. It’s best to unlink any compromised accounts to minimize the damage.
- Enable strong two-factor authentication. At a minimum, you should use push notifications or an authenticator app for your online accounts. Consider biometric authentication or a hardware key for banking, email, and tax accounts.
- Scan your devices for malware. Antivirus software will help you detect threats and isolate them before they corrupt your accounts and steal your data.
- Secure your Wi-Fi network. If you think hackers have access to the network, it’s best to disconnect all devices from it quickly. You can reset the router, create a new network password, and disable remote administration.
- Update your operating system and software. Ensure that all devices and applications have the latest updates and security patches, or you risk being exploited by future attacks.
- Warn your friends and family. If the attackers claim any of your personal data, they may use it to target others related to you with impersonation scams and phishing attacks. Let your contacts know to be on guard.
- Recover access to your hacked accounts. Most companies have a specific process in place for recovering a hacked account, including your Apple ID, Facebook, Instagram, and Gmail. Follow the official instructions to report the hack and regain full access to your account.
- File a report with the Federal Trade Commission. If you believe you are the victim of identity theft, you can get support from the FTC. Visit IdentityTheft.gov to submit an affidavit. The FTC will provide you with a recovery plan and help you recover from identity theft.
💡 Related: How To Protect Yourself From Account Takeover Fraud (ATO) →
The Bottom Line: Protect Your Passwords From Hackers
Staying safe online has never been harder. Most of us struggle with security complexity. To make our lives easier, we reuse passwords and choose memorable codes for our email, banking, and social media accounts. But password reuse is playing into the hands of cybercriminals.
With an identity theft protection solution, you get maximum security for all of your accounts — without having to remember hundreds of complex passwords.
Aura helps keep you safe online with:
- A password manager that allows you to create and store unique, complex passwords for every account. You can also automatically update any password with one click.
- Virtual private network (VPN) and Anti-virus software to protect your devices against malware, spyware, and ransomware threats by using military-grade encryption and Wi-Fi protection.
- Dark Web monitoring that scans the internet in real-time and alerts you if any of your personal information is circulating on the Dark Web.
- 24/7 three-bureau credit monitoring with rapid fraud alerts that are up to 4x faster than other digital security providers.
- Award-winning identity theft protection that monitors your most sensitive information — such as your SSN and financial accounts.
- $1,000,000 insurance policy to cover eligible losses due to identity theft, such as stolen money, credit cards, and passports.