Credential stuffing – What it is and why you should care

You may have heard recently about the credential stuffing incident involving some 15,000 customers of a number of big brands, including Guzman y Gomez, Dan Murphy’s, Event Cinemas and Binge – just to name a few.

The incident has seen some compromised customers losing hundreds of dollars through transactions that were processed on their accounts.

What is credential stuffing?

Credential stuffing campaigns work through trial and error.  They involve a cyber criminal taking usernames and passwords that may have been accessed through a data breach, and then trying those same credentials on other websites in the hope that a user has re-used the same username and password combination on multiple sites.

If you’re one of the 52% of people who uses the same email and password combination on multiple sites, you’d best read on.
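For anyone who runs a website with logins, the trial-and-error pattern described above shows up in login logs as one source trying many different accounts, each only once or twice. The Python below is an added example, not part of the original article; the log format, thresholds and function names are assumptions, and the log lines are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real data): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-01-10T09:00:01 203.0.113.7 alice@example.com FAIL
2024-01-10T09:00:03 203.0.113.7 bob@example.com FAIL
2024-01-10T09:00:05 203.0.113.7 carol@example.com OK
2024-01-10T09:00:08 203.0.113.7 dave@example.com FAIL
2024-01-10T09:00:11 203.0.113.7 erin@example.com FAIL
2024-01-10T09:00:14 203.0.113.7 frank@example.com OK
2024-01-10T09:01:00 198.51.100.20 grace@example.com FAIL
2024-01-10T09:01:20 198.51.100.20 grace@example.com FAIL
2024-01-10T09:01:45 198.51.100.20 grace@example.com OK
2024-01-10T09:02:00 192.0.2.44 heidi@example.com OK
"""

def parse_events(log_text):
    """Turn each non-empty line into (time, ip, username, succeeded)."""
    events = []
    for line in (l for l in log_text.splitlines() if l.strip()):
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5, max_tries_per_user=2):
    """Flag sources that try many different accounts, each only once or twice,
    inside one time window, and collect the accounts where a login succeeded."""
    by_ip = defaultdict(list)
    for event in sorted(events):
        by_ip[event[1]].append(event)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            tries = Counter(user for _, _, user, _ in evs[start:end + 1])
            if len(tries) >= min_users and max(tries.values()) <= max_tries_per_user:
                info = flagged.setdefault(ip, {"accounts_tried": 0, "accounts_to_reset": set()})
                info["accounts_tried"] = max(info["accounts_tried"], len(tries))
                info["accounts_to_reset"] |= {u for _, _, u, ok in evs[start:end + 1] if ok}
    return flagged

if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

The user who mistypes their own password twice before getting in is not flagged; only the source that walks through a list of different accounts is, and the accounts it got into are the ones needing a password reset.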

Should I be concerned?

Don’t be fooled into thinking “it won’t happen to me”.  Thousands of Australians are impacted by data breaches like this each and every day, costing over $300 million in 2021.

You may think it doesn’t matter if a cybercriminal gains access to your Dan Murphy’s account as you’re not too worried if they see you enjoy cask wine instead of the bottled variety.  However, imagine if you were one of the many online shoppers who save their credit card to their accounts?  Or perhaps you had gift cards loaded to your account that they could spend?

How can I protect myself?

Regardless of whether you’re a customer who was impacted by this incident or not, we have 5 top tips that we recommend everyone follows:

  1. Never use the same password across multiple logins or platforms.
  2. When signing up for a new service or platform, never opt to ‘Login with Facebook’ or ‘Login with Google’ – always create unique logins.
  3. Ensure you have a complex password, or better yet, use a pass phrase.
  4. To help make sure you use complex passwords, use a password manager app to store and maintain all your passwords for you.
  5. Turn on multi-factor authentication wherever you can, so that if a password does get leaked, a cyber criminal still can’t log in to your account without that secondary code.

Burying your head in the sand could cost you thousands of dollars.

If confused or in doubt, please seek advice from someone who understands cyber security.

If you’re a business with a team, we can assist with running Cyber Security training, which helps to protect both them and you.

Contact our CET Team today
for a complimentary assessment and consultation