The growing cyber threat of credential stuffing

Keep your passwords unique to avoid falling victim

03 Jun 2019

Key takeaways

  • Reusing the same combination of usernames and passwords on more than one website is a serious security risk.
  • Always use unique passwords on every site. The easiest way of doing so is with a password manager.
  • If a password manager isn’t right for you, consider at least using longer passwords with random words that don’t make sense together.

Do you use the same username and password on multiple websites? It’s a common habit that countless people rely on to avoid forgetting their login details across a growing number of websites and apps, but this practice can be incredibly dangerous for your financial and identity security.

If you are an adult in the United States, chances are you have fallen victim to a data breach at some point. Billions of usernames and passwords have leaked in the past and many of them sit in large repositories of stolen data on the dark web. If you don’t take fast action to avoid it, you could become the next victim of a credential stuffing attack.

What is credential stuffing?

Credential stuffing is “a type of a cyber attack where stolen account credentials, like a username and password, have been gathered by another data breach,” says Ellen Segriff, Head of Privacy, Cyber and Information Security for Wealth Management in the Americas, UBS. In a credential stuffing attack, hackers automatically—and on a large scale—take your login credentials that have been stolen from one site and input them across multiple other popular Internet sites to see if any of them work.1 “The bad actors will take those usernames and passwords and use a brute force attempt to use them to log in to those accounts,” Segriff says.

“What they are counting on is that you are using the same username and password on every site.” So, for instance, if your username and password at work is compromised and you use those same credentials to log in to your social media accounts, then those accounts could also be in jeopardy.2

Reusing the same combination of usernames and passwords on more than one website is a serious security risk. Website breaches are so common that a password you reuse may already be in a public database. If that’s the case, a hack of your account may be just a matter of time.
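
The scenario above, where one leaked work login puts other accounts in jeopardy, as an added Python example that is not part of the original article: it audits a list of saved logins and reports which other sites share the same username and password pair as a breached site. The site names, accounts, passwords and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample vault: (site, username, password). Not real accounts.
VAULT = [
    ("work.example", "pat@example.com", "Autumn2019!"),
    ("social.example", "pat@example.com", "Autumn2019!"),
    ("shop.example", "pat@example.com", "Autumn2019!"),
    ("bank.example", "pat@example.com", "maple-orbit-thimble-quartz"),
    ("forum.example", "pat_k", "Autumn2019!"),  # same password, different username
]


def _fingerprint(key, username, password):
    """Keyed digest of a credential pair so the index never holds plaintext."""
    # Assumption: usernames are compared case-insensitively.
    msg = username.lower().encode() + b"\x00" + password.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def reuse_groups(vault):
    """Return sorted lists of sites that share one username+password pair."""
    key = secrets.token_bytes(32)  # fresh key per run; digests are throwaway
    groups = defaultdict(list)
    for site, username, password in vault:
        groups[_fingerprint(key, username, password)].append(site)
    return sorted(sorted(sites) for sites in groups.values() if len(sites) > 1)


def exposed_by_breach(vault, breached_site):
    """Other sites that accept the exact pair leaked from breached_site."""
    for group in reuse_groups(vault):
        if breached_site in group:
            return [site for site in group if site != breached_site]
    return []  # unique credentials: the breach stays contained to one site


if __name__ == "__main__":
    for site, _, _ in VAULT:
        print(site, "->", exposed_by_breach(VAULT, site) or "contained")
```

The bank entry, which has its own passphrase, comes back as contained, while a breach of the work login exposes the shop and social accounts that reuse the same pair.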

Safely managing online identities

Always use unique passwords on every site. “The easiest way is to get a password manager,” Segriff explains. “You will get a unique password for every website and it’s less work and more secure.”

Password managers allow you to save a secure list of usernames and passwords that automatically fill in your browser using a plugin or extension. Segriff says “this is particularly helpful if you use lots of sites that use unique credentials.”

There are several popular password management apps available today. If you are choosing one, look for an app that works across all of your devices while maintaining the highest levels of security and encryption.

If a password manager isn’t the right solution for your needs, “it’s now considered a little more safe to use longer passwords with random words that don’t make any sense together.” Also called a key phrase, this type of password is “harder to crack.”

Stay safe and savvy in the online world

If you get hacked, “someone can go into your account and make you a victim of identity theft,” Segriff warns. “They can get ahold of your financial information and execute financial transactions on your behalf.”

Segriff also explains that if someone gets your most private financial information, like your Social Security number, they can open credit cards and make purchases in your name.

If you use a credit freeze and stick with strong password habits, however, your accounts should be safe from this kind of attack. No one has the luxury of ignoring online security. Your financial well-being depends on it.

