Adviser Connect – March 2024

Are you unknowingly handing cybercriminals the keys to your business & online life?

Since the beginning of 2024, a surge in account take-overs and fraudulent online orders has plagued Australian online businesses and retailers like The Iconic, Bunnings and many others. While news outlets often cite "credential stuffing" as the cause, many underestimate the alarming simplicity of this type of cyber-attack. 

Let's break down this alarming trend and how to protect yourself:

The Password Re-Use Problem

Credential stuffing doesn't involve sophisticated hacking at all. It's shockingly simple. 

Criminals know that many people reuse the same passwords across multiple services or websites. When your password for one site gets leaked in a data breach, it could potentially unlock all your other accounts that use the same password. 

How Criminals Get Your Passwords

Massive lists of stolen usernames and passwords are bought and sold on the dark web for just a few dollars. Each list comes from previous data breaches, meaning your details might already be out there without you even knowing.

25 Million Australian Details For Sale On The Dark Web

A very recent example of the ease in which hackers can obtain and share large data sets of stolen credentials is from Australia Day 2024, where a Russian hacker known as “Jasperoliverx” posted on a popular Dark Web hacking forum that they had the details of a whopping 25 million Australians for sale: 

“Australia Consumer Optimised 25 million Leads” the post said. 

The list included legitimate emails addresses and passwords. Almost every email address in the list has been shared online multiple times as part of multiple previous breaches and datasets.

Unfortunately, your details are probably already out there in one of those batches right now without you knowing it. But don't worry - we'll explain what you can do to protect yourself. 

The Dangerous Fallout of Re-Used Passwords

Imagine one reused password giving criminals access to your email, banking, financial accounts, social media, and more. 

It's not just about fraudulent purchases; you could face full-blown identity theft. This kind of situation can be very traumatic and can take a long time to resolve and recover from.

Protect Yourself & Your Clients – Solutions You Can Use

•    Your Password Vault: Use a password manager like 1Password, Dashlane or Proton Pass. These tools make it easy to generate and store strong, unique passwords for every account you have.

•    Double the Protection: Enable two-factor authentication (2FA) wherever possible. This way, even if your password is leaked, criminals would also need a code from your phone or authenticator application to get in.

•    Email Aliases (Tech Tip): If you're tech-savvy, consider using “email aliases” to level up your online security & privacy. They let you create unique, forwarding email addresses for each website or service you sign up for.  This masks your real email address, and helps you track where spam or potential data breaches might be coming from.  Some password managers (Proton Pass) and email providers like Apple iCloud offer this email alias feature.

Take Action Now

•    Check for Your Credentials: See if any of your old passwords have been compromised on https://haveibeenpwned.com

•    Reset Exposed Credentials: For any exposed accounts, ensure you reset the password to a new unique password, and never used the exposed password ever again. 
 
Don't wait until it's too late. Strengthen your online security today!