Are you unknowingly handing cybercriminals the keys to your online life? 
Since the beginning of 2024, a surge in account take-overs and fraudulent online orders has plagued Australian and New Zealand online businesses and retailers like The Iconic, Bunnings and many others. While news outlets often cite ‘credential stuffing’ as the cause, many underestimate the alarming simplicity of this type of cyber-attack. 
Credential stuffing is a type of cyberattack in which the attacker collects stolen account credentials, typically lists of email addresses and the corresponding passwords, and then tries them against the login pages of other websites and services.

Let's break down this alarming trend and how to protect yourself.

The password re-use problem

Credential stuffing doesn't involve sophisticated hacking at all. It's shockingly simple. 
Criminals know that many people reuse the same passwords across multiple services or websites. When your password for one site gets leaked in a data breach, it could potentially unlock all your other accounts that use the same password.

How criminals get your passwords

Massive lists of stolen usernames and passwords are bought and sold on the dark web for just a few dollars. Each list comes from previous data breaches, meaning your details might already be out there without you even knowing.

25 million Australian details for sale on the dark web

A very recent example of the ease with which hackers can obtain and share large data sets of stolen credentials comes from Australia Day 2024, when a Russian hacker posted on a popular dark web hacking forum that they had the details of a whopping 25 million Australians for sale:

“Australia consumer optimised 25 million leads” the post said.

The list included legitimate email addresses and passwords. Almost every email address in the list has been shared online multiple times as part of multiple previous breaches and datasets. Unfortunately, your details could already be out there in one of those batches without you knowing it. But don't worry - we'll explain what you can do to protect yourself.

The dangerous fallout of re-used passwords

Imagine one re-used password giving criminals access to your email, banking, financial accounts, social media and more. It's not just about fraudulent purchases; you could face full-blown identity theft. This kind of situation can be very traumatic and can take a long time to resolve and recover from.

Protect yourself and your family – solutions you can use

  • Your password vault: use a password manager like Password, Dashlane or Proton Pass. These tools make it easy to generate and store strong, unique passwords for every account you have.
  • Double the protection: enable two-factor authentication (2FA) wherever possible. This way, even if your password is exposed, criminals would also need a code from your phone or authenticator application to access your account.
  • Email aliases (Tech Tip): if you're tech-savvy, consider using ‘email aliases’ to level up your online security and privacy. They let you create unique, forwarding email addresses for each website or service you sign up for. This masks your real email address and helps you track where spam or potential data breaches might be coming from. Some password managers (Proton Pass) and email providers like Apple iCloud offer this email alias feature.

Take action now

  • Check for your credentials: see if any of your old passwords have been compromised on https://haveibeenpwned.com
  • Reset exposed credentials: for any exposed accounts, reset the password to a new, unique password, and never use the exposed password again.

Don't wait until it's too late. Strengthen your online security today to limit the opportunity for scammers to take advantage of you.

Important information

Any advice and information on this website is general in nature and is provided by Resolution Life Australasia Limited ABN 84 079 300 379, AFSL No. 233671 (Resolution Life), which is part of the Resolution Life Group. Resolution Life can be contacted via the Contact us page. The advice does not take into account your personal objectives, financial situation or needs. Therefore, before acting on the advice, you should consider the appropriateness of the advice, having regard to those matters as well as the relevant Product Disclosure Statement (PDS) or Policy Document, available here or via the Contact us page. Before making a decision about the product, consider speaking to a financial adviser if you have any concerns.
