TOM JEWKES

I imagine one day I’ll own a 1970 Corvette Stingray. It will have its own garage. I’ll lock the garage doors when I’m not using it to make sure it’s safe. I’ll put an alarm on the building — to be sure. And I WON’T leave the keys in it!

A few months ago, my mother-in-law told me her email “broke.” For a few days, she hadn’t received any emails in her Outlook Client. So, I took a peek at her Cox webmail. I found a message stating the account was locked, due to suspicious activity. After a couple hours with tech support, we were able to get in. We found the account had been sending hundreds of spam emails every day. A criminal had hijacked her mail.

Recently I read a blog post in Dentaltown from a dentist victimized like this. His email account had become an unwitting offender. How did this happen to them? Will it happen to you? How can you prevent it?

These email accounts fell victim to what we call a “credential stuffing attack.” It’s often performed by software known as “bots.” See, websites should be storing your username/password pairs (AKA “credentials”) in an encrypted database, but they often don’t. It’s like storing a 1970 Corvette Stingray in your garage (keys in the switch), and then leaving the door wide open. You’d never do that, but websites do — all the time!

Criminals break into those websites and scoop out your credentials. Then, those same criminals dump your credentials on the dark web. Other crooks snag these breached credentials from Amazon-like marketplaces on the dark web. They then load their bots with lists of credentials, including yours. Finally, the bot logs into your email account.
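The bot behaviour described above leaves a recognizable trace in a website's login logs: one source address trying many different usernames in quick succession, failing most of the time, and occasionally succeeding where a victim reused a password. The following script is an added example, not code from the column or from CyberEye, that shows how a site operator could flag that pattern. The log format and every log line in it are constructed for the example; the thresholds (five distinct usernames inside five minutes, at least 75% failures) are assumptions to be tuned to real traffic.

```python
"""Spot the signature of a credential-stuffing bot in authentication logs.

A person who mistypes a password fails once or twice against ONE account.
A bot replaying a breached credential list fails against MANY accounts
from the same source in a short time, with an occasional success when a
victim reused a password.  This flags sources that fit the second pattern.
Log format and sample lines are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <username> <OK|FAIL>"
# 10.0.0.5 behaves like a bot, 192.0.2.10 like a person who mistyped once,
# 198.51.100.7 touches too few accounts to be called a bot.
SAMPLE_LOG = """\
2024-03-01T09:00:01 10.0.0.5 alice@example.com FAIL
2024-03-01T09:00:02 10.0.0.5 bob@example.com FAIL
2024-03-01T09:00:03 10.0.0.5 carol@example.com FAIL
2024-03-01T09:00:04 10.0.0.5 dave@example.com OK
2024-03-01T09:00:05 10.0.0.5 erin@example.com FAIL
2024-03-01T09:00:06 10.0.0.5 frank@example.com FAIL
2024-03-01T09:00:07 10.0.0.5 grace@example.com FAIL
2024-03-01T09:00:08 10.0.0.5 heidi@example.com FAIL
2024-03-01T09:01:00 192.0.2.10 alice@example.com FAIL
2024-03-01T09:01:15 192.0.2.10 alice@example.com OK
2024-03-01T09:02:00 198.51.100.7 bob@example.com FAIL
2024-03-01T09:02:30 198.51.100.7 carol@example.com FAIL
"""


def parse_line(line):
    """Turn one log line into a dict with a parsed timestamp and outcome."""
    ts, ip, user, outcome = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip,
            "user": user, "ok": outcome == "OK"}


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_users=5, min_fail_rate=0.75):
    """Return {ip: summary} for every source whose attempts, within any
    `window`, span at least `min_users` distinct usernames and fail at
    least `min_fail_rate` of the time.  Thresholds are assumed values."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_ip[event["ip"]].append(event)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        # Slide a window starting at each attempt; stop at the first hit.
        for i, start in enumerate(events):
            burst = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            users = {e["user"] for e in burst}
            failures = sum(1 for e in burst if not e["ok"])
            if len(users) >= min_users and failures / len(burst) >= min_fail_rate:
                flagged[ip] = {
                    "attempts": len(burst),
                    "distinct_users": len(users),
                    "failures": failures,
                    # Accounts the bot got into: these passwords were reused
                    # somewhere that was breached and need resetting.
                    "compromised": sorted(e["user"] for e in burst if e["ok"]),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {summary}")
```

Only 10.0.0.5 is flagged: eight different accounts in seven seconds with seven failures, and the single success (dave@example.com) is exactly the account whose owner should be told to change a reused password. The person behind 192.0.2.10 who fumbled alice's password once is left alone, which is the point of counting distinct usernames rather than raw failures.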

Picture this: You use your Gmail address as the username to log into scrapbook.com. Then, you use the same password for scrapbook.com that you use for your Gmail account. A criminal breaks into scrapbook.com. If the database isn’t encrypted (the doors were left open), the thieves steal your credentials. In essence, the criminal drove away in your beloved Stingray!

It happened because you used the same key for every door you own: Your house, your Stingray garage, your business office, your mailbox… You get my point? Worst of all, you left a copy of the key taped to the front door of your house, right in plain sight.

We often recommend in these articles that you make sure to use unique passwords for the bucketload of websites you log into. Certain accounts are more critical than others: your email account, your bank account, and any other account holding your financial information. Use a password manager like Bitwarden. If you use a long, unique passphrase instead of a short password, and a different passphrase for each site you visit, then you reduce the chance of becoming a credential stuffing victim.

Co-written by Dan Gavin and Tom Jewkes, the cyber guys from CyberEye. An archive of past articles can be found at www.cybereyeaw.com/blog. Contact us at gavin@cybereyeaw.com and tom@cybereyeaw.com.