We rely heavily on digital credentials for our daily activities, whether it be banking, social media, work or accessing health services. These credentials typically consist of a username and password, and we trust that they are secure and only in our possession. However, the reality is that our credentials very often fall into the wrong hands, and we may not even be aware of it. In this blog post, we will explore how your credentials could already be in the wrong hands and what you can do to regain control.

This is how hackers get your credentials

Cybercriminals often steal login credentials without either the service provider or the user noticing that the credentials have been stolen. Here are some common ways that cybercriminals steal your credentials.

Data Breach

One of the primary ways that credentials can be stolen is through data breaches. A data breach occurs when a hacker gains unauthorised access to a company’s database and steals sensitive information, including usernames and passwords. If you have ever received a notification from a company that your account may have been compromised, it’s likely that your credentials were included in the breach. The stolen credentials are then used by the hacker, or sold to others on the dark web, to commit identity theft.

Large-scale data breaches have become increasingly common in recent years, affecting millions of people worldwide. The Verizon Data Breach Investigations Report (DBIR) 2022 found that the theft of credentials was the leading cause of security breaches in 2021. This trend continued in 2022 and 2023, with several high-profile data breaches crippling major retailers, financial institutions, and even government agencies. For example, in January 2023 alone: T-Mobile suffered a data breach that impacted around 37 million customers; PayPal user accounts were accessed by hackers using stolen login credentials; and the personal data of 200 million Twitter users was stolen and is being sold on the dark web for as little as $2.

Never use the same password for more than one account. Password reuse is catastrophic: one stolen password gives the hacker access to all your accounts.

If you are a customer of a company that has experienced a data breach, then it’s likely your credentials are already in the hands of cybercriminals.

Phishing

Phishing employs deception to trick users into revealing sensitive information. In a phishing attack, the hacker sends an email or a text message that appears to be from a legitimate source, such as your bank or an online retailer. The message contains a link that leads to a fake website, where you are prompted to enter login credentials. Once the credentials are entered, the hacker uses them to access the account. The hacker may choose to change the account credentials after gaining access to lock you out of the account.

Be wary of suspicious emails, links, attachments and websites. Do not click on random links or attachments. If an email or website looks suspicious, do not enter your login information. Even MFA tokens can be stolen and used immediately to hijack your account.

Phishing attacks are one of the most common ways that hackers steal login credentials (usernames, passwords and codes). Phishing is becoming so sophisticated that it can bypass most multi-factor authentication methods.

It accounts for more than 82% of all breaches and is the costliest form of data breach, at USD 4.91 million in breach cost, as reported by IBM.

Social Engineering

It is also possible for credentials to be compromised through social engineering. Social engineering involves the use of psychological manipulation to trick users into revealing their login information. For example, a hacker may pose as a tech support representative and ask you for your username and password in order to “fix” a problem with your account. In some cases, the hacker may even impersonate your friends or family members in order to gain your trust.

Keylogging

Keylogging is a technique that hackers use to record every keystroke you make on your computer. This allows them to capture your credentials without you being aware of it. Keylogging software can be installed on your computer through malicious emails, social media messages or even downloaded unknowingly from websites.

Brute Force Attack and Guessing

A brute force attack (password guessing) is another common way that hackers obtain your credentials. In a brute force attack, hackers try different password combinations against your account until they find the correct one and log in.

Brute force attacks succeed mainly because of weak/insecure passwords. A breach report by the UK NCSC revealed that 23.2 million victim accounts worldwide used 123456 as their password. 7.7 million accounts used 123456789, while 3.8 million people used qwerty as their password. Names such as Ashley were used 432,276 times.

The fundamental issue with passwords is that people tend to choose what they can remember, which makes them very easy for hackers to guess.
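The defender-side counterpart to the NCSC figures above is to screen new passwords against a list of known-weak values before accepting them. The following is an added example, not code from the original post: it uses a small constructed denylist built from the passwords named above (a real deployment would load a full breached-password list), and the normalise helper is a hypothetical routine that strips the digits and symbols people append to a memorable word.

```python
import re

# Constructed denylist of the passwords named in the NCSC figures above, plus a
# couple of obvious variants. A real deployment loads a full breached-password list.
COMMON_PASSWORDS = {"123456", "123456789", "qwerty", "password", "ashley"}


def normalise(password: str) -> str:
    """Hypothetical helper: reduce 'Ashley123!' or 'Qwerty2023' to its base word."""
    base = password.lower()
    base = re.sub(r"[^a-z0-9]+$", "", base)       # trailing symbols: "ashley!!" -> "ashley"
    base = re.sub(r"\d+$", "", base) or base        # trailing digits: "ashley123" -> "ashley"
    return base                                     # all-digit values keep their original form


def check_password(password: str, username: str = "", email: str = "") -> list[str]:
    """Return the list of policy failures; an empty list means the password is accepted."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    # Compare both the literal value and its de-mangled form against the denylist
    if password.lower() in COMMON_PASSWORDS or normalise(password) in COMMON_PASSWORDS:
        problems.append("matches a commonly used / breached password")
    # Reject passwords built from the account's own identifiers (username, mailbox name)
    identifiers = dict.fromkeys([username, email.split("@")[0] if email else ""])
    for ident in identifiers:
        if ident and len(ident) >= 3 and ident.lower() in password.lower():
            problems.append(f"contains account identifier '{ident}'")
    return problems


if __name__ == "__main__":
    for candidate in ("Ashley123!", "Qwerty2023", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, username="ashley") or "accepted")
```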

So, what can you do to protect your credentials?

Cybercriminals often use readily available off-the-shelf techniques to obtain login credentials (usernames, passwords, OTPs and SMS codes). Only in rare cases are sophisticated techniques employed by hackers to compromise organisations and user accounts. A Verizon DBIR found that “81% of all breaches are caused by weak/insecure credentials”. This is because most organisations and users fail to follow basic security practices.

Here are some steps that individuals and organisations can take to protect their credentials and prevent them from falling into the wrong hands.

  1. Never use the same password for more than one account. Password reuse is catastrophic: one stolen password gives the hacker access to all your accounts.
  2. Use strong, unique passwords for each account. This can be challenging, but using a password manager can make it easier to generate and store strong passwords.
  3. Enable multi-factor authentication (MFA) on all accounts. It adds an extra layer of security and makes it much harder for cybercriminals to gain access.
  4. Be wary of suspicious emails, links, attachments and websites. Do not click on random links or attachments. If an email or website looks suspicious, do not enter your login information. Even MFA tokens can be stolen and used immediately to hijack your account.
  5. Any MFA is better than no MFA but if available, always use phishing-resistant MFA.
  6. Keep your software and systems up to date. This includes updating your operating system, web browser, and antivirus software regularly.
  7. Monitor your accounts regularly for any suspicious activity. If you notice any unusual activity on your account, such as unrecognised logins or transactions, change your password immediately, revoke unknown MFA devices on your account and report it immediately.
  8. Organisations should ensure that their systems are regularly monitored for suspicious activity. This includes conducting regular security assessments, implementing strong access controls, and using advanced encryption to protect sensitive data.
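Steps 7 and 8 ask for monitoring of unusual logins, and the brute force section above describes the pattern to look for: many failed attempts against one account, or one source trying many accounts. The following is an added example, not code from the original post, of that detection logic run over a constructed sample of authentication events; the log format, the five-minute window and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "timestamp user source_ip result"
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice 203.0.113.7 FAIL
2024-03-01T09:00:03 alice 203.0.113.7 FAIL
2024-03-01T09:00:05 alice 203.0.113.7 FAIL
2024-03-01T09:00:06 alice 203.0.113.7 FAIL
2024-03-01T09:00:08 alice 203.0.113.7 FAIL
2024-03-01T09:00:09 alice 203.0.113.7 SUCCESS
2024-03-01T09:10:00 bob 198.51.100.9 FAIL
2024-03-01T09:10:01 carol 198.51.100.9 FAIL
2024-03-01T09:10:02 dave 198.51.100.9 FAIL
2024-03-01T09:10:03 erin 198.51.100.9 FAIL
2024-03-01T09:10:04 frank 198.51.100.9 FAIL
2024-03-01T09:10:05 grace 198.51.100.9 FAIL
2024-03-01T12:00:00 alice 192.0.2.44 SUCCESS
"""

WINDOW = timedelta(minutes=5)   # assumed sliding window
FAIL_THRESHOLD = 5              # failures on one account from one source within WINDOW
SPRAY_THRESHOLD = 5             # distinct accounts failing from one source within WINDOW


def parse(log: str):
    """Yield (timestamp, user, ip, result) tuples from the assumed log format."""
    for line in log.splitlines():
        ts, user, ip, result = line.split()
        yield datetime.fromisoformat(ts), user, ip, result


def detect(log: str) -> list[str]:
    """Return one alert string per brute-force, spray or post-burst-success pattern."""
    alerts = []
    fails_by_key = defaultdict(list)   # (user, ip) -> timestamps of recent failures
    fails_by_ip = defaultdict(list)    # ip -> (timestamp, user) of recent failures
    for ts, user, ip, result in parse(log):
        key = (user, ip)
        if result == "FAIL":
            fails_by_key[key] = [t for t in fails_by_key[key] if ts - t <= WINDOW] + [ts]
            if len(fails_by_key[key]) == FAIL_THRESHOLD:   # fire once per burst, not per attempt
                alerts.append(f"brute force: {FAIL_THRESHOLD} failures for {user} from {ip}")
            fails_by_ip[ip] = [(t, u) for t, u in fails_by_ip[ip] if ts - t <= WINDOW] + [(ts, user)]
            if len({u for _, u in fails_by_ip[ip]}) == SPRAY_THRESHOLD:
                alerts.append(f"credential stuffing/spray: {SPRAY_THRESHOLD} accounts from {ip}")
        elif len(fails_by_key[key]) >= FAIL_THRESHOLD:
            # A success right after a burst of failures is the event worth escalating
            alerts.append(f"likely compromise: success for {user} from {ip} after failures")
    return alerts
```

A success from a new source with no preceding failures (the last line of the sample) raises nothing here; correlating it with the account's usual locations is a separate check.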

Above all, it’s critical to educate employees and users on how to identify, avoid and report these types of attacks.

Key takeaway

Your credentials are valuable, and they can be used for fraudulent purposes if they fall into the wrong hands. By being vigilant and taking steps to protect your credentials, you can reduce the risk of falling victim to cybercrime. Remember, prevention is the best defence against credential theft.
