“Almost time for lunch,” Cameron thought, as she clicked through her email. “Document review…document review…deposition…” She liked being a paralegal, but wished her firm would hire some more people to help with the workload.
She paused for a moment to look at an email from Tailwind Toys that had arrived the day before. Apparently, they’d had some kind of security breach, but they didn’t think the attackers had got any payment information. “Great,” she thought with a chuckle. “Now they know what my son’s favorite toys are.”
A little while later she met her friend Akihito for lunch. Pulling out his chair, Akihito casually dropped his keychain on the table.
“Hey!” Cameron exclaimed, “Where did you get that awesome puzzle cube on your keychain?!”
“It is pretty fun,” Akihito replied. “It was $5 at Tailwind Toys.”
“Ooh” Cameron said, suddenly remembering the email she’d seen earlier. “Did you hear they got hacked and lost a bunch of customer info?”
“Really? Wow.”
“Yeah, I’m sure they’re excited to know that Ethan likes blue blocks,” Cameron replied, laughing.
“Is that all they got?”
“Oh, the usual ‘Customer names, email addresses, passwords’ stuff too. But apparently no credit cards,” Cameron replied.
“Hmmm…but emails and passwords?” Akihito looked concerned.
“Yeah, they got my really awesome password. They’re probably all using it for themselves now! It’s 23 characters long and looks like it was written in Klingon. I use that thing everywhere.”
“Everywhere? Are your email address and that password the login for your bank or your social media?”
“Well…yeah…” Cameron replied, “But those are different sites.”
“Doesn’t matter,” Akihito said. “There’s a kind of attack called ‘credential stuffing’. When the crooks get usernames and passwords at one site, they go around to all the other sites and try those username and password combos to see how many of them work. If you’re using the same password everywhere, and they know it goes with your email address, they can get into your accounts on any system that uses the same username and password.”
Now Cameron was worried. “I think my email address is my username in a lot of places, including at work. What should I do?”
“Do you have two-step verification turned on for those sites?” Akihito asked.
“It seems like such a hassle, so I didn’t turn it on,” she admitted.
“Oh. Well, then I wouldn’t waste any time and I’d start changing those passwords, starting with your work password. Use unique passwords for everything, and you really should turn on two-step verification everywhere you can. It doesn’t really bug you for the second step very often and it’s worth it to stop crooks from breaking into your bank account or your work.”
“Ugh, I just hate having to remember all those passwords. I just know I’ll be constantly clicking ‘forgot password’.” She was feeling a little overwhelmed at the task ahead.
“Get a password manager. They can remember your passwords for you, and even suggest new strong passwords,” Akihito suggested. “I use the Microsoft Edge browser for that. It makes my life so much easier, and even syncs to all of my devices,” he said, holding up his smartphone.
“OK, I guess I could do that,” she said.
“You should go do it now, I’ll get lunch,” he said, reaching for his wallet. “Miss…can she have her order to-go?”
“Thanks bud, I’ll get the next one,” she said, heading towards the counter to collect her food.
Summary
Reusing passwords is extremely dangerous. Criminals may have a hard time breaking into your bank’s systems, but it only takes one site with weak security being breached for them to get your username and password. Within hours they can try that username and password combination at hundreds, or thousands, of sites across the web, and chances are they’ll find at least a couple of other sites where it works.
If you don’t have additional protection, like two-step verification (sometimes known as multi-factor authentication) enabled, they could be in your accounts before you even know the first site was breached.
That's what a credential stuffing attack is.
What could Cameron have done better?
The big thing is not reusing her password, no matter how great a password it was.
She could also have turned on two-step verification wherever it was available. That way even if the bad guys did get her password it would be much harder for them to get into her accounts.
What did Cameron do right?
Once she realized the potential danger she immediately went and changed her passwords, enabled password management in Microsoft Edge, and started using two-step verification.
To learn more visit https://support.microsoft.com/security.
If you enjoyed this...
If you like learning about cybersecurity in short stories like this, you might also want to check out A phish story. It's the story of an account executive who has a harrowing encounter with a phishing attack at work.