How to Limit Your Vulnerability to Credential Stuffing Attacks
It seems that a new data breach is announced almost daily. The stories are generally very similar—unidentified hackers have compromised another website, stealing the personal information of the individuals who have registered or done business with the site. The stolen information almost always includes user log-in credentials that typically consist of email address and password combinations, and sometimes financial, intimate and other private information, too.
The stolen information can be used for blackmail, financial or identity theft, or account takeover, among other malicious purposes. The stolen data is most often “weaponized” in an exploit called a “credential stuffing attack,” sometimes also called a “credential re-use attack” or a “password spraying attack.”
Whatever the name, the execution and purpose are the same: the hacker runs an automated process that replays log-in credentials stolen from one compromised site against the victims’ accounts at other sites, particularly banking, shopping or streaming sites, but many others as well. The attacks are often carried out from an army of compromised computers called a bot network (“bot” being short for “robot”). Bundles of stolen credentials are also often posted for sale on the Dark Web, so that more bad actors can try their hand at fraud.
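The same pattern described above, an automated process replaying a breached credential list against many different accounts from one source, is also what a defender can look for in authentication logs. The following Python is an added example, not ManyMe’s code; the sample log events, the IP addresses, the thresholds and the function name are constructed assumptions. The successes inside such a burst are precisely the accounts whose owners reused the stolen credentials.

```python
"""Flag credential-stuffing-style login bursts in authentication logs.

Heuristic: a single source that tries many *distinct* usernames within a
short window, with a low success rate, looks like a bot replaying a breached
credential list rather than a person mistyping their own password.
"""
from collections import defaultdict, deque

# Constructed sample events: (unix_time, source_ip, username, success).
# 198.51.100.7 tries 40 different accounts in 80 seconds (2 succeed);
# 203.0.113.9 is one user retrying their own account a few times.
SAMPLE_EVENTS = (
    [(1000 + i * 2, "198.51.100.7", f"user{i}@example.com", i % 25 == 0) for i in range(40)]
    + [(1000 + i * 30, "203.0.113.9", "alice@example.com", i == 3) for i in range(4)]
)


def detect_stuffing(events, window=300, min_attempts=20, min_distinct=15,
                    max_success_rate=0.2):
    """Return {source_ip: stats} for every source whose activity, in some
    sliding window of `window` seconds, first matches the stuffing pattern."""
    by_source = defaultdict(list)
    for ts, src, user, ok in events:
        by_source[src].append((ts, user, ok))

    flagged = {}
    for src, evs in by_source.items():
        evs.sort()  # oldest first so the sliding window is well defined
        win = deque()
        for ts, user, ok in evs:
            win.append((ts, user, ok))
            while win and win[0][0] < ts - window:  # drop events outside window
                win.popleft()
            attempts = len(win)
            distinct = len({u for _, u, _ in win})
            rate = sum(1 for _, _, s in win if s) / attempts
            if attempts >= min_attempts and distinct >= min_distinct and rate <= max_success_rate:
                flagged[src] = {"attempts": attempts, "distinct_users": distinct,
                                "success_rate": round(rate, 3), "detected_at": ts}
                break  # first alert per source is enough
    return flagged


if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_EVENTS))
```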
Of course, credential stuffing attacks only work if a victim has used the same email address and password combination at multiple sites. Consequently, there are two simple ways to reduce your vulnerability to these attacks, even when your credentials have been stolen.
First, never use the same password twice. Unfortunately, studies find that as many as 50% to 80% of Internet users routinely reuse the same password, or a small handful of favorite passwords. As a result, a great many people are at risk of these attacks.
Second, always use a different email address for every web site registration or other purpose, whether online or offline. This is where ManyMe comes in.
By making it super-simple to use substitute email addresses, called aliases (and known as ManyMe FlyBy addresses), ManyMe makes it easy to disclose a different email address at every site and for every purpose. When FlyBys are used routinely, each alias can unlock only one account, the one from which it was stolen, even if the same password has been reused (but please don’t)! What’s more, it is simple to disable the alias for the compromised site and create a new one, which protects your account at that site from other malicious actors who might purchase your stolen credentials in the future.
Of course, the greatest protection would combine both approaches—never reuse a password or an alias!
One characteristic of ManyMe is that the more routinely you use it, the greater its advantages. You can see this with respect to credential stuffing attacks, but it is also the case for detecting phishing attacks and fraudulent messages in general. It also applies to the privacy of your personal email address and control over your email inbox. The more you use aliases, the greater your protection.
Start now to protect yourself by creating your “ManyMe’s”—as many as you need!