A growing number of companies are disclosing data breaches that involve large amounts of stolen user credential data, such as emails and passwords. The companies involved are quick to reassure customers that the stolen data does not include account or financial details and that passwords are obscured. However, consumers who use weak passwords and reuse the same ones across multiple websites are more vulnerable to attack and could end up the victim of identity theft. With two out of every three data breaches involving some use of stolen or misused user credentials, the risks really shouldn't be ignored.
How safe is your data?
Whilst it's true that most passwords on websites are typically obscured, this does not mean they are impenetrable. Most passwords are obscured using a method called hashing or salting: hashing converts a password into a fixed number of random-looking characters, while salting adds a secret value to the end of the password before it is hashed. Whilst both methods make it difficult for hackers to decipher the password, given enough time it may be possible, especially if the password uses a simple format and structure.
Usernames, emails, and passwords also provide hackers with the data they need to carry out credential stuffing attacks, where the stolen data is loaded into software that automatically attempts email/password combinations against different websites. Where people use the same usernames and passwords across multiple sites, it becomes easy for the software to find a working combination. Hackers can then steal additional personal information, including financial details, or change a user's login and take control of their account.
Several UK businesses have recently become victims of credential stuffing attacks, including Camelot, where data from previous breaches was used to access UK National Lottery accounts, and online takeaway firm Deliveroo, where the attack resulted in customers being charged for food they didn't order.
How your data can be used to commit identity theft
Once an account has been hacked, stolen personal data is often sold on the Dark Web. Both personally identifiable information, the most stolen data type, and financial data can be purchased by criminals and used to commit identity theft, the fastest growing crime in the UK. According to Fraudscape's 2016 report, identity theft accounts for 53% of all frauds in the UK and 86% are committed online. This type of fraud uses real consumer data rather than fictitious names and addresses and is therefore very difficult to detect. Criminals also hack and sell on deceased individuals' data, which is particularly valuable because identity theft committed using a deceased person's information usually goes undetected for longer. Organizations can help combat deceased identity theft by using a detection service such as The Ark's National Deceased Register Monitor, which blocks fraudulent applications and helps prevent these crimes.
What can consumers do to help protect their personal data?
- Always use strong/complex passwords with symbols, numbers, and capitals
- Never share passwords across multiple websites
- Change passwords regularly; anyone using a password that is several years old should change it as soon as possible
- Use a password manager
Remembering a strong password is difficult, and doing this for every website is just about impossible, so we advise using one of the many password management tools available. The tool should be installed and all passwords changed so that every single one is different, long, and hard to crack. These tools provide a simple and safe way to keep track of multiple passwords and help consumers avoid becoming an easy target for hackers.
Whilst it's true that stolen credentials are lower risk than financial information, they can result in serious consequences, especially for consumers who reuse their passwords.
For more information on the prevention of identity theft, visit the CIFAS website: https://www.cifas.org.uk/identity_fraud
View the CIFAS Fraudscape report here: https://www.cifas.org.uk/secure/contentPORT/uploads/documents/160706_cifas_fraudscape_ONLINE.pdf