The first you know about it is when you find out someone has accessed one of your accounts. You’ve been careful with your details so you can’t work out what has gone wrong, but you have made one mistake – recycling part of your password.
Reusing the same word in a password – even if it is altered to include numbers or symbols – gives criminals a way in to your accounts.
Brandyn Murtagh, an ethical “white hat” hacker, says information obtained through data breaches on sites such as DropBox and Tumblr and through cyber-attacks has been circulating on the internet for some time.
Hackers obtain passwords and test them out on other websites – a practice known as credential stuffing – to see whether they can break into accounts.
But in some cases they do not just try the exact passwords from the hacked data: as well as credential stuffing, the fraudsters also attempt to access accounts with derivations of the hacked password.
Research from Virgin Media O2 suggests four out of every five people use the same or nearly identical passwords on online accounts.
Using a slightly altered passwords – such as Guardian1 instead of Guardian – is almost an open door for hackers to compromise online accounts, Murtagh says.
Working with Virgin Media O2, he has shown volunteers how easy it is to trace their password when they supply their email address, often getting a result within minutes.
A spokesperson for Virgin Media O2 says: “Human behaviour is quite easy to model. [Criminals] know, for example, you might use one password and then add a full stop or an exclamation mark to the end.”
What the scam looks like
The criminals use scripts – automated sets of instructions for the computer – to go through variations of the passwords in an attempt to access other accounts. This can happen on an industrial scale, says Murtagh.
“It’s very rare that you are targeted as an individual – you are [usually] in a group of thousands of people that are getting targeted. These processes scale just like they would in business,” he says.
You might be alerted by messages saying that you have been trying to change your email address or other details connected to an account.
What to do
Change any passwords that are variations on the same word – Murtagh advises starting with the most important four sets of accounts: banks, email, work accounts and mobile.
Use password managers – these are often integrated into web browsers. Apple has iCloud Keychain while Androids have Google Password Manager, both of which can suggest and save complicated passwords.
Put in place two-factor authentication or multi-factor authentication (2FA or MFA), which mean means you have two steps to log into a site.
