
Password1: how scammers exploit variations of your logins


The first thing you know is that someone has accessed one of your accounts. You’re careful with your information so you can’t figure out what went wrong, but you made one mistake – reworking part of your password.

Reusing the same word in a password – even if it is changed to include numbers or symbols – gives criminals access to your accounts.

Brandyn Murtagh, an ethical “white hat” hacker, says that information obtained through data breaches on sites like Dropbox and Tumblr and through cyberattacks has been circulating on the internet for some time.

Hackers obtain passwords and test them on other websites — a practice known as credential stuffing — to see if they can break into accounts.

But in some cases, they don’t just try the exact passwords from the hacked data: fraudsters also try to access accounts with derivatives of the hacked password.

Research by Virgin Media O2 shows that four out of every five people use the same or nearly identical passwords for their online accounts.

Using slightly altered passwords — such as Guardian1 instead of Guardian — is almost an open door for hackers to compromise online accounts, says Murtagh.

Working with Virgin Media O2, he has shown volunteers how easy it is to track down their password if they supply their email address, often getting results within minutes.

A Virgin Media O2 spokesperson says: “It’s quite easy to model human behaviour. [Criminals] know, for example, you could use one password and then add a full stop or an exclamation point to the end.”

What does a scam look like?

Criminals use scripts — automated sets of computer instructions — to go through variations of passwords in an attempt to access other accounts. This can happen on an industrial scale, Murtagh says.

“It’s very rare that you’re targeted as an individual — you’re [usually] in a group of thousands of people who are being targeted. These processes scale just like in business,” he says.

You might be alerted with messages saying you’ve tried to change your email address or other information associated with your account.

What to do

Change all passwords that are variations of the same word—Murtagh recommends starting with the four most important account sets: banks, email, work accounts, and mobile devices.

Use password managers – they are often integrated into web browsers. Apple has iCloud Keychain, while Android has Google’s Password Manager, both of which can suggest and save strong passwords.

Implement two-factor authentication or multi-factor authentication (2FA or MFA), which means you have two steps to log in to a website.
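
To find which of your own passwords are variations of the same word, the check below groups accounts whose passwords reduce to one base word; it is an added example, not code from the article, Murtagh or Virgin Media O2. The substitution table, the 0.85 similarity threshold, the function names and the sample vault are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Look-alike swaps people use to "change" a password (assumed list; "1" could also be "l").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def base_form(password: str) -> str:
    """Reduce a password to the word it is built around."""
    core = password.strip().lower()
    # Drop digits/symbols bolted onto either end: "Guardian1", "!Guardian2024!"
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    # Undo look-alike substitutions inside the word: "gu4rd!an" -> "guardian"
    core = core.translate(LEET)
    # Remove any separators that remain: "guard-ian" -> "guardian"
    return re.sub(r"[^a-z]", "", core)

def is_variation(a: str, b: str, threshold: float = 0.85) -> bool:
    """True when two passwords share a base word or differ only slightly."""
    base_a, base_b = base_form(a), base_form(b)
    if not base_a or not base_b:
        return a == b  # no letters to compare (e.g. all digits): exact match only
    return base_a == base_b or SequenceMatcher(None, base_a, base_b).ratio() >= threshold

def variation_groups(vault: dict[str, str]) -> list[list[str]]:
    """Group account names whose passwords are variations of one another."""
    groups: list[tuple[str, list[str]]] = []  # (representative password, accounts)
    for account, password in vault.items():
        for representative, accounts in groups:
            if is_variation(password, representative):
                accounts.append(account)
                break
        else:
            groups.append((password, [account]))
    return [sorted(accounts) for _, accounts in groups if len(accounts) > 1]

# Constructed sample vault; account names and passwords are made up.
SAMPLE_VAULT = {
    "bank": "Guardian1",
    "email": "Guardian",
    "work": "gu4rd!an2024!",
    "phone": "Guardians.",
    "forum": "x7#Qp2vL9wTz",
}

if __name__ == "__main__":
    for group in variation_groups(SAMPLE_VAULT):
        print("Change these, they share one base word:", ", ".join(group))
```

Run it only on a machine you trust and against an export you delete afterwards, since the input is your passwords in plain text.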
