Dangerous chain reaction
Attention! This is what can happen if you always use the same password
Martin Abgottspon
22.4.2026
Strong passwords are more important than ever in the age of AI.
If you use the same password for different services, cyber criminals can trigger a whole chain reaction with a single hit. This is how you prevent worse damage.
22.04.2026, 20:36
22.04.2026, 21:47
Millions of stolen login credentials from previous data leaks are circulating on the internet, often freely accessible in forums or on the darknet. Cyber criminals use this data specifically for so-called "credential stuffing attacks". But what does the term actually mean?
As the Federal Office for Cybersecurity (BACS) writes, large quantities of known username/password combinations are automatically tried out on various platforms. The effort involved is minimal, as this work is carried out by software or a bot. Anyone who uses the same password for several services risks a chain reaction in which several accounts are taken over in this way.
Why the email account is particularly critical
The consequences are particularly far-reaching if the attackers have access to the email account. As most platforms allow password resets via a link to the stored email, all other accounts can also be taken over in this way. With a single hijacked email account, cybercriminals can gradually take over all of a person's linked accounts, from social networks to online stores.
Recommendations
Use unique passwords: Use a unique, strong password for each online service. If the worst happens, a password that you use for only one service can be compromised only once.
Use a password manager: These tools create and save complex, unique passwords for you. This means you only have to remember a single master password.
Activate two-factor authentication (2FA): Switch it on wherever possible. Even if your password falls into someone else's hands, the second security factor prevents unauthorized access.
React quickly: Change your passwords immediately if you find out that a service you use has been the victim of a data leak.
Protect your email account particularly well: Your email account is the key to almost all other accounts. So make sure you secure it with a unique, strong password and two-factor authentication.
Cyber criminals are particularly cunning in their approach so that the person affected doesn't notice for as long as possible. In some cases, they set up a silent forwarding rule in the hijacked email account. This means that incoming messages are automatically forwarded to an address belonging to the criminals without the victim noticing. In other cases, the mailbox is deliberately flooded with spam emails. As a result, important notifications from other services, such as confirmation emails about password changes or account takeovers, get lost in the mass of messages and remain hidden from the victim. By the time the affected person realizes what has happened, the cybercriminals have already taken over several accounts.
After data leaks, stolen access data is often published or sold in large quantities. Services such as "Have I Been Pwned" make it possible to check your own email address and find out whether it has appeared in a known data leak. Those affected are often unaware that their data has been in circulation for years and that their password has long been in the hands of cyber criminals.