With so much of life lived online, it can be hard to remember passwords for every app and platform you’re on, but re-using them is putting people at an ever-increasing risk of being hacked.
The recent data breach of food and restaurant search engine Zomato saw hackers steal 17 million users’ data.
The company had to strike a deal with the hacker, who agreed to destroy all data and not sell it to someone over the dark web.
Cyber security researcher Troy Hunt said while the risk was mitigated by the company, it should be a wake-up call to users.
“If I’ve used that same password on Zomato and many other places, I would be quite concerned, because now someone literally has the key to get into my other services,” he told 7.30.
He said the real risk is “credential stuffing”: where hackers take credentials like emails and passwords from one system, and test them on a bunch of others.
“Last year we saw the LinkedIn data breach, about 158 million records were in there, they were selling that for thousands of dollars,” Mr Hunt said.
“And people would buy that because then they can get the usernames and passwords and use them to break into other systems where people have re-used their credentials.
“So that might let them get into your eBay account for example, and buy things under your identity, which they can then go and sell at other places.”
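The credential-stuffing pattern Mr Hunt describes has a recognisable shape in a service's own login logs: one source trying many different accounts, one or two attempts each, with most attempts failing and the occasional success where a user reused a leaked password. The following is an added, illustrative detector written for this article, not code from 7.30, Troy Hunt or any product; the log lines are constructed sample data, and the log format, thresholds (five distinct accounts, 70% failure rate) and function names are assumptions.

```python
"""Flag credential-stuffing bursts in an authentication log (illustrative)."""
from dataclasses import dataclass, field

# Constructed sample log (not real traffic). One event per line:
# "<timestamp> <source_ip> <username> <result>"
SAMPLE_LOG = """\
2017-05-20T10:00:01 203.0.113.7 alice@example.com FAIL
2017-05-20T10:00:02 203.0.113.7 bob@example.com FAIL
2017-05-20T10:00:02 203.0.113.7 carol@example.com SUCCESS
2017-05-20T10:00:03 203.0.113.7 dave@example.com FAIL
2017-05-20T10:00:03 203.0.113.7 erin@example.com FAIL
2017-05-20T10:00:04 203.0.113.7 frank@example.com FAIL
2017-05-20T10:01:10 198.51.100.4 alice@example.com FAIL
2017-05-20T10:01:20 198.51.100.4 alice@example.com SUCCESS
2017-05-20T10:02:00 192.0.2.9 bob@example.com SUCCESS
"""


@dataclass
class SourceStats:
    """Aggregate login behaviour for one source address."""
    source: str
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successes: list = field(default_factory=list)  # accounts that logged in

    @property
    def distinct_users(self) -> int:
        return len(self.users)

    @property
    def failure_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_log(text: str) -> list:
    """Parse the assumed whitespace-separated format into (ts, src, user, result)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, user, result = line.split()
        events.append((ts, src, user, result))
    return events


def summarise_by_source(events: list) -> dict:
    """Group events by source address and count attempts, failures, users."""
    stats = {}
    for _ts, src, user, result in events:
        s = stats.setdefault(src, SourceStats(src))
        s.attempts += 1
        s.users.add(user)
        if result == "SUCCESS":
            s.successes.append(user)
        else:
            s.failures += 1
    return stats


def detect_credential_stuffing(events: list, min_users: int = 5,
                               min_failure_ratio: float = 0.7) -> list:
    """Return stats for sources that tried many distinct accounts and mostly
    failed: a stolen credential list being replayed. A brute force (one account,
    many passwords) or a user mistyping their own password does not match,
    because the distinct-user count stays at one. Thresholds are assumptions."""
    return [
        s for s in summarise_by_source(events).values()
        if s.distinct_users >= min_users and s.failure_ratio >= min_failure_ratio
    ]


if __name__ == "__main__":
    for s in detect_credential_stuffing(parse_log(SAMPLE_LOG)):
        print(f"{s.source}: {s.distinct_users} accounts tried, "
              f"{s.failure_ratio:.0%} failed; logged in as {s.successes}")
```

Run against the sample, only 203.0.113.7 is flagged; the two attempts from 198.51.100.4 look like a user correcting a typo and are left alone. The successful login inside the flagged burst (carol@example.com) is exactly the case the article warns about: a password reused from another service that was in the stolen list, so that account is the one to force a reset and notify.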
As they’ve become cheaper to make, the number of apps and websites has exploded.
But according to Chris Culnane from Melbourne University, security is often neglected.
“We’re in an innovation-driven industry and you’ve got to be constantly innovating and constantly doing something new and security takes a long time and costs a lot of money,” Professor Culnane said.
“Often the priority is getting a new app out there with a new feature and security comes as an after-thought.”
What should you do if you’ve been hacked?
Mr Hunt, who runs a website that allows people to check whether accounts linked to their email addresses have been hacked, said there were a number of things people could do if their security information had been compromised.
“It really depends on what’s happened,” he said.
“My wife had her credit card exposed somewhere a couple of days ago, so obviously you cancel your credit card, change your direct debits.
“If it’s been your password from a system, change your password, and take that opportunity to create different passwords everywhere, unique passwords everywhere.
“If it’s been things like your personal address, and your gender and your birthdate or things that might be used for identity theft, have a look at identity protection services.”
Professor Culnane agreed that passwords were key.
“The first priority is to change the passwords, to make sure that somebody can’t use that information against that particular account,” he said.
“Going forward, they should make sure that they’re not using the same password on multiple accounts and they should try to use things like two-factor authentication or any additional security measures that service providers give them.”
What else can I do to stay safe online?
One measure available to consumers is password managers, which keep track of the many unique codes people would otherwise have to remember.
Mr Hunt admitted some had been subject to vulnerabilities in recent years but said they were still worth considering.
“Probably the worst we’ve seen in recent years is very strongly protected passwords being exposed for a small number of people for a small amount of time,” he said.
“And if you practised good password hygiene with that service — so you signed up to the password manager and you had a good, strong, unique master password — the chances of anything going wrong are actually very small.
“It’s a risk trade-off, but as it stands you are much better off using a password manager and using it properly than trying to do it all in your head.”
Professor Culnane believes people need to simply be less complacent about giving up their details online.
“It’s become almost normal just to hand out your contact detail to any website or app and we’re not really being made aware of exactly how that data’s being used or how it’s being stored,” he said.
“[Consumers should] ask, does the app or company really need to know this information? If not, ask why they’re collecting it.
“If you’re not paying for the product, you probably are the product.
“Your data is becoming their revenue stream, so ask, ‘should they be collecting it? Are you getting something in return for it?’”