‘Credential stuffing’ scam gives crooks vital online info, Mississauga and Brampton residents warned

Police in Peel and federal government officials are warning Mississauga and Brampton residents about yet another scam that seeks to steal banking and other information online.

The fraud is known as “credential stuffing” and it can target anyone at anytime, authorities say.

“Cyber criminals may use the same stolen account information on multiple websites to hack into other accounts. This is called credential stuffing, and you can prevent it by using strong, unique passwords,” officials with Public Safety Canada said in a post to social media that was shared today by Peel Regional Police.

The post to X (formerly Twitter) also contained a link to Public Safety Canada, where more detailed information on the scam, and other frauds, can be found.

“Credential stuffing is a common scam used by cyber criminals to easily gain access to multiple accounts belonging to a single user,” PSC officials say in an online description of the scam. “It’s important to protect your accounts and know the steps to take if you become a victim of a credential stuffing attack.

“It is important to use unique passwords and passphrases for each of your accounts to protect your accounts from cyber attacks like credential stuffing.”

Officials add that by stealing a person’s credentials used on multiple websites, scammers can then:

• access other accounts using the same credentials
• change passwords on all accounts — even those they do not have immediate access to
• use the “forget password” feature on email accounts to gain access
• steal personal information like the answers to your security questions to gain access to more restricted accounts
• make purchases using saved financial information

“While reusing the same passwords on different accounts might seem tempting, it can leave you vulnerable to this kind of attack,” Public Safety Canada officials warn. “But there are simple preventative measures you can take to keep your accounts safe while still easily remembering your unique credentials.”

They say to consider the following preventative cyber security measures to protect your accounts from credential stuffing attacks:

• use strong and unique passwords for each account
• use passphrases instead of passwords
• use a password manager to organize and remember passwords for each account
• enable multi-factor authentication where possible
• don’t save financial or sensitive information to accounts
• don’t use the “remember me” or auto-fill features for websites to save your information
• don’t share personal information on social media that could compromise your account security questions (like the name of the street you grew up on)

The warning from police and PSC comes as Canadian Fraud Prevention Month just concluded. It’s an annual campaign that seeks to help people recognize, reject and report fraud.

Police encourage people to visit the Canadian Anti-Fraud Centre or Peel Regional Police websites for more information and tips on how to avoid being victimized.