the initial clue is when you discover that someone has accessed one of your accounts. You’re focused on your details and cannot pinpoint the issue, but you made one mistake: reusing some passwords.

Even if a password is altered to include numbers and symbols, reusing the same base word can still provide an opening for criminals to gain access to your account.

Ethical “white hat” hacker Brandin Murtagh explains that information leaked through data breaches from sites like Dropbox and Tumblr, as well as cyberattacks, has been circulating on the internet for quite a while.

Hackers often obtain passwords and check if they work on other sites, a practice known as credential stuffing.

In some instances, hackers not only attempt the exact passwords from the compromised data but also try variants of those passwords to access accounts.

A Virgin Media O2 study found that four out of five people use the same or nearly identical passwords across their online accounts.

Using slightly modified passwords, such as Guardian1 instead of Guardian, creates an inviting opportunity for hackers to breach online accounts, warns Murtagh.

Collaborating with Virgin Media O2, he demonstrates to volunteers how effortlessly passwords can be traced with just an email address, often yielding results in mere minutes.

A spokesperson from Virgin Media O2 stated: “Human behavior is quite predictable. Criminals can utilize one password and then simply add a period or exclamation point at the end.”

What does fraud look like?

Criminals utilize a series of automated processes—scripts on computers that execute password variations to attempt access to additional accounts. This can occur on an industrial scale, according to Murtagh.

“It’s uncommon to be targeted as an individual; you’re typically caught in groups of thousands being targeted. These operations scale like a business,” he explains.

You may receive a warning message indicating a change to your email address or other account details.

What to do

Change the password to something distinct from the previous variants. Murtagh suggests focusing on the four most important accounts: banking, email, work-related, and mobile.

Utilize a password manager, often integrated into web browsers. For instance, Apple provides an iCloud Keychain, while Android offers Google Password Manager, both of which can generate and store complex passwords securely.

Implement two-factor authentication or multifactor authentication (2FA or MFA), which adds an additional layer of security by requiring two steps to log into the site.