Koodo locked some users’ accounts in response to ‘credential stuffing’ campaign

Koodo says that no accounts were accessed

Several Koodo customers received concerning emails from the carrier on Tuesday about locking down their accounts after Koodo detected suspicious attempts to log in.

“We have learned that there have been recent attempts to log in to your account using valid credentials (your username and password) that originated from a suspicious source,” the email reads. “Our investigation has revealed that your credentials were not shared by Koodo with any unauthorized user.”

Koodo also explains in the email that it locked users’ accounts to protect them from the login attempts. The emails direct customers to reset their passwords.

Unfortunately, the email didn’t provide much explanation about what actually happened. Some users took to Twitter to ask if Koodo had been hacked. My fiancé also received one of the emails — when she called into Koodo to reset her password, a rep told her it was a “glitch” with the Self Serve system and there was nothing to worry about. However, that’s not the case.

Koodo says it locked down accounts after detecting a ‘credential stuffing’ attack

Koodo confirmed to MobileSyrup that there was an attack, but it was a “credential stuffing” attack. Credential stuffing involves taking usernames and passwords stolen from one website and trying them on other sites to gain access. These attacks work when people reuse the same password across multiple sites, which many people do.

Koodo’s full statement is below:

“We recently detected unusual behaviour on our website that we determined to be a “credential stuffing” campaign, which is when cybercriminals use stolen usernames and passwords from one website to attempt to gain access to other websites. We immediately blocked these attempts and implemented protocols to protect against further aggression. As an additional security precaution, we also locked all accounts targeted by the cybercriminals. We are pleased to say that no accounts were accessed, and we have notified the small number of affected customers to inform them of the incident and recommend that they reset their Koodo passwords as well as passwords on other accounts that share the same username and password. As a reminder, never use the same password twice, as using unique passwords every time will help prevent targeted attacks like this one.”
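As an added illustration (not Koodo’s code, and not based on any detail of its systems) of the detection and response the statement describes: run over constructed login records, it flags a source that tries many different accounts in a short window as credential stuffing, and returns every account that source targeted so they can be locked pending a password reset. The thresholds, IPs and usernames are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real data): (timestamp, source_ip, username, success)
SAMPLE_EVENTS = [
    ("2020-05-11T09:00:01", "203.0.113.7", "alice", True),
    ("2020-05-11T09:00:02", "203.0.113.7", "bob", False),
    ("2020-05-11T09:00:03", "203.0.113.7", "carol", True),
    ("2020-05-11T09:00:04", "203.0.113.7", "dave", False),
    ("2020-05-11T09:00:05", "203.0.113.7", "erin", False),
    ("2020-05-11T09:00:06", "203.0.113.7", "frank", True),
    ("2020-05-11T09:05:00", "198.51.100.20", "alice", True),   # ordinary single login
    ("2020-05-11T09:06:00", "198.51.100.21", "grace", False),  # typo, then success
    ("2020-05-11T09:06:30", "198.51.100.21", "grace", True),
]

def parse(events):
    return [(datetime.fromisoformat(ts), ip, user, ok) for ts, ip, user, ok in events]

def detect_credential_stuffing(events, window=timedelta(minutes=10), min_distinct_users=5):
    """Return {source_ip: {usernames}} for sources that attempted logins against at
    least `min_distinct_users` different accounts inside any `window`-long span.
    Credential stuffing is wide rather than deep: one source, many accounts, and a
    low but non-zero success rate, so successes and failures both count here.
    Caveat: a shared gateway (office NAT, carrier-grade NAT) can also show many
    users from one IP, so the threshold and window are assumptions to tune."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ok in sorted(parse(events)):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # advance the window's left edge so attempts[start:end+1] spans at most `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _t, u in attempts[start:end + 1]}
            if len(users) >= min_distinct_users:
                flagged[ip] = {u for _t, u in attempts}
                break
    return flagged

def accounts_to_lock(events, **kw):
    """Every account a flagged source went after gets locked and asked to reset,
    whether or not that attempt succeeded: the source evidently holds a list of
    credentials naming those users, so the password should be treated as exposed."""
    locked = set()
    for users in detect_credential_stuffing(events, **kw).values():
        locked |= users
    return locked
```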

If you received an email from Koodo, make sure you follow through and change your password. Also, ensure it’s a legitimate email from Koodo — if you’re not certain, or if the email looks suspicious, call into the carrier directly to change the password and don’t click any links in the email. Further, change your password for any other online account that uses the same or a similar password.

Several readers have reached out to MobileSyrup with concerns about the credential stuffing statement, noting that they used unique passwords that weren’t vulnerable to such an attack. One reader said they received scam phishing emails and suggested that could be the source of the problem. A Reddit thread has also popped up with several reports from users with password managers who had Koodo accounts locked over the alleged credential stuffing campaign.

Using a password manager can help protect against credential stuffing

Considering how many online services most people use, managing unique passwords for every single one can be incredibly difficult. Thankfully, there are a few strategies you can employ to make things easier and also let you use longer, more secure passwords.

One option is to use third-party sign-in services, such as ‘Sign in with Google’ or ‘Sign in with Apple.’ These services tie your online authentication to one account, which can reduce the number of passwords you need to remember. There are downsides, however. Tying all your online authentication to one account means you’ll lose access to everything if you can no longer access that account. Plus, not every site supports third-party sign-in options, and some websites can leverage that to share data with third parties, which isn’t great from a privacy standpoint.

The other, much better, option is to use a password manager. In a pinch, using the one built into your browser could work, but in most cases, you’re better off using a third-party option, especially if it has compatibility across platforms. Options like Bitwarden (my password manager of choice), LastPass, Dashlane and 1Password are all great. Most password managers offer a free tier and lock some features behind a paywall, with LastPass and Bitwarden offering the most for free.

Password managers securely encrypt and store your passwords and allow you to generate random, unique passwords for each site. Unique passwords prevent attackers from gaining access to multiple accounts by compromising the password for one account, since each one uses a different password. Plus, randomized passwords can be much harder to guess.

You can learn more about password managers here.

Update 11/05/2020 at 12:57pm: Updated the story with more information sent in by readers questioning Koodo’s statement about credential stuffing.