Are Hackers Spraying Your Credentials?

“I track if sites I use have been hacked and I immediately change my password, so I should be safe,” says Jenny, the ever-vigilant app user.

Does it matter if hackers have your email address and a password?

Yes. Even if you change that password.

We know it feels useless to fight against hackers over our email address and a login or two, but if a hacker sees what type of password you create, then it makes it easier to eventually “get you”. Most people use the same format for coming up with passwords, and hackers know better than anyone what that looks like. They also know they can get into OTHER websites with your credentials. And remember, the hackers aren’t sitting around manually typing in all your data; programming makes trying your email address with common passwords and formats very easy. The more data that can be gathered on YOU, the easier it is to snatch your identity for profit. If a hacker can get into a work email account, then watch out – your business or your employer can become the target of very specific scams that might cost a great deal of time, money and clients!

So, what’s this spraying stuff about?

Joe, CISO here at Integrity IT, tells us this:

A password spray is when an attacker uses the same common passwords with many usernames.  This type of attack against an organization is typically used after a bad actor has successfully acquired a list of valid users from the tenant. The bad actor knows about common passwords that people use, so the attack attempts fewer logins on more users to not lock out the account or be picked up by surveillance. It’s a way to detect users who have weak passwords for a more in-depth target. This is a widely used attack, as it is a cheap attack to run, and harder to detect than brute force approaches, which use many passwords on a single username.
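To show what that difference looks like from the defender's side, here is an added example (not part of the original post or Joe's remarks) that labels each source IP in a set of sign-in events as a spray, a brute force, or normal traffic, and lists accounts that logged in successfully from a spraying source. The event layout, the sample data and every threshold are constructed assumptions, not a real Office 365 log format.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def sample_events():
    """Constructed sign-in events: (timestamp, source IP, username, success)."""
    t0 = datetime(2024, 3, 1, 9, 0)
    users = ["alice", "bob", "carol", "dave", "erin", "frank", "grace"]
    # One guess per account, minutes apart; only frank's guess succeeds.
    ev = [(t0 + timedelta(minutes=i), "203.0.113.7", u, u == "frank")
          for i, u in enumerate(users)]
    # Twelve rapid failures against a single account.
    ev += [(t0 + timedelta(seconds=5 * i), "198.51.100.9", "alice", False)
           for i in range(12)]
    # A real user mistyping twice, then getting in.
    ev += [(t0 + timedelta(minutes=m), "192.0.2.10", "bob", ok)
           for m, ok in [(0, False), (1, False), (2, True)]]
    return ev

def classify_sources(events, window=timedelta(minutes=30),
                     min_users=5, max_per_user=2, brute_min=10):
    """Label each source IP by the shape of its failed logins inside `window`.
    All thresholds are illustrative assumptions and need tuning per tenant."""
    fails = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            fails[ip].append((ts, user))
    verdicts = {}
    for ip, failed in fails.items():
        failed.sort()
        verdicts[ip] = "normal"
        for i, (start, _) in enumerate(failed):
            # Failures per username in the window that opens at this event.
            per_user = Counter(u for ts, u in failed[i:] if ts - start <= window)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                verdicts[ip] = "spray"        # few tries each, many accounts
                break
            if max(per_user.values()) >= brute_min:
                verdicts[ip] = "brute_force"  # many tries, one account
                break
    return verdicts

def accounts_to_reset(events, verdicts):
    """Users who logged in successfully from a source labelled as spraying."""
    return sorted({u for _, ip, u, ok in events
                   if ok and verdicts.get(ip) == "spray"})
```

No account in the spray sample ever reaches a per-user lockout count, which is why the check counts distinct usernames per source rather than failures per user. Sprays spread across many source IPs need the same count keyed on something other than IP.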

Why is this important?

Email is targeted heavily by hackers.  We can all agree that our contact information lives in many email accounts and I bet most of us have received some crazy spam email from someone we know.  That’s where it all begins…

Let’s say your contact information is in my Office 365 Outlook account. Yesterday, my account was breached and used to send out hundreds of spam emails to all my contacts. My Office 365 security stopped it and I changed my password immediately, but my contact list was compromised and it could easily be in the hands of the attacker to be used in his next Password Spray Attack!

Even without evidence of further compromise, this illustrates how diligent we all need to be with our passwords and accounts.

How to Protect Against Email Hacking

  1. Use LONG passwords.   Longer passwords are stronger, so aim for 12 characters instead of 6-8.  Also, use a password management app – learn more here.
  2. NEVER use your work password for ANY OTHER website or application.  Websites are hacked every day and if they get a network login, your business is toast, or you are out of a job!
  3. Turn on 2 Factor Authentication for Office 365.  Find out how by googling it or go to the Microsoft instructions here.
  4. Sign up to receive weekly Cyber Security Tips – knowledge is power!


A great way to find holes in your network configurations is to complete a Security Risk Assessment.  You might think everything is set up perfectly, but most of the time, we find it is not.  Schedule a FREE Security Consultation today.
