*** Important Fraud Reminders: ***
- Please periodically check your contact information to make sure it is up to date. To do this, select 'Update Personal Information' located under 'Settings'.
- NEVER give anyone your Secure Access Code. Topside employees will never ask for this. 

Reset Password / First Time User

NCUA logo

Accessibility

Apply for a loan

Main Content

Avoid the damage of stolen data

 

Avoid the damage of stolen data

Credential stuffing is a cyberattack in which stolen user credentials – usually usernames (which could be email addresses) and corresponding passwords – are used with brute force to make automated login requests. The stolen user credentials are typically from data breaches that could have happened recently, but also may have occurred long ago. These types of attacks are particularly effective when the same username and password combination is used across multiple websites or services.

Stolen data processes

To avoid becoming a victim of credential stuffing and other password-related attacks, it is recommended that you use a strong and unique password on your email account, as well as for every account you use online. It also limits the number of passwords you must change if one of your accounts is involved in a data breach. Strong passwords, such as those using a combination of upper- and lower-case letters, numbers, and special characters and that are not easy to guess help to defend against password guessing and brute force attacks like this.


Because we are all pretty tired of having to remember so many passwords, you may need some guidance on remembering them all. You could write down clues for the sites to jog your memory. You could also use a password creation strategy that is consistent. For example, we suggest using the website name to create a password. You start with a base password of at least ten characters and add characters from the website to it. Your base could be “XU527mh19p”, and you might have an account at Google. Your password could be “XU527mh19pGo,” using the first two letters of the site. This will prevent them from being duplicated, for the most part.


Another option to help you is to use a password manager. There are many options, from apps to websites. Just remember that if your master password for one of those sites gets stolen, or if the password manager company is breached, you will need to change ALL of your passwords.
Finally, turning on two-factor authentication (2FA), also known as two-step verification (2SV), or multi-factor authentication (MFA) adds an extra layer of protection that may stop a credential stuffing attack in its tracks. If this is offered for an account, no matter how unimportant you think the website may be, activate this feature.


The Attorney General’s Office of New York State created a Business Guide for Credential Stuffing Attacks. In it, there was reference to a study by Digital Shadows that there are 15 billion stolen credentials making their way around the Internet. It also noted a Ponemon Institute finding that businesses lose an average of $6 million per year to credential stuffing attacks.