So how is this possible?
Web sites do not (or should not) keep your password itself. When you log in, the password travels to the site over an encrypted connection, and what the site stores is a 'hash' of it: the password run through a one-way function that turns it into a fixed-length value. The hash cannot be turned back into the password, which is why this isn't, strictly speaking, encryption. But it can be guessed: take a candidate password, hash it, and see whether the result matches.
Since the username on most internet sites is your e-mail address, the attacker knows that your user account for, say, eBay is the same as the one you set up for freindlytimbersupplies.co.uk, a local firm just down the road. However, the security on the local site is not good, and the attacker gets hold of its list of e-mail addresses and password hashes.
This is often called a 'pass the hash' attack, but for web sites that name is misleading: eBay's login form takes your password, not the stored hash, so the hash on its own will not log anyone in. What the hash gives the attacker is the chance to guess your password offline, on his own hardware, as fast as it will go, with no lockout or rate limit in the way. If the local site hashed passwords with a fast function such as MD5 or SHA-1 and no salt, every common password in the list falls in seconds. He then fires the recovered e-mail and password pairs at eBay (or Amazon) to see which ones let him in. If one does, he's got your account. Most sites do not tell you that someone has just logged in as you (some do). So the attacker can harvest 'good' eBay accounts, which he can then use in the attack.
The other way to turn the hash into a password is to look it up in what are called 'rainbow tables': precomputed tables of candidate passwords together with their hashes, so a stolen hash can be matched back to its password with no computing at all. Bingo, the attacker has your user name and password and will try that on all the 'eCommerce' sites to find the ones it works on. A site that mixes a random per-user 'salt' into the hash defeats these tables, because a table built for one salt is useless against any other; the poorly secured local site in this story did not bother.
So.
- Do not use the same password for all the internet sites you log on to
- At a minimum, let the 'remember password' facility in your web browser store passwords for you, so that each site can have a different one. Better, find a password manager: search 'password manager free', install it and use it. These provide extra tools such as telling you where you have used the same password, generating complex passwords, flagging which of your passwords are weak, which websites have been compromised, and so on
- If you have to set a password by hand, don't use one based on a word, even with letter substitutions: password, password01, p@ssw0rd, p@$$word1 are the sorts of things the attacker will try first, right after checking that the username and the password are not the same. Either use a random combination of upper and lower case letters, numbers and symbols or, if it is one you have to remember, use a phrase of several unrelated words. Length is what makes a password expensive to guess, so juke joints jive with me is less easily cracked than $jI9sklu, provided the phrase is not a well-known quotation or lyric
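As an added worked example, not code from the original page, the whole sequence above in Python: a constructed breach dump of unsalted SHA-1 hashes from the local site, a small wordlist lookup standing in for the rainbow table, the replay of the recovered e-mail and password pairs against a second, constructed site, and the salted, slow hashing that would have stopped the lookup. Every e-mail address, password, wordlist entry and the PBKDF2 iteration count is an assumption made up for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


def sha1_hex(password: str) -> str:
    """Unsalted, fast hash of the kind the badly secured site is assumed to use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed sample of what the attacker pulls from the local site: e-mail -> hash.
# Illustrative data only; these are not real accounts.
LEAKED_DUMP: Dict[str, str] = {
    "alice@example.com": sha1_hex("p@ssw0rd"),
    "bob@example.com": sha1_hex("password01"),
    "carol@example.com": sha1_hex("juke joints jive with me"),
}

# The attacker's first guesses: the base words and substitutions from the text plus
# a couple of perennial favourites (assumed). Real lists run to billions of entries.
WORDLIST: List[str] = [
    "password", "password01", "p@ssw0rd", "p@$$word1", "letmein", "123456",
]

# Constructed stand-in for a big site's login check: e-mail -> the password it holds.
# Alice reused her password from the local site; Bob did not.
OTHER_SITE_PASSWORDS: Dict[str, str] = {
    "alice@example.com": "p@ssw0rd",
    "bob@example.com": "hX7!kq2Lm9",
}


def build_lookup_table(words: List[str]) -> Dict[str, str]:
    """Precompute hash -> password for every word. A rainbow table stores the same
    mapping more compactly (as chains); the result for the attacker is the same."""
    return {sha1_hex(w): w for w in words}


def crack_dump(dump: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Recover the plain password for every user whose hash appears in the table.
    No network and no rate limit: a pure lookup on the attacker's own machine."""
    return {email: table[h] for email, h in dump.items() if h in table}


def credential_stuffing(cracked: Dict[str, str], site: Dict[str, str]) -> List[str]:
    """Replay each recovered e-mail/password pair against another site and return
    the accounts it opens. This is the 'fire them at eBay' step."""
    return sorted(email for email, pw in cracked.items() if site.get(email) == pw)


# What the local site should have done instead: per-user salt and a slow function.

def hash_password_salted(password: str, salt: Optional[bytes] = None,
                         iterations: int = 100_000) -> Tuple[bytes, bytes]:
    """Random 16-byte salt per user plus PBKDF2-HMAC-SHA256 from the standard
    library. One precomputed table no longer matches every user, and each guess
    costs the attacker 100,000 hash rounds (iteration count is an assumption)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time check of a login attempt against the stored salt and digest."""
    _, digest = hash_password_salted(password, salt)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    cracked = crack_dump(LEAKED_DUMP, table)
    print("cracked from the dump:", cracked)
    print("accounts opened elsewhere:", credential_stuffing(cracked, OTHER_SITE_PASSWORDS))

    # Two users with the same password get different salted digests, so the attacker
    # cannot even see that they share one, let alone reuse a table across them.
    salt_a, digest_a = hash_password_salted("p@ssw0rd")
    salt_b, digest_b = hash_password_salted("p@ssw0rd")
    print("same password, same digest?", digest_a == digest_b)
    print("login with right password:", verify_password("p@ssw0rd", salt_a, digest_a))
    print("login with wrong password:", verify_password("password", salt_a, digest_a))
```

Run it as a script: the two substitution passwords are recovered from the dump and Alice's reused one opens her account on the second site, while the passphrase survives because it is not in the wordlist. Real cracking tools test unsalted SHA-1 at billions of guesses per second, so the short wordlist here is the only thing holding the attacker back; the salted PBKDF2 variant is what actually changes the economics.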