Nonprofits need to worry about more than just phishing attacks. One of the most common ways organizations are compromised is a sneaky attack called "Password Stuffing" (often also called credential stuffing). In this scenario, attackers buy or download lists of usernames and passwords stolen from various insecure websites. These lists range from the millions of usernames and passwords stolen from Yahoo.com a few years ago to a few hundred stolen from the local car dealership website.
Because staff often use the same username and password for multiple sites, these credentials are very valuable. Attackers take the stolen usernames and passwords and try them against more sensitive systems like email and banking. It is a very effective attack, and a very inexpensive one.
Security researchers are doing great work helping the world understand its risk in this area. A new website allows you to type in a password (no username required) and find out if that password has been involved in a known hack. If your password is in there, you might want to think about changing it!
There's lots more you can do to be safe!
- Use a password manager to help you remember unique passwords for every website
- Implement multi-factor authentication so that a username and password alone aren't enough
- Use especially strong passwords on sensitive accounts
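
For whoever administers your sign-in systems: the stuffing pattern described above tends to show up in login logs as one source trying many different accounts, once or twice each, and mostly failing. The sketch below is an added example, not part of the original post; the log records are constructed, and the record layout and both thresholds are assumptions to tune for your own environment.

```python
from collections import defaultdict

# Constructed sign-in records: (source_ip, username, success). Not real data.
SAMPLE_EVENTS = (
    # One source walking through a stolen list: many accounts, one hit.
    [("203.0.113.7", u, u == "dana") for u in
     ["alex", "blair", "casey", "dana", "eli", "fran", "gale", "hana"]]
    # Office network: many accounts, but nearly all sign-ins succeed.
    + [("198.51.100.20", u, True) for u in
       ["alex", "blair", "casey", "eli", "fran", "gale"]]
    + [("198.51.100.20", "alex", False)]
    # One person mistyping their own password a few times.
    + [("192.0.2.55", "hana", ok) for ok in (False, False, False, True)]
)


def find_stuffing_sources(events, min_users=5, max_success_ratio=0.2):
    """Flag sources that try many distinct accounts and mostly fail.

    min_users and max_success_ratio are assumed starting points, not
    standard values.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "hits": set()})
    for ip, user, success in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        if success:
            stats["hits"].add(user)

    findings = {}
    for ip, stats in per_ip.items():
        success_ratio = len(stats["hits"]) / stats["attempts"]
        if len(stats["users"]) >= min_users and success_ratio <= max_success_ratio:
            findings[ip] = {
                "accounts_tried": len(stats["users"]),
                # A success from a flagged source means a reused password
                # worked: these accounts need a reset and a session review.
                "reset_passwords_for": sorted(stats["hits"]),
            }
    return findings


if __name__ == "__main__":
    for ip, detail in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(ip, detail)
```

The accounts listed under `reset_passwords_for` matter most: a successful sign-in from a flagged source means a reused password was accepted.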