
Here’s Why We Keep Saying “Do NOT Reuse Passwords!”
Paul Shaffer looks like that smiling older neighbor who gives good advice about the best time to prune the shrubs and who to call for plumbing emergencies. He is also the city councilor for Ward 7 in Corvallis, Oregon. He recently won reelection on the admirable goals of increasing affordable housing and improving infrastructure. He was even chosen to be Council President in 2024.
Councilman Shaffer has a flaw, though, and it led to the hacking of his official city email account on January 8, 2025. Scammers sent an email from this account to 3,408 addresses: every email address to which Paul had ever sent correspondence AND every email address from which he had received correspondence. Citizens of Corvallis were not the only potential victims. Emails went out to Texas, Illinois, Ohio, and beyond.
Recipients got an official-looking email directing them to click a link to open files. This led to a step asking them to input their username and password. At this point, you should ask yourself whether you would fall for this scam, because cyber criminals can log that information and sell it to other criminals. Your personal data is then exposed, and you are in for the time-consuming process of remediating the exposure and monitoring all your accounts for suspicious activity.
Fortunately, some recipients realized this was a scam and began alerting the city. Corvallis’s IT department got Shaffer’s email back up and running within a few hours. However, scam emails are still out there, and they have the potential to steal data if recipients are not alerted.
What exactly did Councilman Shaffer do wrong?
HE REUSED THE SAME PASSWORDS ACROSS MULTIPLE ACCOUNTS.
Corvallis’s IT director, Michael Livingston, emailed the recipients to explain the hack and advise them to update their passwords and monitor their accounts. He also said that was the only communication the city would send to those affected. Some constituents are asking for greater accountability and follow-up from the city, especially considering that the Corvallis School District was also the target of a phishing attack in February 2024.
Livingston also told local media that Shaffer was not at fault and that bad actors were responsible. “They’re basically preying on the fact that humans are human,” he said.
“It was a huge intrusion in my life and my privacy,” Shaffer said. The situation has made a mess, and he’s had to spend a lot of time on it since January 8. It has almost certainly eroded some of his constituents’ confidence in him and the city.
The truth is that humans will make mistakes, so please learn from Shaffer’s. Make sure that you use strong, unique passwords for all your accounts and devices. You might think you’re saving yourself some time by recycling passwords, but the reality is that you are making it easier for cyber criminals to steal your data and more. Never repeat passwords!
Commonwealth Sentinel will help you face the growing cyber security threats to your organization. We can evaluate your existing IT security and work with your team to protect your data and assets. At Commonwealth Sentinel, we are focused on cyber security so you can focus on other things.