Article Read Time
Here’s Why We Keep Saying “Do NOT reuse Passwords!”
Paul Shaffer resembles the smiling older neighbor who offers sound advice on the best time to prune shrubs and who to call for plumbing emergencies. He is also the city councilor for Ward 7 in Corvallis, Oregon. He recently won reelection on the admirable goals of increasing affordable housing and improving infrastructure. He was even chosen to be Council President in 2024.
Councilman Shaffer has a flaw, however, which led to the hacking of his official city email account on January 8, 2025. Scammers sent an email from this account to 3,408 addresses: every email address to which Paul had ever sent correspondence, AND every email address from which he had received correspondence. Citizens of Corvallis were not the only potential victims. Emails went out to Texas, Illinois, Ohio, and beyond.
Recipients received an official-looking email directing them to click a link to access the files. This led to a step asking them to input their username and password. At this point, you should ask yourself if you would fall for this scam because cyber criminals can log that information and sell it to other criminals. Your personal data has been exposed, and you are in for a time-consuming process of remediating the exposure and monitoring all your accounts for suspicious activity.
Fortunately, some recipients realized this was a scam and began alerting the city. Corvallis’s IT department got Shaffer’s email back up and running within a few hours. However, scam emails are still out there, and they have the potential to steal data if recipients are not alerted.
What exactly did Councilman Shaffer do wrong?
HE REUSED THE SAME PASSWORDS ACROSS MULTIPLE ACCOUNTS.
Corvallis’s IT director, Michael Livingston, emailed the recipients to explain the hack and advise them to update their passwords and monitor their accounts. He also said that was the only communication the city would send to those affected. Some constituents are requesting greater accountability and follow-up from the city, particularly given that the Corvallis School District was also targeted by a phishing attack in February 2024.
Livingston also told local media that Shaffer was not at fault and that bad actors were responsible. “They’re basically preying on the fact that humans are human,” he said.
“It was a huge intrusion in my life and my privacy,” Shaffer said. The situation has created a mess, and he has had to spend a lot of time on it since January 8. It has almost certainly eroded some of his constituents’ confidence in him and the city.
The truth is that humans will make mistakes, so please learn from Shaffer’s. Make sure that you use strong, unique passwords for all your accounts and devices. You might think you’re saving yourself some time by recycling passwords, but the reality is that you are making it easier for cyber criminals to steal your data and more. Never repeat passwords!
Commonwealth Sentinel will help you face the growing cyber security threats to your organization. We can assess your existing IT security and collaborate with your team to safeguard your data and assets. At Commonwealth Sentinel, we are focused on cyber security so you can focus on other things. Contact us today or sign up for a free consultation.
At Commonwealth Sentinel, we are focused on cyber security so that you can focus on other things.