Go to your Amazon, Zappos, etc. account now and change the password to something stronger. That’s the takeaway from a cyber security firm’s report that says a whopping 91 percent of all attempts to log into e-commerce websites are from hackers.

Attempts by hackers to log into the sites of airlines, banks, and hotels also account for about half of their traffic.

Specifically, 60 percent of password attempts to airline sites come from hackers, 58 percent to consumer banking, and 44 percent to hotel web sites, according to a report from Shape Security.

What’s worst, these attempts are successful about 3 percent of the time. This costs online retailers $6 billion a year, and banks $1.7 billion. Criminals steal users’ loyalty points from airlines and hotels, costing a total of $700 million each year.

Credential stuffing 101

Hackers aren’t trying user names and passwords at random. Whenever some company’s customer database gets hacked, the logon details are shared throughout the criminal world. These are then tried on other sites. This is called credential stuffing.

“Criminals harvest usernames and passwords from data breaches and test them on every website and mobile app imaginable,” wrote Shape Security.

This is why it’s definitely not a good idea to use the same password on multiple sites. Apple makes it easy to come up with and store strong password that are then protected by Face ID or Touch ID. (The company recently made fun of the difficulties in remembering passwords on your own.)

Speaking of humor, Shape Security pointed out an item commonly stolen from online retailers with hacked passwords is cheese. While that sounds incredible, Amazon lists a wheel of Parmigiano Reggiano, Bonati Riserva at $2,842.93.