
Using strong and secure passwords is sound advice not just for your own personal accounts but for any accounts or services you use on the job. In fact, a weak password can create far more trouble for an organization that holds user data and other sensitive information. To show just how much trouble it can create, password manager Dashlane has unveiled a list of the worst password-related security incidents for 2021.


For its 2021’s Worst Password Offenders list, Dashlane picked the year’s 10 worst security incidents that involved weak, stolen or leaked passwords. These fiascos show that advice about creating strong, unique passwords is still being ignored by too many individuals and too many organizations.

  1. SolarWinds. Disclosed in December 2020 and the subject of congressional hearings in February 2021, the SolarWinds compromise let foreign hackers read internal emails at U.S. government agencies and at organizations around the world by way of a tampered update to the company’s Orion network monitoring software. Though there was enough blame to go around, executives at the company pointed the finger at an intern for setting the weak password “solarwinds123” on a file server, a credential that later leaked online. As U.S. Rep. Katie Porter (D-California) said during a hearing: “I’ve got a stronger password than ‘solarwinds123’ to stop my kids from watching too much YouTube on their iPad.”
  2. COMB. An acronym for “Compilation of Many Breaches,” this pointed to an online hacking forum that published more than 3 billion different passwords compiled from past breaches at Netflix, LinkedIn, Bitcoin and many other companies. In total, the leak revealed the data of almost 70% of all internet users throughout the world and served as a reminder to not reuse your passwords.
  3. Verkada. In this incident, a group of hackers used an admin password leaked online to access more than 5,000 Verkada cameras, giving them a view of Tesla factories and warehouses, Equinox gyms, hospitals, jails and even schools.
  4. RockYou2021. Dubbed by Dashlane the “Queen of all password leaks,” the infamous RockYou2021 debacle centered on a 100GB text file with 8.4 billion passwords posted on a user forum. Collected from past data breaches, many of the passwords were likely for accounts no longer active, but the file still constituted a huge leak of sensitive data, and a ready-made dictionary for credential-stuffing and password-spraying attacks.
  5. Facebook. In April 2021, a hacker leaked the phone numbers and other personal data of 533 million Facebook users. The social media giant blamed the incident on a vulnerability that the company fixed in 2019. But the leaked data could still prove useful to cybercriminals looking to scam people.
  6. Ticketmaster. In this case, Ticketmaster employees used login credentials stolen from a competitor, supplied by a former employee of that competitor, to access its computer systems and business information. Admitting to the conduct in a settlement with federal prosecutors, the company agreed to pay a $10 million fine.
  7. GoDaddy. In November 2021, hosting company GoDaddy revealed a security breach that hit the accounts of more than 1 million of its Managed WordPress customers. Investigating the incident, the company discovered that the attacker had used a compromised password to access the provisioning system in its legacy Managed WordPress code base.
  8. ActMobile Networks. More than 300 million personal records of VPN users were leaked online, many of them revealing email addresses and encrypted passwords, according to Comparitech. Following the trail of breadcrumbs, Comparitech fingered ActMobile Networks as the owner, though the company denied the charge, claiming that it doesn’t maintain any databases.
  9. DailyQuiz.me. Hackers broke into a DailyQuiz.me database of almost 13 million accounts, snagging plaintext passwords, email addresses and IP addresses for 8.3 million people. First placed for sale on the Dark Web, the stolen data eventually found its way into the public domain.
  10. New York City Law Department. Using just one employee’s stolen email account password, a hacker was able to access sensitive records for this 1,000-lawyer agency. The department houses such information as evidence of police misconduct, the identities of young children charged with crimes, medical records for plaintiffs and personal data for city employees.

Recommendations

How can you make sure your employees follow strong password security guidelines to protect your organization’s sensitive data? Dashlane offers the following tips:

  • Establish a culture of security. Employees need to understand what part they play in securing your company’s data. They must be involved in discussions about security. And they should have the tools required to follow strong password and security hygiene.
  • Train employees. Show employees how to spot and report possible security risks and threats. You may want to create a special email or contact they can use to report an incident.
  • Implement the right technology. This means using such tools as email security, endpoint protection and password managers.
  • Track the results of your security tools. Find ways to measure the effectiveness of your security defenses. For example, some password managers have a health feature that analyzes the vault and flags passwords that are weak, reused across accounts or present in known breach corpora.
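The three checks such a health feature performs (breached, reused, too short) are easy to reproduce for an internal audit. The script below is an added example written for this page, not Dashlane's code or any vendor's API. It uses a constructed, labelled stand-in for a breach corpus in place of RockYou2021 or COMB, and a constructed account inventory; the "range query" function mimics the shape of the Have I Been Pwned k-anonymity lookup (client sends only the first five hex characters of the SHA-1 hash, server returns the matching suffixes) but runs entirely offline, so no real breach data or network access is involved.

```python
"""Offline password-health audit: breached, reused and short passwords.

Added example for this article; not Dashlane's or any password manager's code.
The breach list and the account inventory are constructed sample data.
"""
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus (RockYou2021/COMB style). Sample values only.
LEAKED_PASSWORDS = [
    "solarwinds123",
    "password",
    "123456",
    "qwerty",
    "letmein",
    "welcome1",
]

# Constructed inventory: service -> password, as a password manager vault would hold it.
# The host names are hypothetical.
ACCOUNTS = {
    "vpn.example.com": "solarwinds123",     # leaked, even though it is 13 characters long
    "mail.example.com": "Tr0ub4dor&3",      # reused below, and under 12 characters
    "git.example.com": "Tr0ub4dor&3",
    "ci.example.com": "xk7#Qm2pL9vR!bz4",   # unique, long, not in the corpus
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the encoding breach-check services index on (not a storage format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked):
    """Group hash suffixes by their 5-character prefix.

    This is the server-side table a k-anonymity range endpoint would consult;
    assumption: it mirrors the HIBP range API shape (prefix in, suffix list out).
    """
    index = defaultdict(set)
    for pw in leaked:
        digest = sha1_hex(pw)
        index[digest[:5]].add(digest[5:])
    return index


def range_query(prefix: str, index) -> set:
    """Simulated server: only ever sees a 5-hex-char prefix, never the full hash."""
    if len(prefix) != 5:
        raise ValueError("range query takes exactly a 5-character hash prefix")
    return set(index.get(prefix.upper(), ()))


def is_breached(password: str, index) -> bool:
    """Client side: send the prefix, compare the suffix locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(digest[:5], index)


def audit(accounts, index, min_len: int = 12) -> dict:
    """Return {service: [findings]} for every account with at least one problem.

    Findings are 'breached', 'reused' (same password on 2+ services) and 'short'.
    Accounts with no findings are omitted from the result.
    """
    services_by_password = defaultdict(list)
    for service, pw in accounts.items():
        services_by_password[pw].append(service)

    findings = defaultdict(list)
    for service, pw in accounts.items():
        if is_breached(pw, index):
            findings[service].append("breached")
        if len(services_by_password[pw]) > 1:
            findings[service].append("reused")
        if len(pw) < min_len:
            findings[service].append("short")
    return dict(findings)


if __name__ == "__main__":
    breach_index = build_range_index(LEAKED_PASSWORDS)
    for service, problems in sorted(audit(ACCOUNTS, breach_index).items()):
        print(f"{service}: {', '.join(problems)}")
```

Two things the output makes concrete: "solarwinds123" passes a length-only policy yet is flagged because it is in the corpus, and the reused 11-character password is reported on both services, since a leak at either one exposes the other. Against a real corpus the index would be far too large to hold in memory this way; the point of the prefix split is that the client can check against a remote index without revealing the password or its full hash.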

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays