The Risks of Reusing Passwords on Multiple Sites

Risks of Reusing Passwords

In a world where uncertainties surround our everyday activities, it’s essential to be cautious of our every move. The internet, like most offline activities, is packed with different kinds of criminals. If not careful, most of your online activities could expose you to losses, some of which could directly impact your reputation.

While most online security discussions focus on monetary losses, the conversation is now shifting to why those losses happen in the first place: reused passwords.

It is human nature to look for easier ways around every task. For example, most people who operate numerous accounts prefer to use the same password for several sites because it is easier to remember.

That is just the tip of the iceberg. The loss and damage done by data breaches caused by password misuse are beyond imagination. We have collected password reuse statistics and summed up the top 30 breaches that took place up to 2021.

| S. No. | Company | Data Breach | Year | Damage Happened and Affected Users |
|---|---|---|---|---|
| 1 | CAM4 | The adult video streaming website suffered a data breach that compromised user information when the password of its cloud storage was hacked. | 2020 | 10.88 billion records |
| 2 | Yahoo | This is one of the longest-running data breaches. More than 1 billion Yahoo users had their personal information leaked. By the end of 2017, the total number of affected users reached 3 billion. Due to the breach, Yahoo asked end users to change their passwords. | 2013 | 3 billion records |
| 3 | Aadhaar | Aadhaar, India's citizen data record, suffered a data breach in 2018 when a state-owned data system leaked data. Through the leak, hackers were able to gain access to citizens' personal information such as names, biometrics, and bank details. | 2018 | 1.1 billion |
| 4 | First American Financial Corporation | One of the biggest finance data breaches in history, because crucial details like wire transaction details, social security numbers, and mortgage details were leaked. | 2019 | 885 million users |
| 5 | Verifications.io | Poor password handling can cause chaos beyond imagination, and Verifications.io is a live example. This email verification service exposed its huge database and made it accessible to everyone: the database was left unmonitored and without any password. The leaked information included phone numbers, IP addresses, dates of birth, and users' gender. | 2019 | 763 million |
| 6 | LinkedIn | Data breaches are so common that even big guns like LinkedIn are not safe from them. Despite adopting best practices, LinkedIn fell into the hacker trap and exposed the personal information of 92% of its users. The hacker dumped the stolen data on the dark web in two waves. | 2021 | 700 million users |
| 7 | Facebook | It was not Facebook's fault, yet the social media giant faced the public brunt when its third-party app, UpShot, suffered a data leak. | 2019 | 533 million users |
| 8 | Starwood-Marriott | While the Starwood-Marriott merger was under way, hackers took advantage of the opportunity and leaked customers' details. | 2018 | 500 million users |
| 9 | AdultFriendFinder | Data collected over 20 years became public when the adult website suffered a data breach. | 2016 | 412 million users |
| 10 | MySpace | A Russian hacker broke into the MySpace database and leaked information such as listed names, usernames, and birthdays. | 2013 | 360 million |
| 11 | Exactis | Exactis, a Florida-based marketing firm, exposed customer information such as phone numbers, home and email addresses, and interests, as well as number, age, and gender, as an after-effect of its database being hacked. | 2018 | 340 million |
| 12 | Twitter | Due to a glitch in the database that stores user passwords, user passwords were exposed. | 2018 | 330 million users |
| 13 | NetEase | It was shocking for NetEase users to see their passwords in hacking forums. The organization suffered a data breach that compromised users' emails and passwords. | 2015 | 234 million users |
| 14 | Sociallarks | Sociallarks, China's growing social media platform, suffered a data breach simply because its servers were not using strong passwords. | 2021 | 200 million users |
| 15 | Deep Root Analytics | Records of US voters were easily accessible when the Deep Root Analytics database suffered a data breach. | 2017 | 200 million users |
| 16 | Experian | The hacker got into Experian's data records by impersonating a business worker and stole information such as credit card and social security numbers. | 2013 | 200 million users |
| 17 | Adobe | Adobe users' personal information was compromised when someone hacked the database and gained access to information such as usernames and email IDs. The investigation found that the hack succeeded because the website was using poor encryption; the hacker recovered passwords by simple guessing. | 2013 | 213 million users |
| 18 | MyFitnessPal | The fitness app, owned by Under Armour, leaked user information such as email addresses, login credentials, and usernames after a data breach. This information was stored as SHA-1 and crypt hashes, which were easy to decode. The hacker put the data up for sale on the dark web. | 2018 | 150 million users |
| 19 | MyHeritage | The genealogy service disappointed its 92 million users when a hacker gained access to its databases. The incident happened in 2017 but was not made public until 2018. It was first reported by a security researcher who spotted a file on a private server containing user details. After the report, the company took immediate steps and carried out a proper investigation. | 2018 | 92 million users |
| 20 | Spotify | Spotify, the music streaming platform, suffered a data breach when a hacker broke into its database. The firm did not reveal the total number of affected users and had to reset all of its passwords after the incident. Information such as email, display image, profile image, and playlists is believed to have been exposed. | 2020 | Not disclosed |
| 21 | Tufts Health Plan, Aetna, Blue Cross Blue Shield & EyeMed | Because of a phishing attack, the alliance left its user data unprotected. Information such as names, addresses, dates of birth, phone numbers, email addresses, vision insurance account/identification numbers, and health insurance account/identification numbers was revealed. In some data leaks, passport details were also exposed. | 2020 | 484,157 Aetna and 60,545 Tufts Health Plan users |
| 22 | Expedia, Hotels.com & Booking.com | These three online booking giants were victims of hacking and a data breach when their reservation platform leaked data. This third-party leak was massive and forced the automatic cancellation of some bookings. Details such as the price paid per night, reservation dates, emails, names, and more were leaked. A few customers complained that their CVV and card details were also compromised. | 2020 | 10 million |
| 23 | Blackbaud | This cloud-based fundraising vendor became a victim of ransomware at the beginning of February 2020; the incident went unnoticed until March 2020. The vendor paid the ransom, yet the hacker had copied over 6 million users' data and leaked it later. | 2020 | Inova Health (1.5 million users), Saint Luke's Foundation (360,212), MultiCare Foundation (300,000), Spectrum Health (52,711), Northwestern Memorial HealthCare (55,983), and Main Line Health (60,595) |
| 24 | Microsoft Exchange | Hackers identified flaws in Microsoft Exchange Server and took advantage of them. There were four security flaws and bugs on the server. Because of them, data belonging to many small businesses, towns, cities, and states was compromised: the hackers were able to gain control of the server and steal data. Once it understood the situation, Microsoft released security patches for the bugs. | 2021 | 30,000 organizations |
| 25 | T-Mobile | Though T-Mobile did not reveal the total number of affected users, it confirmed that the mobile service provider had been hacked. The hacker used the SIM swap (SIM hijacking) technique, in which the attacker gains full control over the targeted phone number and receives the victim's messages and calls. The exposed information can relate to banks, email, names, addresses, and more; in some cases, social security numbers (SSNs), account personal identification numbers (PINs), and account security details can be compromised. | 2021 | Not disclosed |
| 26 | Collection 1 | The leading cloud storage site was a victim of hacking in 2019 and lost information stored since 2008. The stolen information was left unprotected on a hacking forum. | 2019 | 773 million users |
| 27 | US Cellular | US Cellular, the fourth-largest wireless carrier, fell victim to hacking when attackers scammed employees into downloading malicious software onto their computers. Once installed, the software gave the hackers access to all the software used by the company. | 2021 | 4.9 million |
| 28 | Town of Salem Video Game | Details of 7.6 million online gamers were stolen by malicious hackers when the server storing details such as names, email IDs, and passwords was corrupted. Information such as IP addresses and security questions was also leaked. | 2019 | 7.6 million users |
| 29 | Ascension | In this massive banking and mortgage data leak, more than 24 million records were left unprotected for a period of two weeks. When the source of the leak was traced, it turned out to be a technical glitch in the company's server. Financial information including addresses, dates of birth, social security numbers, and other financial details was revealed. | 2019 | 24 million |
| 30 | Canva | Canva is a huge online graphic design tool that helps people create amazing designs. Despite adopting commendable security practices, the platform suffered a data breach that impacted 137 million users. The compromised information included emails, cities, usernames, and email addresses. | 2019 | 137 million users |

Based on the above statistics, it’s clear why hackers have a field day when data breaches occur.

To confirm your fears, try entering your email addresses on haveibeenpwned.com to see the number of times your information has been exposed to data breaches. Chances are, if not you, then a friend or colleague has been exposed to massive breaches.

The Precarious Upshots of Password Reuse and Why People Still Do It

Password reuse is a common practice, more common than you could imagine. The practice has been around for a very long time. In fact, it is only recently that people have become aware of the dangers of this practice and are becoming diligent about using secure and different passwords.

Microsoft confirmed that around 44 million users were reusing passwords as of 2020. In 2019, a study on password reuse revealed that around 72% of the users who participated in the study recycle or reuse their passwords; 63% of these users use exactly the same password for all of their accounts.

Without considering the difference in security or importance between these websites, users deploy the same passwords on all of them. This is nothing but a direct invitation to hackers and cybercriminals.

The survey findings also revealed that users who do use different passwords often make only minor alterations that can be easily worked out. For instance, they might use one password for the banking website and a version of it with a single character changed for Netflix. One might think this is a safe practice, but it is not: the sharp minds of cybercriminals will spot these minor changes in the blink of an eye.

In fact, cybercriminals have compiled lists of the most commonly used password combinations and can break into an account instantly. Because of people's habit of password reuse, cybercriminals have managed to carry out 81% of data breaches, according to Verizon's 2020 Investigation Report.

While this practice is all too common, it is high time to become aware of the dangers involved and ditch the habit as soon as possible.

All these dangers of password reuse are nerve-wracking, yet people still do it all the time. Why? Let's figure it out.

  • Some Systems Make It Tedious to Create New Passwords

Here is a case in point. You visit a website, and on your first attempt at a password you are told to add a symbol. On your next attempt, you are prompted to add at least one lowercase letter, one uppercase letter, and a number.

If you are like most people, it becomes tedious to figure out which characters are acceptable. Most likely, after a few tries, you will choose the easiest way out of the mess by reusing a password from one of your other sites. While you may get away with such a choice at the moment, the risks are pretty obvious.

But what if the visited website allowed special characters on its platform? More importantly, what if it allowed you to create passwords in whatever way you know best?

Well, those rules may be in your best interest, but at times the handling of special characters and individual choices encourages the reuse of passwords.

  • The Repeat Mentality Blinds Rational Thinking

The idea of waking up one morning and not being able to remember hundreds of passwords makes people use the same password over and over again. This also happens in public institutions, where officials are afraid of not being able to access essential data when it is most needed.

The reuse of passwords in government has opened opportunities for fraudsters, and access to such sensitive information has cost countries millions of dollars.

Private institutions are also bearing the brunt of reused passwords, to a hacker's advantage. A good example is the report about Apple paying the Turkish Crime Family 401.731 bitcoin to secure the information of the exposed accounts.

That being said, most of the reason hackers gain access to this data is reused passwords. Think of the risk of having the same password for your iCloud and your financial institution. The password repeat mentality eventually catches up with you and could cost you or your organization a lot of money.

The Consequences of Using the Same Password Over and Over Again

With businesses and individuals facing the risk of losing up to $4 million every year due to leaked passwords and credentials, it is essential to learn how to keep accounts safe.

But first, let's look at what happens to people who reuse passwords despite all the associated risks.

  • You Put Multiple Accounts at Stake Simultaneously

If you are in the habit of reusing passwords, getting out of it is not easy. This is especially so if you have numerous accounts spread across different platforms. For example, if you are required to create credentials to view an e-book on a website, your first choice would be to use a password you already know.

But here's the catch: what if the email, login, or password is the same as what you use for your bank account? Then, in case of a hacking attempt on the initial website, your sensitive information is at risk.

A cybercriminal with this information will target most of your sites and wreak havoc on your operations. The consequences are a loss of money, time, and peace of mind while restoring your accounts to normal.

Reused passwords also rain terror on companies and brands that haven't been keen on password security. Unfortunately, some of the significant risks of reusing passwords also affect companies that are well aware of the dangers.

An example in this category is information security companies. Even with 45% of information security personnel admitting to knowing the risks of reusing passwords, it is still a habit that has yet to die completely.

  • More Possibilities of Hacking Incidents

We have already noted above that password reuse is an open invitation to online thugs and cybercriminals. It makes their job easier than ever: if they manage to crack one password, they can break into all of your accounts. They can steal money from your bank account, shop from your Amazon account, post offensive content from your Facebook account, and use your Netflix account while you pay for it.

That's just the trailer. Depending on the hacker's dexterity, you can end up facing hell on earth once your account is hacked.

For enterprises, the cracking of a reused password puts the entire database and the organization's integrity at stake. Employee and partner details will be compromised as well. There is no looking back from there.

  • Increased Vulnerability to Password-Guessing and Brute-Force Attacks

With password reuse, hackers build a strong database and get a chance to make their brute-force technique stronger than ever. For instance, it was once common belief that an alphanumeric password is hard to guess and will prevent hacking attacks. But with time the practice became saturated, and people started using easy combinations like admin123 or john12. Such easy passwords were not difficult to handle at all, and hackers managed to brute-force alphanumeric passwords too.

As more incidents of brute force, credential stuffing, and password guessing occur, hackers' databases keep growing. With each breach, they learn new passwords and get an opportunity to understand user mentality. It makes them more confident and more notorious.

  • Loss of Crucial Data

In a data-driven world, no business can afford to lose business-critical data. But when you reuse a password, you pave the path to exactly that. When a hacker cracks your reused password, s/he is not going to waste the effort: s/he will surely steal data or financial credentials.

Stolen customer or employee data is used in multiple ways. For instance, hackers sell that data to competitors for huge sums. Some even post the data on the dark web for free just to prove their expertise and win bigger jobs. In 2021, a hacker posted details of 500 million LinkedIn profiles on the dark web. The hacker sold this huge dataset for $2 just to prove its excellence and authenticity.

Similarly, 1.3 million scraped Clubhouse records were leaked for free on a popular hacking platform.

How to Manage Your Accounts Safely

The safety of your accounts depends on the tools you use for your passwords. Here are three applications that can limit access to your accounts.

  • Use Two-Factor Authentication

Luckily, most sites now offer two-factor authentication (2FA). With 2FA, your SMS service or email account acts as a second form of identification: every time you, or someone else, tries to access a site from a new device or location, an SMS or email is sent to your registered account.

Another feature of 2FA is the temporary or one-off passcode. The passcode ensures that a hacker has little to no chance of accessing your sensitive data as long as the second factor is unavailable to them.

Apart from SMS or email 2FA, you can strengthen your account security by using an authenticator app. Such apps are available mainly for Google and Microsoft accounts.

  • Enable a Password Manager

If you haven't been using a password manager, then you've probably been missing out on an excellent opportunity to boost your online safety. The best part about a password manager is that it can generate complex passwords for you. Even better, it saves the passwords, so you don't have to remember them every time.

The most exciting bit about a password manager is that it is protected by one master password. This means you only need to keep this key password in mind, since it unlocks all the others. Having a password manager is a sure way of steering clear of reusing passwords on different websites.

Other Steps to Follow to Make Your Password More Secure

Apart from the applications or software mentioned above, other day-to-day practices can secure your accounts.

  • Delete Accounts You No Longer Use

Deleting dormant accounts gives you fewer passwords to worry about and fewer accounts to maintain. This enables you to keep tabs on any hack attempts and mitigate risks in time.

  • Check Passwords Continuously

This mainly applies to companies that carry out regular password updates. Before updating passwords on official sites, ensure the new ones aren't already compromised. It is also important to emphasize to your team the importance of unique and strong passwords for every online site.

  • Ditch the Old Habits

Based on the Google survey, an estimated 26% of users continued using old passwords even after reports of data breaches. Reluctance was one of the reasons for the behavior. If we are to get over the risks of reusing passwords, old habits must die first.

  • Don't Use Passwords on Unsecured Devices and Networks

Public Wi-Fi and shared computers are a threat to online security. Ensure access to sensitive accounts is made only through secure networks. If you must use public platforms, log off and don't save passwords on the devices. Also consider using a VPN to mask your computer's IP address.
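One way to check whether a candidate password is already in a breach corpus before adopting it, written here as an added example rather than anything from the original article: the k-anonymity query used by the Pwned Passwords API (from the haveibeenpwned.com service mentioned earlier) sends only the first 5 hex characters of the password's SHA-1 hash, so the service never learns the password itself. The `SAMPLE_RANGE_5BAA6` response body is constructed for offline use; only the SHA-1 suffix of "password" in it is genuine, and the counts are made up.

```python
import hashlib
import urllib.request
from typing import Callable

# Constructed stand-in for the body returned by
# https://api.pwnedpasswords.com/range/5BAA6 : one "SUFFIX:COUNT" line per hash
# sharing the prefix. Counts are invented for this example; the middle suffix is
# the real remainder of SHA-1("password"), the other two suffixes are made up.
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1",
])


def offline_fetch(prefix: str) -> str:
    """Fetcher used in this example so it runs without network access."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def live_fetch(prefix: str) -> str:
    """Real query against the Pwned Passwords range endpoint. Only the 5-character
    prefix leaves the machine; matching happens locally in breach_count()."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = offline_fetch) -> int:
    """Return how many times the password appears in the corpus (0 = never seen).
    The full hash is never sent: we hash locally, query by prefix, and compare
    the remaining 35 hex characters against every returned suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def is_safe_to_adopt(password: str, fetch: Callable[[str], str] = offline_fetch) -> bool:
    """Policy hook for a password-rotation workflow: reject anything already breached."""
    return breach_count(password, fetch) == 0


if __name__ == "__main__":
    for candidate in ["password", "a long unique passphrase for this site only"]:
        print(f"{candidate!r}: seen {breach_count(candidate)} times, "
              f"safe to adopt: {is_safe_to_adopt(candidate)}")
```

Swap `offline_fetch` for `live_fetch` to run the same check against the real service; the comparison logic and privacy property are unchanged.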

Conclusion

The first step to proper management of online accounts is understanding the risk of reusing passwords. Though this habit may not die on the first try, creating unique passwords is the only sure way of keeping your sensitive information safe.

FAQs

How to keep track of passwords without reusing them?

The best way to keep track of your passwords is to use a password manager. A password manager stores your passwords in one place, so it is easy to check their status at all times. Also, its automatic suggestions ensure you have unique passwords across different platforms.
