We’re nearing the end of 2020 (thank gawd!), and the year-end lists are starting to come in. One of our first comes from Dashlane, a password management solution app for both individuals and businesses. As one would suspect, their list highlights the worst password offenders of 2020.
This year was especially hard due to the number of people being forced to work from home or students being shifted to online learning. As a result, it’s no surprise that the two companies at the top of the list are socially related.
“Just because more of our lives are now online doesn’t mean the digital world has become safer—everyone needs to remember proper password hygiene and implement cybersecurity-related best practices. Using a password manager like Dashlane to keep your information secure—whether you’re an individual or a business—will help alleviate the pain of any future breaches or password disasters.”
- Jay Leaf-Clark, Dashlane Head of IT
Let’s check out the top 10 worst password offenders according to Dashlane, starting with the worst: Twitter.
- Twitter Employees: In July, a small number of Twitter employees fell victim to one of the oldest tricks in the book: phishing. The attack, orchestrated by a 17-year-old Florida high-schooler, saw several employees ‘reset their passwords’ on a dummy site that, in addition to collecting login information, extracted multifactor authentication codes. From there, 130 verified accounts belonging to Barack Obama, Elon Musk, Bill Gates, Joe Biden, and more began to post Bitcoin scams. Twitter scrambled to identify where and how the breach occurred—and rushed to stop it. Their approach? Mandate every one of their thousands of employees change their passwords—manually and monitored. A little tweeting bird told us that enterprise password management could be much easier.
- Zoom Users: Just as we were adjusting to the realities of remote work and being on camera all day, half a million Zoom credentials were posted for sale on the Dark Web in April. Hackers used several ways in, including credential stuffing and deployment of multiple bots, to capitalize on Zoomers’ weak and re-used passwords, potentially compromising more of these users’ accounts across the web. At the risk of causing (Zoom) fatigue, a gentle reminder: strong and unique passwords are table stakes.
- EasyJet: EasyJet, the UK-based budget airline, unveiled a hidden high cost of its discount tickets: stolen personal data. A cyberattack compromised 9 million EasyJet travelers’ emails and itineraries, with over 2,000 customers’ credit card details breached. Equally cringe-worthy: EasyJet told the BBC that they became aware of the hack in January, though customers whose payment details were snagged weren’t notified by the company until April.
- Experian: Repeat 2017 Worst Password Offender and the world’s largest credit bureau Experian suffered a major breach of its South African branch after handing over personal information to a client impersonator. The resulting cyberattack affected an estimated 24 million South Africans and 800,000 businesses who have to pick up the pieces after this jarring experian-ce.
- Marriott: Starwood, the parent company of the Marriott megachain, was still recovering from a 2018 data breach when another 5.2 million Marriott guests were involved in a January hack. The culprit? Compromised Marriott employee login credentials. Say it with us now: strong and unique passwords are a must, for work and beyond.
- Nintendo Gamers: Those who made the switch to more gaming during lockdown faced an unexpected level: 300,000 Nintendo gamers experienced unauthorized logins to their accounts. Whether through credential stuffing or brute force, gamers with weak or reused passwords got wrecked. Unfortunately, this makes Nintendo a Nintend-no.
- Home Chef: In trying to make the new 2020 routine a little easier, millions flocked to meal delivery companies like Home Chef. Unfortunately, 8 million of those users’ records ended up for sale on the Dark Web. Home Chef wasn’t the only one making our stomachs turn—250K users of Instacart, a fellow meal kit service and dishonorable mention, also saw their credentials go up for sale on the Dark Web.
- Zoosk: In dating, it’s important to put yourself out there—but that doesn’t mean you want sensitive personal details for sale on the Dark Web. Zoosk, an online dating service, fell victim to a May cyberattack compromising over 200 million user records, including personal information like gender and date of birth.
- Minted: Remember that one art print you bought three years ago? Some of us paid twice for our purchases—the original fee, plus our data being breached. Nearly 5 million of us, in fact. If you’re going to make a new account—especially for a site you probably won’t use frequently—use a password generator to help you stay secure (and a password manager to keep track of it all).
- Day traders: Thousands of Robinhood customers were victims of cybertheft in October after hackers gained access to and drained their accounts. The online brokerage initially blamed its users’ previously-compromised credentials instead of its own security infrastructure, but some customers say there’s no sign of their emails being compromised. One thing we know for sure: Nothing stinks more than losing out on your stonks’ returns.
Password-targeted breaches are something we have to live with in this cyber age. As Dashlane mentions, you can take some easy steps to reduce the risk that you fall victim to a password breach. These include using random and different passwords for EACH account, turning on two-factor authentication (2FA), getting a password manager (like Dashlane), and signing up for the company’s new Breach Alerts.
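The reuse that credential stuffing feeds on (the Zoom and Nintendo entries above) and the “random and different password for each account” advice can both be checked mechanically. The following is an added example, not code from this article or from Dashlane: it audits a constructed sample vault for reused or short passwords and replaces the flagged ones with fresh CSPRNG-generated values. The vault contents and the 12-character minimum are assumptions for illustration.

```python
import secrets
import string
from collections import defaultdict

# Constructed sample vault (account -> password). Three accounts deliberately
# share one password, mirroring the reuse that credential stuffing exploits.
SAMPLE_VAULT = {
    "zoom": "Lockdown2020!",
    "nintendo": "Lockdown2020!",
    "robinhood": "Lockdown2020!",
    "minted": "minted123",
    "homechef": "x7#Qp9!vL2@mRz4Wn8Kd",
}

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20):
    """Return a random password drawn from the OS CSPRNG via `secrets`."""
    if length < 12:  # assumed minimum for this example
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def audit_vault(vault, min_length=12):
    """Flag reuse and short passwords.

    Returns (reused, weak): `reused` maps a password to the accounts that
    share it; `weak` lists accounts whose password is shorter than min_length.
    """
    by_password = defaultdict(list)
    for account, password in vault.items():
        by_password[password].append(account)
    reused = {pw: accts for pw, accts in by_password.items() if len(accts) > 1}
    weak = [acct for acct, pw in vault.items() if len(pw) < min_length]
    return reused, weak


def remediate(vault, length=20):
    """Return a copy of the vault where every flagged account gets a unique new password."""
    reused, weak = audit_vault(vault)
    flagged = set(weak)
    for accounts in reused.values():
        flagged.update(accounts)
    fixed = dict(vault)
    for account in flagged:
        fixed[account] = generate_password(length)
    return fixed
```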