Experian, Nintendo, and Marriott Also Appear in Fifth Annual Rankings
NEW YORK, December 3, 2020 — Dashlane today announced its fifth annual list of the year’s “Worst Password Offenders.” As our lives have migrated almost entirely online due to the pandemic, the list highlights the companies and organizations with the most significant password-related mishaps of 2020.
Social networking may have kept us connected in the year of Covid-induced social distancing, but unfortunately Twitter and Zoom (which took the #1 and #2 spots on this year’s list) saw their employees and users fall victim to cyber attacks built on phished and weak passwords. In addition, other big names in the world of travel, gaming, and home delivery also fell victim to hacks. When a hacker obtains your username or email and password from a single compromised database, they can try that same combination against other sites (a technique known as credential stuffing) and get into every account where the password was reused.
The Worst Password Offenders list serves as an annual reminder for how easy it is to make an internet faux pas, even when we think we’re protected. Dashlane data shows the average internet user has over 200 digital accounts that require passwords, a figure projected to double to 400 in the next five years.
“Just because more of our lives are now online doesn’t mean the digital world has become safer—everyone needs to remember proper password hygiene and implement cybersecurity-related best practices,” said Dashlane’s Head of IT, Jay Leaf-Clark. “Using a password manager like Dashlane to keep your information secure—whether you’re an individual or a business—will help alleviate the pain of any future breaches or password disasters.”
Dashlane’s “Worst Password Offenders” of 2020, beginning with the worst:
- Twitter Employees: In July, a small number of Twitter employees fell victim to one of the oldest tricks in the book: phishing. The attack, orchestrated by a 17-year-old Florida high-schooler, saw several employees ‘reset their passwords’ on a dummy site that, in addition to collecting login information, extracted multifactor authentication codes. From there, 130 verified accounts belonging to Barack Obama, Elon Musk, Bill Gates, Joe Biden and more began to post Bitcoin scams. Twitter scrambled to identify where and how the breach occurred—and rushed to stop it. Their approach? Mandate every one of their thousands of employees change their passwords—manually and monitored. A little tweeting bird told us that enterprise password management could be much easier.
- Zoom Users: Just as we were adjusting to the realities of remote work and being on camera all day, half a million Zoom credentials were posted for sale on the Dark Web in April. Hackers got in by credential stuffing: bots tried username and password pairs leaked in earlier breaches against Zoom’s login, capitalizing on Zoomers’ weak and reused passwords and potentially compromising those same users’ accounts elsewhere on the web. At the risk of causing (Zoom) fatigue, a gentle reminder: strong and unique passwords are table stakes.
- EasyJet: EasyJet, the UK-based budget airline, unveiled a hidden high cost of its discount tickets: stolen personal data. A cyberattack compromised nine million EasyJet travelers’ emails and itineraries, with over 2,000 customers’ credit card details breached. Equally cringe-worthy: EasyJet told the BBC that it became aware of the hack in January, though customers whose payment details were snagged weren’t notified by the company until April.
- Experian: Repeat 2017 Worst Password Offender and world’s largest credit bureau Experian suffered a major breach of its South African branch after handing over personal information to a client impersonator. The resulting cyberattack affected an estimated 24 million South Africans and 800,000 businesses who have to pick up the pieces after this jarring experian-ce.
- Marriott: Marriott, still recovering from the 2018 breach of the Starwood guest reservation database it inherited when it acquired the Starwood chain, saw another 5.2 million guests involved in a January hack. The culprit? Compromised login credentials belonging to Marriott employees. Say it with us now: strong and unique passwords are a must, for work and beyond.
- Nintendo Gamers: Those who made the switch to more gaming during lockdown faced an unexpected level: 300,000 Nintendo gamers experienced unauthorized logins to their accounts. Whether through credential stuffing or brute force, gamers with weak or reused passwords got wrecked. Unfortunately, this makes Nintendo a Nintend-no.
- Home Chef: In trying to make the new 2020 routine a little easier, millions flocked to meal delivery companies like Home Chef. Unfortunately, eight million of those users’ records ended up for sale on the Dark Web. Home Chef wasn’t the only one making our stomachs turn: 250K users of fellow food delivery service and dishonorable mention Instacart saw their credentials go up for sale on the Dark Web too.
- Zoosk: In dating, it’s important to put yourself out there—but that doesn’t mean you want sensitive personal details for sale on the Dark Web. Zoosk, an online dating service, fell victim to a May cyberattack compromising over 200 million user records, including personal information like gender and date of birth.
- Minted: Remember that one art print you bought three years ago? Some of us paid twice for our purchases—the original fee, plus our data being breached. Nearly five million of us, in fact. If you’re going to make a new account—especially for a site you probably won’t use frequently—use a password generator to help you stay secure (and a password manager to keep track of it all).
- Day traders: Thousands of Robinhood customers were victims of cybertheft in October after hackers gained access to and drained their accounts. The online brokerage initially blamed its users’ previously-compromised credentials instead of its own security infrastructure, but some customers say there’s no sign of their emails being compromised. One thing we know for sure: nothing stinks more than losing out on your stonks’ returns.
Don’t Become a Dishonorable Mention.
Learn from the mistakes of this year’s Worst Password Offenders—including the President of the United States, who allegedly used the all-too-easy-to-guess “maga2020!” as his Twitter password—and implement the following best practices to stay off future lists:
- Use random and different passwords for every account: Password reuse is an epidemic. Repeating the same password across your accounts is a lot like using the same key for your house and your car: if someone gets hold of that key, they have access to everything you want to keep safe. Hackers take passwords from one breached site and try them, at scale, on every other site. A random, different password for every account means a single breach exposes a single account and nothing else. Random keeps you secure.
- Turn on two-factor authentication (2FA): 2FA adds an additional “factor” to your normal login procedure to verify your identity, using two of three kinds of identifier: something you know (your password, PIN, ZIP code, etc.), something you are (facial recognition, a fingerprint, a retina scan, etc.), or something you have (a smart card, your smartphone, a hardware security key, etc.). Most apps or websites will send a code by email or text message to your phone; an authenticator app or hardware key is stronger, because, as the Twitter phishing attack showed, a code typed into a fake login page can be captured and used by the attacker just like the password.
- Get a password manager. Now. Ditch the notebook, Excel grid, Post-It, or whichever patented password management “method” you’re currently using. A password manager is the only practical way to safely and conveniently manage wildly complicated and unique passwords for an unlimited number of accounts, while providing automatic logins and secure autofill of personal and payment information.
- Sign up for breach alerts. Dashlane helps you learn what to do if your information has been compromised. By signing up for the new Breach Alerts, Dashlane will alert you if any of your data is found on the Dark Web, and keep an eye out for breaches that may affect you in the future.
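As an added example (not Dashlane’s code and not part of the original release), the following Python script shows the first two practices above in working code: generating a cryptographically random, unique password per account, flagging passwords reused across a vault, and verifying the time-based one-time code an authenticator app produces (TOTP per RFC 6238, built on HOTP per RFC 4226), including the server-side drift window and constant-time comparison. The account names and passwords in the sample vault are constructed for the demo; the TOTP key is the RFC test key, not a real secret.

```python
import hashlib
import hmac
import math
import secrets
import string
import struct
import time

# Character set for generated passwords: upper, lower, digits, punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=ALPHABET):
    """Draw every character from the OS CSPRNG via `secrets`, never `random`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


def find_reused(vault):
    """Map each password used by more than one account to those accounts.

    One breach of any account in such a group exposes all of them to credential stuffing.
    """
    by_password = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits)


def verify_totp(secret, code, for_time=None, step=30, digits=6, window=1):
    """Server-side check: accept the current step plus/minus `window` steps for clock drift.

    The comparison is constant-time so response timing does not reveal how many
    digits matched. A code of the wrong shape is rejected before any HMAC is computed.
    """
    if len(code) != digits or not code.isdigit():
        return False
    if for_time is None:
        for_time = time.time()
    counter = int(for_time // step)
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + drift, digits), code):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample vault: two accounts share a password, one has a random one.
    vault = {"email": "Summer2020!", "bank": "Summer2020!", "forum": generate_password()}
    print("reused:", find_reused(vault))
    print("entropy of a 20-char random password: %.1f bits" % entropy_bits(20))
    # RFC 6238 test key: at Unix time 59 the 6-digit SHA-1 TOTP is 287082.
    key = b"12345678901234567890"
    print("TOTP at t=59:", totp(key, 59), "verified:", verify_totp(key, "287082", 59))
```

A phished TOTP code is still valid for roughly one to two time steps, which is exactly the window the Twitter attackers exploited; the drift window above should therefore stay small, and a code should be accepted at most once.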
Want to protect your business from password gaffes? Stay off next year’s list by downloading our white paper to learn more: Password Management 101: Why Passwords are the Weak Link in Company Security.