SpyCloud researchers recovered more than 4.6 billion pieces of personally identifiable information and nearly 1.5 billion stolen account credentials from 854 breach sources in 2020, the company announced in its 2021 Credential Exposure Report.
Credential exposure trends
The number of breach sources increased 33% over 2019, with an average 2020 breach size of 5,455,813 records. Only 200 contained between 1 million and 50 million records, and just 17 had more than 50 million records.
The 1,486,416,779 exposed credentials include email addresses or usernames connected to plaintext passwords. For users with more than one password collected last year, researchers found that 60% of the credentials were reused across multiple accounts, making them ripe for account takeovers and password spraying attacks.
This password reuse rate, which is unchanged from last year, reflects how easy it is for an attacker to use one stolen password to compromise more than one account. By analyzing the number of times an email address appears across breaches, SpyCloud estimates that the average person if exposed once will be included in 8-10 others, and 3-4 of those could be within a given year.
“These staggering numbers indicate a continued threat for account takeovers, identity theft and fraud at a time when people have been spending more time online during the COVID-19 pandemic,” said David Endler, Chief Product Officer, SpyCloud. “Criminals didn’t stop for the coronavirus. In fact, attackers have been able to use the disruption of the pandemic to their advantage.”
The data recovered by SpyCloud researchers includes more than 4.6 billion pieces of personally identifiable information (PII), including names, addresses, birthdates, job titles, social media URLs and nearly 1.3 billion phone numbers. Criminals use PII to create fake accounts or steal someone else’s identity and then apply for lines of credit, intercept tax refunds, drain bank accounts and more. With as little as one or two pieces of PII, they can compromise a person’s identity.
Despite years of advice about the importance of strong passwords, people inevitably end up reusing or recycling the same credentials for multiple sites. Outdated password complexity requirements have complicated the issue by providing people with a false sense of security when they recycle a favorite password with a few simple changes, like capitalizing the first letter and adding a 1 or ! at the end.
Industry standards call for organizations to convert plaintext passwords into hashes so if they are breached, criminals can’t easily access the passwords themselves. But some hashing algorithms are computationally harder to crack than others. Unfortunately, even the strongest hashing algorithm means little when users make weak or common password choices.
Older breaches, which are more likely to have been hashed using now-outdated algorithms (e.g. MD5, SHA1, etc.), can help criminals launch association attacks against harder to crack breaches and confirm whether users are still recycling old passwords.
“People have no control over whether a website uses a weak or strong hashing algorithm, and rarely do websites publicize that information,” Endler said. “As smart consumers, we need to take personal responsibility for setting strong, unique and complex passwords to protect ourselves because, as the data shows, we can’t expect websites and companies to do it for us.”
Other key findings:
- Topical passwords – Not surprisingly, passwords frequently reflected current events. More than 1.6 million passwords included “2020.” Another 107,595 included “corona,” “virus” or “coronavirus.” Thousands more were found using “Trump,” “Biden,” “BLM,” “vote” and “mask.”
- Most common passwords – As usual, the most common password found was “123456,” followed by “123456789” and “12345678.” “Password” and “111111” showed up more than 1.2 million times each.
- Government accounts exposed – SpyCloud found 269,690 sets of credentials for .gov accounts. Password reuse for .gov emails was 87%, 27 points higher than the overall reuse rate.