Help Net Security
March 5, 2021

Credential exposure trends: You need a better password

SpyCloud researchers recovered more than 4.6 billion pieces of personally identifiable information and nearly 1.5 billion stolen account credentials from 854 breach sources in 2020, the company announced in its 2021 Credential Exposure Report.

Credential exposure trends

The number of breach sources increased 33% over 2019, with an average 2020 breach size of 5,455,813 records. Only 200 contained between 1 million and 50 million records, and just 17 had more than 50 million records.

The 1,486,416,779 exposed credentials include email addresses or usernames connected to plaintext passwords. For users with more than one password collected last year, researchers found that 60% of the credentials were reused across multiple accounts, making them ripe for account takeovers and password spraying attacks.

This password reuse rate, unchanged from last year, reflects how easy it is for an attacker to use one stolen password to compromise more than one account. By analyzing the number of times an email address appears across breaches, SpyCloud estimates that a person exposed in one breach will, on average, be included in 8-10 others, and 3-4 of those could fall within a given year.

“These staggering numbers indicate a continued threat for account takeovers, identity theft and fraud at a time when people have been spending more time online during the COVID-19 pandemic,” said David Endler, Chief Product Officer, SpyCloud. “Criminals didn’t stop for the coronavirus. In fact, attackers have been able to use the disruption of the pandemic to their advantage.”

The data recovered by SpyCloud researchers includes more than 4.6 billion pieces of personally identifiable information (PII), including names, addresses, birthdates, job titles, social media URLs and nearly 1.3 billion phone numbers. Criminals use PII to create fake accounts or steal someone else’s identity and then apply for lines of credit, intercept tax refunds, drain bank accounts and more. With as little as one or two pieces of PII, they can compromise a person’s identity.

Despite years of advice about the importance of strong passwords, people inevitably end up reusing or recycling the same credentials for multiple sites. Outdated password complexity requirements have complicated the issue by providing people with a false sense of security when they recycle a favorite password with a few simple changes, like capitalizing the first letter and adding a 1 or ! at the end.

Industry standards call for organizations to convert plaintext passwords into hashes so if they are breached, criminals can’t easily access the passwords themselves. But some hashing algorithms are computationally harder to crack than others. Unfortunately, even the strongest hashing algorithm means little when users make weak or common password choices.

Older breaches, which are more likely to have been hashed using now-outdated algorithms (e.g. MD5, SHA1), can help criminals launch association attacks against harder-to-crack breaches and confirm whether users are still recycling old passwords.
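The two defensive points above, that a recycled password with a capital letter and a trailing "1" or "!" is not a new password, and that stored passwords belong in a salted, slow hash rather than MD5/SHA1, can be put into a registration-time check. The example below is added here and is not SpyCloud's or Help Net Security's code; the exposed-password list, the decoration characters and the scrypt parameters are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample of previously exposed passwords (the kind of list a
# credential-exposure feed supplies); the values are illustrative, not from the report.
EXPOSED_PASSWORDS = {"123456", "123456789", "12345678", "password", "111111", "corona2020"}

# Characters people tack on to recycle a favourite password ("1", "!", a year).
_DECORATIONS = "0123456789!@#$%*."

def canonical(password: str) -> str:
    """Undo the cheap mutations the report describes: lowercase and drop trailing
    digits/symbols, so 'Password2020!' and 'password1' both map to 'password'."""
    core = password.lower().rstrip(_DECORATIONS)
    return core or password.lower()   # all-digit passwords ('123456') keep their form

_EXPOSED_CORES = {canonical(p) for p in EXPOSED_PASSWORDS}

def is_recycled(password: str) -> bool:
    """True if the password is an exposed one or a trivial variant of one."""
    return password.lower() in EXPOSED_PASSWORDS or canonical(password) in _EXPOSED_CORES

def hash_password(password: str, *, n: int = 2 ** 14, r: int = 8, p: int = 1) -> str:
    """Store a salted scrypt hash (a memory-hard KDF) instead of unsalted MD5/SHA1,
    so each guess against a breached table costs the attacker far more."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    _, n, r, p, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)

def register(password: str) -> Optional[str]:
    """Registration-time screening: refuse recycled passwords, otherwise return
    the hash to store. Returns None when the password is rejected."""
    if is_recycled(password):
        return None
    return hash_password(password)

if __name__ == "__main__":
    for candidate in ["Password1!", "Corona2021", "purple-otter-lamp-37"]:
        print(candidate, "->", "rejected" if register(candidate) is None else "accepted")
```

Note that "Corona2021" is rejected even though it is not in the list: its core "corona" matches the exposed "corona2020", which is exactly the association an attacker would otherwise exploit.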

“People have no control over whether a website uses a weak or strong hashing algorithm, and rarely do websites publicize that information,” Endler said. “As smart consumers, we need to take personal responsibility for setting strong, unique and complex passwords to protect ourselves because, as the data shows, we can’t expect websites and companies to do it for us.”

Other key findings:

  • Topical passwords – Not surprisingly, passwords frequently reflected current events. More than 1.6 million passwords included “2020.” Another 107,595 included “corona,” “virus” or “coronavirus.” Thousands more were found using “Trump,” “Biden,” “BLM,” “vote” and “mask.”
  • Most common passwords – As usual, the most common password found was “123456,” followed by “123456789” and “12345678.” “Password” and “111111” showed up more than 1.2 million times each.
  • Government accounts exposed – SpyCloud found 269,690 sets of credentials for .gov accounts. Password reuse for .gov emails was 87%, 27 points higher than the overall reuse rate.