Cybersecurity Experts Discover Over 9 Billion Compromised Login Credentials From 640 Unique Data Breaches

We all know that we could do better at managing passwords, handling data breaches, and dealing with account hijacking after hackers steal login credentials. Unfortunately, although we have the knowledge, we do not always apply it. We continue reusing or rotating passwords, we do not address data breaches quickly enough, and we certainly do not spend time analyzing the security features and tools that different services provide. No wonder 2019 was a terrible year for cybersecurity. According to SpyCloud’s 2020 Annual Credential Exposure Report, the company’s data shows that over 9 billion login credentials fell into the hands of cybercriminals in 2019. These credentials were stolen in 640 unique data breaches that affected 270 million users worldwide.

Researchers identified four main credential exposure trends: hackers now have access to more data, people continue reusing passwords, data stolen by cybercriminals before 2019 is still in use, and more data breaches have been linked to vulnerable servers. Unfortunately, hackers stole login credentials far more efficiently in 2019 than ever before: compared to 2018, the number of stolen login credentials increased by 157% (from 3.5 billion). Although regular users like you and me are not always in control of what data is stolen, we certainly have many tools around us that can help strengthen data security. Continue reading, and you will learn all about it.

We Continue to Reuse and Rotate Passwords

It is no surprise at all that people are reusing or rotating passwords. We have been talking about this for years now. The numbers gathered by SpyCloud, however, have revealed the ugly truth of how common password reuse truly is. According to researchers, out of the 9 billion credentials that were breached, 29% of passwords were reused on multiple accounts. Out of those 29%, 94% were exact matches, 4% had one or two numbers added, and 2% had letters capitalized. Unfortunately, people continue to believe that password, password1, password123, and Password123 are good enough and unique enough passwords to secure their accounts. They certainly are NOT. And if you do not believe that these are actual passwords that people use today, you can check the worst passwords of 2019 list. When you look at it, things make sense. Cybercriminals do not even need to type in passwords by hand. All they have to do is use software and hardware dedicated to guessing and brute-forcing login credentials. All in all, it is no wonder that hackers steal login credentials. It’s like taking candy from a small child.
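The three reuse patterns the report counts (exact match, one or two digits appended, capitalization changed) are easy to check for on the defending side, for example in a password-change form that refuses a "rotation" that is really the old password in disguise. The following Python is an added illustration, not code from SpyCloud or from this article; the password pairs are constructed sample values, and the function names are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample of (old password, new password) pairs, standing in for the
# kind of credential pairs matched across breaches. Made-up values, not report data.
SAMPLE_PAIRS = [
    ("password", "password"),             # exact reuse
    ("password", "password1"),            # one digit appended
    ("password", "password12"),           # two digits appended
    ("password", "Password"),             # capitalization only
    ("correct horse", "correct horse"),   # exact reuse
    ("summer2019", "Winter!Forest#88"),   # genuinely different
]

# Old password followed by exactly one or two digits (password -> password1, password12).
TRAILING_DIGITS = re.compile(r"^(?P<stem>.*?)(?P<digits>\d{1,2})$")


def classify_reuse(old: str, new: str):
    """Classify how a new password relates to an old one.

    Returns "exact", "case_only", "digits_added", or None when none of the
    three reuse rules from the report applies.
    """
    if new == old:
        return "exact"
    if new.casefold() == old.casefold():
        return "case_only"
    m = TRAILING_DIGITS.match(new)
    if m and m.group("stem") == old:
        return "digits_added"
    return None


def reuse_breakdown(pairs):
    """Count reuse categories over (old, new) pairs, like the report's 94%/4%/2% split."""
    counts = Counter(classify_reuse(old, new) for old, new in pairs)
    reused = sum(v for k, v in counts.items() if k is not None)
    return {"reused": reused, "total": len(pairs),
            **{k: v for k, v in counts.items() if k is not None}}


def reject_if_reused(new: str, history):
    """Policy check for a password-change form: return the first reuse pattern found."""
    for old in history:
        kind = classify_reuse(old, new)
        if kind:
            return kind
    return None


if __name__ == "__main__":
    print(reuse_breakdown(SAMPLE_PAIRS))
    print(reject_if_reused("password1", ["letmein", "password"]))
```

The history check only makes sense if the server keeps salted hashes of previous passwords and compares candidate variants against them; storing old passwords in the clear to enable this check would recreate the very problem the report describes.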

We Are Not Aware of the Security Features and Tools Available to Us

If you have accounts on Twitter, Instagram, TikTok, WhatsApp, Facebook, three different email providers, several online banks, YouTube, Netflix, Disney+, HBO, Spotify, Viber, Pinterest, Snapchat, and perhaps 57 other services, there is a good chance that you have not taken the time to learn about the different security features and tools that are available to you. That is a huge mistake, especially if your password is weak to begin with. Two-factor authentication and multi-factor authentication are not invincible, and cybercriminals keep finding new ways to, for example, intercept text messages to hijack verification codes. That being said, there are plenty of ways to strengthen the security of your accounts. First and foremost, of course, you want to make your passwords strong. Beyond that, you want to enable additional authentication methods, set up alerts for sign-ins from an unknown device or a different country, and check how to use the “log out of all devices” feature where one exists. Different services present different tools, and so setting them up can be a hassle, but your security is worth the trouble. Trust us.

Alicia Hope at CPO Magazine spoke to the chief product officer and co-founder of SpyCloud, David Endler. He claims that passwords are not going anywhere, which means that we need to make them strong. Endler suggests ditching 90-day password rotation protocols, enabling additional authentication features, and also employing password managers: “The security community has for a long time recommended password managers, but we need to be more vocal about them, and even offer them as an employee benefit to encourage strong password hygiene.” The Cyclonis Password Manager is a well-rounded tool that can help any Windows/Mac/Android/iOS user create the most secure passwords imaginable. It also protects them.

Companies Do Not Take Care of Their Businesses and Customers

Sadly, even if you set up a strong password and successfully use additional security measures to secure your accounts, you could still be affected by a data breach. It all comes down to how experienced and aggressive the attackers are and how well the service provider has secured customer data. Unfortunately, massive data breaches that affect millions of clients are reported weekly. Facebook, Yahoo, Marriott International, Adobe, and Equifax have all experienced massive data breaches that affected millions of people. Here are the top 5 biggest data breaches of 2019. These breaches are enabled by various vulnerabilities that companies manage to overlook. Unfortunately, data breaches turn into disasters if hackers steal login credentials during them. That is not possible if passwords are secured properly.

According to SpyCloud, companies often mistakenly assume that hashed passwords are protected passwords. They also often rely on the weakest hashing methods available to them, which only makes matters worse. The research revealed that only 44% of all passwords are hashed and salted, which is already a problem. Out of that 44%, 53% are hashed with SHA-1 or MD5, methods that, reportedly, are ineffective and can be cracked in minutes or even seconds. Once the hash is cracked, the attacker has the plaintext password, which can be used to hijack accounts and terrorize users. Companies also often leave the servers that store user data without proper protection. Hackers can often log into them using easy-to-guess login combinations, such as admin and password123.
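The difference between "hashed" and "hashed and salted with a slow function" is the whole point of that paragraph, so here it is side by side. This Python is an added example, not code from SpyCloud or this article: an unsalted MD5 store, where every user with the same password gets the same hash and a small precomputed lookup recovers it instantly, next to a per-user random salt with PBKDF2-HMAC-SHA256 from the standard library, where identical passwords produce different records and the lookup is useless. The user records, the common-password list and the iteration count are constructed values chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: two users who happen to share the same weak password.
USERS = {"alice": "password123", "bob": "password123"}


# --- Weak scheme: unsalted, fast hash (MD5 storage as described in the report) ---
def md5_store(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


# Constructed lookup of a few common passwords: the principle behind precomputed
# tables. One table entry matches every unsalted hash of that password, forever.
COMMON = ["password", "password1", "password123", "Password123"]
MD5_LOOKUP = {md5_store(p): p for p in COMMON}


def recover_unsalted(stored_hash: str) -> Optional[str]:
    """Return the password behind an unsalted MD5 hash if it is in the lookup."""
    return MD5_LOOKUP.get(stored_hash)


# --- Stronger scheme: random per-user salt plus slow key derivation ---
ITERATIONS = 200_000  # example work factor; tune to your hardware budget


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$digest_hex' with a fresh 16-byte salt per call."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def compare_schemes(users):
    """Contrast both stores for the same users (identical passwords must not collide)."""
    md5 = {u: md5_store(p) for u, p in users.items()}
    salted = {u: pbkdf2_store(p) for u, p in users.items()}
    return {
        "md5_collide": len(set(md5.values())) < len(md5),
        "salted_collide": len(set(salted.values())) < len(salted),
        "md5_recovered": {u: recover_unsalted(h) for u, h in md5.items()},
        "salted_in_lookup": any(h in MD5_LOOKUP for h in salted.values()),
    }


if __name__ == "__main__":
    print(compare_schemes(USERS))
```

The salt does not need to be secret; its job is to make every record unique so that a precomputed table, or one cracked hash, does not unlock every account that shares a password. The slow derivation is what turns "seconds" into something an attacker has to pay for per guess and per user.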

Speaking of poor password management, companies often sell products with weak default passwords that users are not obligated to change. Unfortunately, users are often clueless about virtual security, and they leave default passwords in place without realizing that cybercriminals can take over. Companies also do not force additional security layers on their users. Of course, it is up to users themselves to decide whether or not they want to add backup email addresses or telephone numbers that could help recover accounts or receive verification codes. However, because users are not naturally inclined to take good care of their accounts, companies should be more insistent. Or clever. For example, Epic Games is now offering free games to those who enable two-factor authentication.

The bottom line is that while regular users are not in full control of what happens to personal data during data breaches, there are various ways and multiple tools to aid in the protection of personal accounts.


By Foley
May 20, 2020
