In 2013, World Password Day was introduced by Intel to raise awareness of the role strong passwords play in safeguarding our digital lives.
The event, which falls on the first Thursday of May, invites users to evaluate their own security measures and take the necessary steps to protect their accounts.
A long password made of unique characters is no longer enough on its own; users are also advised to turn on multi-factor authentication (MFA), so that a stolen or guessed password by itself does not give an attacker access.
Experts also urge users not to reuse passwords, since a password shared across accounts may already have been exposed in a data breach and will be tried against every other service the user has, and to use other security measures such as biometric authentication (fingerprints or facial recognition) wherever possible.
Here are some recent cybersecurity incidents involving bad password habits that should convince you to make the change.
As easy as 123
First reported in 2020, the SolarWinds hack has been described as one of the most devastating security breaches in US history.
According to a Reuters report, hackers compromised SolarWinds’ software and could have gained access to an estimated 18,000 companies and multiple US government agencies that used its products, including emails at the US Treasury, Justice and Commerce departments, among others. A subsequent investigative report published by the company put the number of customers actually affected by the hack at fewer than 100.
Investigations into the cause of the hack led to the initial discovery of an earlier lapse in password security at SolarWinds: in 2019 it came to light that an intern had allegedly posted the password “solarwinds123” on their personal GitHub account.
The researcher who found the leaked password, Vinoth Kumar, told CNN that it had been accessible online since 2018 and that, using it, he was able to log in and deposit files onto the company’s server.
He warned that any attacker who found the password could have uploaded malicious programs to SolarWinds the same way.
SolarWinds CEO Sudhakar Ramakrishna later admitted that the password had been in use from as far back as 2017 and said that measures had been taken to fix the issue.
The company later issued a statement saying that the password had not played a role in the 2020 hack, adding that it had in fact been used for a separate third-party vendor application with no access to SolarWinds’ IT systems. To date, the company has not determined the exact cause of the breach.
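The advice earlier on this page (do not reuse a password that may already sit in a breach dump) and the “solarwinds123” case above both come down to checks that can be automated before a password is accepted. The following Python is an added example, not code from SolarWinds or from any of the reports cited: it performs a k-anonymity style breach lookup (send only the first five hex characters of the SHA-1 hash, compare the remaining suffix locally, the same shape as the Have I Been Pwned range API) against a small constructed breach corpus, and separately flags passwords built from an organisation name plus a numeric or symbol suffix. The corpus, the organisation names and the `range_lookup` stand-in are assumptions for the demo; a real deployment would point `range_lookup` at the live range API or a local copy of its hash list.

```python
import hashlib
import re

# Constructed breach corpus for the demo (assumption, not real breach data).
# A real deployment would query the Have I Been Pwned range API or a local
# copy of its SHA-1 list instead of this list.
BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "solarwinds123"]


def sha1_upper(password):
    """Upper-case hex SHA-1, the format the HIBP range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index the corpus by 5-character hash prefix -> list of 35-character suffixes,
# mirroring what the range endpoint returns for a given prefix.
BREACH_INDEX = {}
for _pw in BREACHED_PASSWORDS:
    _h = sha1_upper(_pw)
    BREACH_INDEX.setdefault(_h[:5], []).append(_h[5:])


def range_lookup(prefix):
    """Stand-in for GET /range/{prefix}: returns hash suffixes sharing the prefix.

    Only the 5-character prefix ever leaves the caller, so the service cannot
    learn which password was checked (k-anonymity). Hypothetical local version.
    """
    return BREACH_INDEX.get(prefix.upper(), [])


def is_breached(password):
    """True if the password's SHA-1 appears in the breach corpus."""
    digest = sha1_upper(password)
    return digest[5:] in range_lookup(digest[:5])


def matches_org_pattern(password, org_names):
    """True for passwords of the form <organisation name><digits/symbols>,
    e.g. 'solarwinds123' or 'Verkada2021!' (case-insensitive).

    Letters after the name (e.g. 'verkadafan') do not match, so the check
    targets exactly the name-plus-suffix habit and not every mention of the name.
    """
    lowered = password.lower()
    for name in org_names:
        pattern = re.escape(name.lower()) + r"[\d\W_]*"
        if re.fullmatch(pattern, lowered):
            return True
    return False


def assess_password(password, org_names=()):
    """Return the list of problems found; an empty list means the password passed."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if is_breached(password):
        problems.append("found in breach corpus")
    if matches_org_pattern(password, org_names):
        problems.append("organisation name plus suffix")
    return problems


if __name__ == "__main__":
    orgs = ["SolarWinds", "Verkada"]  # assumed organisation names for the demo
    for candidate in ["solarwinds123", "Verkada21!", "correct horse battery staple"]:
        print(candidate, "->", assess_password(candidate, orgs) or "ok")
```

The breach check hashes the password locally and only ever exposes a 5-character prefix to whatever backs `range_lookup`; the full hash, let alone the password, is never transmitted. Run at sign-up and at password change, this catches both halves of the page's advice: a password already circulating in a dump, and a password an attacker would guess from the company name alone.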
In 2021, hackers based in Switzerland gained access to over 150,000 Internet-connected security cameras operated by the US company Verkada.
The hacktivist group APT-69420 told CBS News that it had found a Verkada administrator username and password stored on an unencrypted, publicly reachable subdomain.
“We do scans for very broad vectors looking for vulnerabilities. This one was easy. We simply used their web app the way any user would, except we had the ability to switch to any user account we desired. We did not access any server. We simply logged into their web UI with a highly privileged user (account),” group representative Till Kottmann said.
The hack exposed security videos belonging to companies like Tesla and even footage from a prison facility. Kottmann said the group was not motivated by money; it wanted to highlight how easy it was to access online cameras in private locations.
She also described security on Verkada systems as “non-existent and irresponsible”.
The company told CBS News that it had disabled all internal administrator accounts to prevent further unauthorised access after the hack was reported.
All it took was one stolen email password for a hacker to gain access to the computer system of New York City’s Law Department.
The New York Times reported that the June 2021 hack was also enabled by the department’s failure to implement multi-factor authentication, despite a city-wide directive requiring it that was first announced in 2019.
After the breach was discovered, the department announced that it had to limit access to its networks to bolster its security. As a result, the city’s attorneys were unable to remotely access documents and case files, and since most could not go to the office during the pandemic, the city’s legal work slowed down.
In addition, the personal data of the department’s employees may also have been exposed in the breach.
One month after the breach, the New York Times revealed that the fallout from the hack might continue to vex the 1,000-lawyer agency for much longer than initially expected. No ransom demand was reported.
In 2013, a Ticketmaster employee began using login credentials from his former employer, a rival ticketing company, to illegally access accounts on an app that the rival used to track ticket sales. He also passed details such as confidential URLs, financial documents and draft web pages the rival had built for artistes on to Ticketmaster.
According to a report by ZDNet, Ticketmaster used the information to benchmark its own performance against the rival and used it in sales pitches.
The scheme was uncovered in 2015 after the rival company went out of business and launched an antitrust lawsuit against Ticketmaster. Variety reported that Ticketmaster paid a US$10mil (RM42mil) fine in 2020 to avoid prosecution over charges that it had illegally accessed the rival company’s systems. Employees involved in the scheme were also fired.