The top 4 instances when a weak password led to a major hacking incident


From elected officials to everyday users, the risks of having easily guessed passwords are real.


Weak passwords are often the root cause of data breaches, hacks, and other cybersecurity incidents. They’re the weak link in the chain, easily guessable by hackers looking to brute force their way into a business or individual’s online accounts. Once inside, they can wreak havoc as they maraud around an internal server, obtaining information about their target and using it to launch further attacks.

Around one in three respondents to a Bitwarden survey said that they’d experienced a data breach in the last 18 months because of a poor password choice. Picking a commonly used password, or a simple one for your key accounts, is a surefire way to find yourself in trouble.

It’s a story that has repeated itself time and time again throughout history. Large companies, small organisations and governments have all fallen victim to major hacking incidents, in large part because their passwords weren’t good enough.

Let’s look at four of the most glaring examples of poor password hygiene leading to cybersecurity incidents:

1. The Northern Irish parliament, 2018

In 2018, the elected officials of the Northern Irish parliament found that a number of their accounts had been affected by a brute force attack. The attackers had guessed their passwords from a list of commonly used ones and gained entry into parliamentary systems. Once inside, they accessed the mailboxes of assembly members, which contained potentially private information, including correspondence from constituents. It was a damning indictment of the level of security some politicians put on their passwords, and members were subsequently advised not to use basic, single-word passwords.

2. Taobao customers, 2016


One of the largest brute force attacks to exploit weak passwords occurred in 2016. In this incident, 21 million user accounts were directly compromised by an attack that targeted easy-to-guess passwords. Once in, the hackers found a goldmine, gaining further unauthorized access to 99 million usernames and passwords. The attackers succeeded for two reasons. First, many users had reused the same password for Alibaba-owned Taobao as on other accounts that had previously been compromised. Second, a huge number of users had simple passwords that are commonly used and easily guessable.

3. GitHub, 2013

Often cited as the textbook example of a brute force attack against weak passwords, the 2013 attack on the code repository GitHub allowed attackers to get around the measures the site had put in place to store passwords securely. The attack affected an unknown number of users, because GitHub declined to share that information. In the post-mortem, researchers identified an astonishing number of brute force login attempts, executed from nearly 40,000 separate IP addresses.

4. The Canadian Revenue Agency, 2020

A more recent password-related attack hit the Canadian Revenue Agency (CRA) in August 2020. As part of the digitalisation of government services, ordinary Canadians had been encouraged to adopt digital alternatives to filing key revenue documents. They were also advised to use a tool called GCKey, the Government of Canada’s Key service. GCKey acted as a one-stop shop for accessing government services across the country. This worked well in principle, but not once it became the subject of a massive hack that granted the attacker access to linked user profiles. In all, over 11,000 accounts were compromised in the brute force attack, which specifically targeted weak passwords. But what was the way in? As with many of these incidents, the hackers took advantage of previously compromised account details.
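The GitHub and CRA cases above share a pattern that per-IP lockouts miss: guesses spread across thousands of sources so that each address tries only once or twice. The following detection script is an added example, not code from any of the organisations named in this article; it assumes a simple constructed auth-log format and aggregates failed logins per account across distinct source addresses, then flags accounts that afterwards succeeded from one of those addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth-log sample (format and addresses assumed, not real data).
SAMPLE_LOG = """\
2013-11-19T10:00:01 FAIL user=alice ip=203.0.113.10
2013-11-19T10:00:04 FAIL user=alice ip=198.51.100.7
2013-11-19T10:00:09 FAIL user=alice ip=192.0.2.44
2013-11-19T10:00:15 FAIL user=alice ip=203.0.113.88
2013-11-19T10:00:21 OK   user=alice ip=203.0.113.88
2013-11-19T10:01:00 FAIL user=bob ip=198.51.100.7
2013-11-19T10:05:00 FAIL user=bob ip=198.51.100.7
2013-11-19T10:06:00 OK   user=carol ip=192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK)\s+user=(\S+) ip=(\S+)$")

def parse(log_text):
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, ip = m.groups()
            yield datetime.fromisoformat(ts), result, user, ip

def find_distributed_bruteforce(events, window=timedelta(minutes=10), min_ips=3):
    """{user: ips} for accounts with failures from >= min_ips distinct sources
    inside one window. Per-IP lockouts miss this: each source tries only once."""
    fails = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "FAIL":
            fails[user].append((ts, ip))
    flagged = {}
    for user, attempts in fails.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            ips = {ip for ts, ip in attempts[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                flagged[user] = ips
                break
    return flagged

def success_from_attacker(events, flagged):
    # Flagged accounts that later logged in from one of the attacking sources.
    return sorted({user for ts, result, user, ip in events
                   if result == "OK" and ip in flagged.get(user, ())})

if __name__ == "__main__":
    ev = list(parse(SAMPLE_LOG))
    hits = find_distributed_bruteforce(ev)
    print(hits, success_from_attacker(ev, hits))
```

On the sample, "alice" is flagged (four sources in fifteen seconds) and then reported as likely compromised, while "bob" is not, since both of his failures came from a single address.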