Top 10 password offenders 2021: worst password misfortunes of the year

Updated on: 14 March 2022

Jurgita Lapienytė
Chief Editor

Poor and reused passwords cause a whopping 80% of data breaches. In 2021, we mark some of the worst password mishaps in this century.

Dashlane, a password manager and digital wallet application, released its sixth annual list of the year’s worst password offenders, highlighting the companies and organizations with the most significant password-related misfortunes of 2021.

“Password breaches are serious — even a small vulnerability can cause serious damage to both individuals and organizations. Companies need to remember the importance of creating a culture of security to protect valuable company data, and individuals need to stay informed on the latest phishing scams to avoid losing control over their personal information,” JD Sherman, CEO of Dashlane, told CyberNews.

According to the company, the list serves as a reminder of how easy it is to make an internet faux pas, even when we think we’re protected. Verizon’s 2021 Breach Investigations report shows that the average cost of a data breach is $4.24 million and that 80% of breaches are caused by weak, reused, and stolen employee passwords.

Here are the worst password misfortunes of the year, according to Dashlane:

1. SolarWinds: Top executives of SolarWinds believe that the root cause of the supply chain attack was an intern who has used a weak password for several years. The initial investigation suggested that the password “solarwinds123” was publicly accessible via a misconfigured GitHub repository since June 17, 2018.

2. COMB: It's being named the biggest breach of all time and the mother of all breaches: COMB, or the Compilation of Many Breaches, contains more than 3.2 billion unique pairs of cleartext emails and passwords. While many data breaches and leaks have plagued the internet in the past, this one is exceptional in the sheer size of it. To wit, the entire population of the planet is at roughly 7.8 billion, and this is about 40% of that.

3. Verkada: After an international hacker collective breached its systems with a username and password found on the internet, they accessed Verkada customer cameras, which ranged from the Technoking of Tesla’s factories and warehouses to Equinox gyms, hospitals, jails, and schools.

4. RockYou2021: What seems to be the largest password collection of all time has been leaked on a popular hacker forum. A forum user posted a massive 100GB TXT file that contains 8.4 billion entries of passwords, which have presumably been combined from previous data leaks and breaches.

According to the post author, all passwords included in the leak are 6-20 characters long, with non-ASCII characters and white spaces removed. The compilation itself has been dubbed ‘RockYou2021’ by the forum user, presumably in reference to the infamous RockYou data breach that occurred in 2009 and rockyou2021.txt filename containing all passwords, when threat actors hacked their way into the social app website’s servers and got their hands on more than 32 million user passwords stored in plain text.

5. Facebook: The way Facebook handles user data continues to be a juicy topic of conversation at every dinner party. In April, 533 million Facebook users were exposed in a data breach. Experts have been raising red flags long before this incident, claiming that this privacy issue was severely under-reported. Security experts warn that leaked data could be used not only for marketing purposes but also for impersonating people and committing fraud.

6. Ticketmaster: Employees utilized unlawfully obtained passwords to hack a rival company’s computer systems. During a year where people were avoiding coughs, the ticket sales and distribution company coughed up a $10 million fine from the hack.

7. GoDaddy/WordPress: Web registrar and hosting company GoDaddy submitted a filing to the Securities and Exchange Commission (SEC), revealing that email addresses of up to 1.2 million Managed WordPress customers of the company had been accessed by an unauthorized third party.

8. ActMobile Networks: ActMobile Networks, which operates several VPN brands, continues to deny the compromise of 45 million user records that included email addresses, encrypted passwords, full name and username; 281 million user device records including IP address, county code, device and user ID; and 6 million purchase records including the product purchased and receipts.

9. DailyQuiz.me: 8.3 million. credentials were stolen from user accounts on DailyQuiz.me’s website. The attackers exfiltrated the site’s database, which was then offered for sale on underground forums and Telegram channels. The database contents include plaintext passwords, emails, and IP addresses.

10. New York City Law Department: New York City’s Law Department holds some of the city’s most closely guarded secrets: evidence of police misconduct, identities of young children charged with serious crimes, plaintiffs’ medical records and personal data for thousands of city employees. But all it took for a hacker to infiltrate the 1,000-lawyer agency’s network in June was one worker’s stolen email password.

Sherman believes that people and businesses are aware of the threats, but they just think it’s too hard, or too much of a hassle to deal with. So they “just take their chances.”

“A strong cybersecurity culture needs to come from the top down, but it can’t be accomplished without true partnership from the entire organization. The most effective way to build good cyber hygiene is by helping people understand the role they play in your company’s security, moving away from scolding and punishment for poor security practices, and making sure people have the tools necessary to be part of the final outcome: a business that can focus on its strategic goals rather than the security risks lurking around the corner,” Sherman told CyberNews.

How to make your password unguessable

If you wish to avoid someone else guessing their password, simply hiding it from everyone else won't be enough.

First, make sure to use our free password leak checker to see if your password is unique and hasn't been already leaked or cracked by threat actors.

Second, only use strong and complex passwords for all of your online accounts. You can create one yourself or, if you're in a hurry, generate it using our free password generator.

With that said, while generating complex passwords might be easy, memorizing them is usually much harder. Therefore, the best passwords are the ones that you don't have to remember at all.

For this reason, we normally strongly recommend that people use password managers. These are special tools that store all your passwords in one secure, encrypted vault. Whenever you need to enter your credentials for an account, it's just one click away.

Top 10 password offenders 2021: worst password misfortunes of the year

How to make your password unguessable

More from CyberNews: