Over and over and over again we hear the same old story…change your password…use a strong, hard to guess password…don’t use the same password twice. Your reaction is probably something like this. “But it’s too hard to remember all the passwords I have for my work email, my social media accounts, my bank account, Amazon, Netflix, my Uber Eats, etc. If one of those gets hacked, how will anybody know what other accounts I have? It’s just easier to use the same password.”
If any of the accounts you have access to is hacked, that password is DONE. The attackers can use the same username and password on any other site – social media, shopping, banking, etc. – or even on an email account, and send emails out as you.
If you used your work email address as your username, the cyber criminal can just go to your company's login page, enter that username (email) and password, and they're in your network. If you used a different username, they can look you up on LinkedIn, Facebook or Google to find out where you work. Company email address formats are usually easy to figure out, and they then try the password that was leaked to the Dark Web from your hacked account.
Does this really happen? Yes, as a matter of fact, it happens ALL THE TIME! If it didn’t, the Dark Web would not be full of email addresses and passwords.
Agari Cyber Intelligence Division (ACID) conducted a study of 8,000 credentials on phishing sites and found that 20% of the accounts were accessed by threat actors within the first hour of posting while 91% were accessed within the first week.
Real-world disastrous examples have flooded the airwaves and affected our pocketbooks in just the last two months. The Colonial Pipeline ransomware attack was initiated after a compromised username and password were exploited. Although it was an account that was no longer used, it was still active (that is, it had not been deleted from the system). Likely what happened was that a Colonial Pipeline employee had used the same password that they used on their work account on another account that was hacked.
The list of solutions includes:
1. Employees should NOT use the same password for all accounts.
2. The IT department must delete accounts once they are no longer needed.
3. Multi-Factor Authentication (MFA) must be used, so that even if a username and password are compromised, not having the MFA factor keeps the attacker out.
So make your life easier and your business safer: use a different password for every account, and use MFA wherever you can.