SpyCloud’s annual Identity Exposure Report found that 70% of previously breached passwords are still in use -- a clear warning that password hygiene is still alarmingly lax.
The report draws on a combination of human intelligence and analysis of SpyCloud’s database of recaptured assets. Researchers identified 1.7 billion exposed credentials -- a 15% increase from the prior year -- and 13.8 billion recaptured personally identifiable information (PII) assets obtained from breaches in 2021.
Findings pointed to a range of poor password practices, including using weak, common, or easy-to-guess passwords, that expose consumers and companies to cyberattacks or fraud. For example, among exposed plaintext credentials, researchers uncovered 45 million instances of “pass,” 12.7 million of “123456,” and 7.5 million of “password.”
Reusing weak passwords across multiple accounts poses a particularly elevated risk. Individuals frequently own hundreds of online accounts, so when one credential is compromised, every account with the same or a similar password could be subject to takeover. In 2021, 64% of users exposed in two or more breaches reused compromised passwords across multiple accounts -- a four-point increase from last year’s report. More than 82% of the reused passwords analyzed were exactly the same (not even a slight variation like a number or special character added).
With so many accounts to keep track of, users are often unaware of their level of exposure. Account holders who never change a password once it has appeared in a breach, or who change it only to a slight variant of the same word, can unwittingly leave a compromised credential in place long after it has been exposed.
The report also revealed a strong correlation between compromised passwords and current events and pop culture. Password choices that reflect common interests are often easier for criminals to guess. The titles of popular Marvel shows like Loki and WandaVision were used in over 650,000 exposed credentials. About 52,000 passwords were connected to Britney Spears or the Free Britney movement. Politics, sports, and the COVID-19 pandemic were common themes across report data.
The risks of bad password hygiene were demonstrated in the diversity of PII assets analyzed in the report. In addition to account credentials, criminals targeted names, addresses, phone numbers, marital status, dates of birth, and more. Extensive personal information is dangerous in the hands of criminals because it can be used to defeat identity-verification steps such as knowledge-based security questions and account-recovery flows, which gives attackers a path around multifactor authentication without breaking the second factor itself.
Finally, the SpyCloud Identity Exposure Report highlighted the growing threat of fraud driven by infostealer malware. Researchers identified botnet logs harvested from malware-infected devices, which can give criminals an all-access pass to a user’s online presence. By siphoning everything from browser-saved passwords to detailed browser fingerprints, web session cookies and other data, criminals can replay a victim’s live session and bypass the login step, and any multifactor prompt attached to it, altogether.
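The session-cookie replay described above succeeds because a bare session token is a bearer credential: whoever holds it is the user. The following is an added example, not code from the report or from SpyCloud, showing one server-side mitigation: each session is bound at issuance to a keyed hash of the client context it was created from, and a later request presenting the same token from a different context is treated as theft, the session is revoked, and the user is forced to re-authenticate. The store, the server key, the context fields and the status strings are all hypothetical; the constructed requests at the bottom stand in for a legitimate client and an attacker replaying the stolen cookie.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical in-memory session store: token -> issuance record.
# A real deployment would use a shared store (Redis, database) instead.
SESSIONS = {}
# Assumption: a per-deployment secret so stored fingerprints are useless if the store leaks.
SERVER_KEY = secrets.token_bytes(32)


def fingerprint(user_agent: str, client_ip: str) -> str:
    """Keyed hash of the client context a session was issued to.

    Only coarse, stable signals belong here. Binding to the full IP is shown
    for clarity; mobile clients change address often, so production code would
    use a coarser value (network prefix or ASN) to limit false positives.
    """
    material = f"{user_agent}|{client_ip}".encode()
    return hmac.new(SERVER_KEY, material, hashlib.sha256).hexdigest()


def issue_session(user: str, user_agent: str, client_ip: str,
                  ttl_seconds: int = 3600, now: float = None) -> str:
    """Create a session after successful authentication and bind it to the
    issuing context. Short TTLs limit how long a stolen cookie stays useful."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {
        "user": user,
        "fp": fingerprint(user_agent, client_ip),
        "expires": now + ttl_seconds,
    }
    return token


def validate_session(token: str, user_agent: str, client_ip: str,
                     now: float = None) -> str:
    """Check a presented cookie. Returns 'ok' or a reason the request must
    fall back to a full login."""
    now = time.time() if now is None else now
    record = SESSIONS.get(token)
    if record is None:
        return "invalid"
    if now > record["expires"]:
        SESSIONS.pop(token, None)
        return "expired"
    if not hmac.compare_digest(record["fp"], fingerprint(user_agent, client_ip)):
        # Same token, different client: treat as a replayed/stolen cookie.
        # Revoking it also kicks out the legitimate user, which is the point:
        # the account owner must re-authenticate and the thief cannot.
        SESSIONS.pop(token, None)
        return "revoked_context_mismatch"
    return "ok"


if __name__ == "__main__":
    # Constructed requests: the victim's browser, then an attacker replaying the cookie.
    victim_ua, victim_ip = "Mozilla/5.0 (Windows NT 10.0) Firefox/99.0", "203.0.113.5"
    cookie = issue_session("alice", victim_ua, victim_ip)
    print("victim:", validate_session(cookie, victim_ua, victim_ip))
    print("attacker:", validate_session(cookie, "Mozilla/5.0 (X11; Linux) Chrome/100.0", "198.51.100.7"))
    print("victim after revocation:", validate_session(cookie, victim_ua, victim_ip))
```

Because infostealers also capture the browser fingerprint, an attacker using an anti-detect browser can reproduce the user agent, so context binding raises the bar rather than closing the hole; pair it with short session lifetimes, re-authentication for sensitive actions, and invalidation of all sessions when a compromised-credential feed reports the account.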
In light of these trends, the report underscored the importance of responsible password behavior. With cyber threats on the rise, consumers and companies alike must take proactive steps to protect themselves. Those steps include using a password manager to keep a unique password for every account, and subscribing to compromised-asset monitoring so that an exposed credential is rotated when it appears in a breach rather than years later. Users should also employ long, hard-to-guess passphrases and exercise caution with unverified links, attachments, and applications that could carry infostealer malware.