A gang of Russian hackers recently stole more than 1 billion usernames and passwords, and they likely got help from an unlikely accomplice: you.
Our habit of using the same passwords over and over makes it relatively simple for hackers to commit identity theft by connecting all of those stolen credentials to sensitive accounts, such as email or online banking, according to E.J. Hilbert, a former FBI cyber agent and current managing director for Kroll, a computer security firm.
“You’re making the hackers' job a lot easier because that one password is not just the key to one website. It’s the key to everything,” Hilbert said.
The Russian hackers amassed all those credentials by buying stolen passwords on the black market and by using botnets, or networks of infected computers, to test which website databases were vulnerable to being hacked, according to the cybersecurity firm Hold Security, which disclosed the theft Tuesday. The hackers stole usernames and passwords from 420,000 websites, the firm said.
Which websites they stole from may not matter, because most consumers reuse the same log-in credentials across the web. Studies have found that about two-thirds of consumers use the same username and password for multiple online accounts.
"This is what hackers rely on," Hilbert said. "They know you use the same password over and over again.”
The first thing hackers do after stealing large caches of usernames and passwords is run an automated program that tests whether the log-in credentials will work on various popular websites, Hilbert said. (Security practitioners call this credential stuffing: the attacker is not guessing passwords, only replaying known pairs against other sites.)
“They use that login for Gmail, for Facebook and for Twitter to see if they can gain access,” Hilbert said. “Then they’ll say, 'If it works on Gmail, let’s see if it works on a bank account.'”
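What that automated testing looks like from the defender's side, as an added example that is not part of the article: a site's authentication log shows one source walking through many different usernames with mostly failed attempts, which is the signature of a stolen list being replayed rather than of one person mistyping a password. The log format, the IP addresses, the usernames and the thresholds below are all constructed for illustration.

```python
# Added example (not from the article): flagging credential stuffing in an
# authentication log, and listing the accounts it actually got into.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, username, outcome.
# 203.0.113.7 replays a stolen list (many users, one hit);
# 198.51.100.4 is a real user fumbling one password.
SAMPLE_LOG = """\
2014-08-05T10:00:01Z 203.0.113.7 login user=alice result=fail
2014-08-05T10:00:02Z 203.0.113.7 login user=bob result=fail
2014-08-05T10:00:02Z 203.0.113.7 login user=carol result=success
2014-08-05T10:00:03Z 203.0.113.7 login user=dave result=fail
2014-08-05T10:00:03Z 203.0.113.7 login user=erin result=fail
2014-08-05T10:00:04Z 203.0.113.7 login user=frank result=fail
2014-08-05T10:00:10Z 198.51.100.4 login user=alice result=fail
2014-08-05T10:00:20Z 198.51.100.4 login user=alice result=fail
2014-08-05T10:00:40Z 198.51.100.4 login user=alice result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) login user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, ip, user, succeeded); silently skip lines that don't match."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["ip"], m["user"], m["result"] == "success"


def find_credential_stuffing(text, window=timedelta(minutes=5),
                             min_users=5, max_success_rate=0.5):
    """Return {ip: (distinct_users, attempts, successes)} for sources that tried
    at least `min_users` different accounts inside one `window` with a low
    success rate. Thresholds are assumptions; tune them to your own traffic."""
    per_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(parse_log(text)):
        per_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in per_ip.items():
        # Sliding window: start at each event, look ahead until the window closes.
        for i, (start, _, _) in enumerate(events):
            in_win = [e for e in events[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_win}
            successes = sum(1 for _, _, ok in in_win if ok)
            if len(users) >= min_users and successes / len(in_win) <= max_success_rate:
                flagged[ip] = (len(users), len(in_win), successes)
                break
    return flagged


def accounts_to_alert(text, **thresholds):
    """Usernames that logged in successfully from a flagged source: these are the
    reused passwords the attacker now holds, and their owners should be told."""
    flagged = find_credential_stuffing(text, **thresholds)
    return sorted({user for _, ip, user, ok in parse_log(text) if ok and ip in flagged})


if __name__ == "__main__":
    print(find_credential_stuffing(SAMPLE_LOG))
    print(accounts_to_alert(SAMPLE_LOG))
```

The signal is the number of distinct usernames per source, not the number of failures: a brute-force attempt hammers one account, a stuffing run touches each account once and moves on. The single success in the constructed log is exactly the case the article describes, a password reused from some other breached site, so the account is listed for a forced reset rather than treated as a normal login.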
Tech companies also know you reuse passwords, and some are trying to use that information to help you out. In November, after Adobe got hacked, Facebook sorted through a public database of millions of leaked Adobe accounts that were posted online. If any Adobe credentials matched those of a Facebook account, the social network sent alerts to those users, urging them to change their passwords immediately.
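The Facebook check described above can be done without ever storing the leaked passwords, as the following added example shows (this is not Facebook's code and does not reproduce its internal process). A site keeps only a salted, slow hash of each password; to find users who reuse a leaked one, it hashes the leaked plaintext under that user's own salt and compares. The user table, the dump, the hashing parameters and the email addresses are constructed for illustration.

```python
# Added example (not Facebook's or Adobe's code): matching a leaked
# email:password dump against a site's own salted password hashes.
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption; use whatever your real password store uses


def hash_password(password, salt, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256, the same function used when the user set the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user(email, password):
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}


# Constructed user table. Only bob reuses a password that appears in the dump.
USERS = {u["email"]: u for u in [
    make_user("alice@example.com", "correct horse battery"),
    make_user("bob@example.com", "hunter2"),
    make_user("carol@example.com", "Tr0ub4dor&3"),
]}

# Constructed "leaked dump" in the email:password form such lists circulate in.
# alice's leaked password differs from her password here, dave has no account.
LEAKED_DUMP = """\
alice@example.com:hunter2
bob@example.com:hunter2
carol@example.com:letmein
dave@example.com:123456
"""


def parse_dump(text):
    """Yield (normalised email, leaked password); passwords may contain ':'."""
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        yield email.strip().lower(), password


def users_to_alert(users, dump_text):
    """Emails of users whose current password equals the one leaked for them.
    The leaked plaintext is only hashed under the user's salt and compared in
    constant time; it is never written to the database or the logs."""
    hits = set()
    for email, leaked_pw in parse_dump(dump_text):
        user = users.get(email)
        if user is None:
            continue  # no account here; nothing to compare against
        candidate = hash_password(leaked_pw, user["salt"])
        if hmac.compare_digest(candidate, user["hash"]):
            hits.add(email)
    return sorted(hits)


if __name__ == "__main__":
    print(users_to_alert(USERS, LEAKED_DUMP))
```

The cost is one slow hash per dump entry that matches an existing account, which is cheap next to the cost of a taken-over account. The same comparison can be run at password-change time so that a user cannot pick a password already known to be in a public dump.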
Experts say you don’t have to use a different password for every single account. They recommend a simple throwaway password, such as “123456,” for sites that hold no payment details and nothing personal, provided that password is never shared with an account that matters, and saving your mental bandwidth for remembering complex passwords on accounts that do, such as online banking.
Of course, some people may still find it hard to remember even just a few passwords. That’s why security experts suggest using password managers that not only remember your passwords for you, but also create strong passwords that are hard for hackers to crack.
There are numerous password managers on the market that keep all your accounts behind a single master password.
“All you have to do then is remember one master password,” said Graham Cluley, an independent security expert. “This is what I do, and it's why I don't need to remember what my email password is, or my Twitter password is, etc. ... I have a program that does it for me.”