The Worst Password Hacks Of All Time



2012 was a good year for password hackers - and a tough year for everyone else. In the first half of the year, at least 18 million passwords were exposed in just seven cyberattacks. And with more people - and more hackers - online than ever before, massive hacks seem to be here to stay. A combination of weak passwords and poor encryption has led to some of the worst password hacks in history. Learn how many people were impacted by these attacks and how they happened.


SONY PLAYSTATION NETWORKS & ONLINE ENTERTAINMENT HACK



April 2011: 100 million users' personal information exposed

Sony Group Corporation, abbreviated as SONY, is a Japanese multinational conglomerate headquartered in Minato, Tokyo. As a major technology company, it is one of the world's largest manufacturers of consumer and professional electronic products, as well as the largest video game console manufacturer and publisher. It is one of the largest music companies (largest music publisher and second largest record label) and the third largest film studio through Sony Entertainment Inc, making it one of the most comprehensive media companies. It is Japan's largest technology and media conglomerate. It is also known as Japan's most cash-rich company, with net cash reserves of 2 trillion yen.

What happened

Passwords, account information and credit card numbers for all 77 million of Sony's PlayStation Network users were compromised in April. Sony was criticized for not informing users sooner, and the network was temporarily shut down. In May, it was discovered that Sony Online Entertainment had also been hacked, compromising 24.6 million users' data.

How it happened

One of the Network's most sensitive databases was accessed. Information from an outdated 2007 database was hacked in the Online Entertainment attack.

Possible culprits

Hacking group Anonymous reportedly named Sony as a target shortly before the attacks, but denied involvement. The culprit is more likely to be a cyberthief seeking to profit.

Cost

An estimated $170 million.



ROCKYOU HACK



December 2009: 32.6 million user password & email addresses exposed

RockYou was a company that created MySpace widgets as well as applications for various social networks and Facebook. Since 2014, it has primarily purchased the rights to classic video games; it incorporates in-game advertisements and re-distributes the games. 

What happened

A hacker accessed all of RockYou's accounts. RockYou reportedly failed to notify users, then downplayed the incident. The list served as an invaluable resource for hackers, providing real-world data on the kind of passwords people use.

How it happened

User data was reportedly stored in highly insecure plain text format.

Cost

RockYou paid a $250,000 penalty to the Federal Trade Commission for violating regulations on the protection of children.



LAST.FM HACK



June 2012: 17.3 million user passwords hacked

Last.fm is a music website founded in 2002 in the United Kingdom. Last.fm creates a detailed profile of each user's musical taste by recording details of the tracks the user listens to, whether from Internet radio stations, the user's computer, or many portable music devices, using a music recommender system called "Audioscrobbler." This information is transferred ("scrobbled") to Last.fm's database either through the music player (such as Spotify, Deezer, Tidal, MusicBee, SoundCloud, and Anghami) or through a plug-in installed in the user's music player. The data is then displayed on the user's profile page and compiled to create individual artist reference pages.

What happened

The hack was announced during the "Week of Leaks," in which eHarmony and LinkedIn were also hacked. However, the hack may have occurred a year before, with the hashes appearing on a hacking forum in 2011. All users were asked to reset their passwords.

How it happened

Rumor has it 95% of the hacked passwords were cracked from easy-to-break MD5 hashes.



LINKEDIN/EHARMONY HACK



June 2012: 8 million user passwords leaked

LinkedIn is an American online business and employment service that operates through websites and mobile apps. The platform, which was launched on May 5, 2003, is primarily used for professional networking and career development, and it allows job seekers to post their CVs and employers to post jobs.

Eharmony (also spelled eHarmony) is a dating website that debuted in 2000. Nucom ecommerce, a joint venture of German mass media company ProSiebenSat.1 Media and American private equity firm General Atlantic, owns eHarmony and is headquartered in Los Angeles, California. 

What happened

An estimated 1.5 million eHarmony passwords and 6.5 million LinkedIn passwords were posted as password hashes on a Russian web forum. Users also received emails asking them to click to verify their email addresses.

How it happened

With LinkedIn numbering 160+ million users, it's believed the culprit cracked only the easiest passwords.

Cost

$500,000-$1 million for forensic work on the hack; $2-$3 million in LinkedIn security upgrades.



GAWKER HACK



December 2010: 1.25 million user accounts hacked

Gawker Media LLC (formerly Blogwire, Inc. and Gawker Media, Inc.) was a blog network and online media company based in the United States. It was founded in October 2003 as Blogwire by Nick Denton and was based in New York City. Gawker Media, based in the Cayman Islands, was the parent company for seven different weblogs and numerous subsites as of 2012: Gawker.com, Deadspin, Lifehacker, Gizmodo, Kotaku, Jalopnik, and Jezebel. The Creative Commons attribution-noncommercial licence governs all Gawker articles. The company changed its name from Blogwire, Inc. to Gawker Media, Inc., and then to Gawker Media LLC shortly after.

What happened

Gawker Media servers were hacked, and account information, along with a 20,000-word manifesto, was made available via BitTorrent. A Twitter virus was reportedly connected. Employee usernames and passwords, including founder Nick Denton's information, were released.

How it happened

Passwords were protected with the Data Encryption Standard (DES), weak enough that hackers could learn the first 8 characters of a password.

Culprit

Hacking group Gnosis, possibly in retaliation for the site's coverage of 4Chan and/or hacking group Anonymous.



YAHOO HACK



450,000 user passwords & emails hacked

Yahoo! is a web services provider based in the United States. It is headquartered in Sunnyvale, California, and is operated by Yahoo Inc., which is 90% owned by Apollo Global Management investment funds and 10% owned by Verizon Communications.

It offers a web portal, the search engine Yahoo Search, and a variety of related services such as My Yahoo!, Yahoo Mail, Yahoo News, Yahoo Finance, Yahoo Sports, and its advertising platform, Yahoo! Native. Yahoo was founded in January 1994 by Jerry Yang and David Filo and was a pioneer of the early Internet era in the 1990s.

What happened

Hackers claimed they were just trying to expose weaknesses in Yahoo!'s online security. Some non-Yahoo IDs may have been breached, as well.

How it happened

Hackers likely breached a Yahoo! Voices server using an SQL injection attack. Passwords may not even have been encrypted, hackers said.

Culprit

D33Ds Company, hacking group.



HOW PASSWORDS ARE HACKED

  • 50% of passwords use dictionary words, slang, or common number/letter arrangements like "12345"
  • In 17 minutes, hackers can break into 1,000 accounts by taking advantage of weak passwords + automated attacks
  • 60% of people use the same password on multiple sites, making them more vulnerable

Most common passwords in LinkedIn theft:

  1. link
  2. 1234
  3. work
  4. god
  5. job
  6. 12345
  7. angel
  8. the
  9. ilove
  10. sex


Choosing smart passwords and varying your passwords between sites is your first defense.


 
