According to Verizon’s 2022 Data Breach Investigations Report:
- Over 80% of hacking-related breaches involved stolen or weak passwords.
- Password-related issues are a significant factor in cybersecurity threats.
- 81% of hacking-related breaches were caused by the use of stolen passwords.
- Weak passwords were also a contributing factor to these breaches.
- The use of stolen or weak passwords makes it easier for hackers to gain unauthorized access to sensitive information.
Past Data Breaches Caused by Weak Passwords
The consequences of a data breach can be severe, resulting in not only financial losses but also damage to a company’s reputation and loss of customer trust. According to the 2022 Cost of a Data Breach Report by IBM Security and Ponemon Institute, a data breach in the US costs an average of $9.44 million, and globally it costs an average of $4.35 million. Below are some alarming incidents that occurred in recent years, all caused by weak passwords:
- Microsoft, March 2021: Suffered a cyberattack by the Chinese hacking group Hafnium, which targeted hundreds of thousands of on-premises servers using stolen passwords and created web shells on them to remotely steal email data.
- Verkada, March 2021: Hackers breached the security cameras of over 5,000 customers using an admin password that had been leaked online in a misconfigured customer support server. 16 customers had credentials breached.
- New York City Law Department: An attacker used a single employee’s stolen email account password to access sensitive information of thousands of city employees, evidence of police misconduct, medical records for plaintiffs, and the identities of children charged with serious crimes. The intrusion was possible due to a lack of multifactor authentication compliance.
- GoDaddy: A security breach compromised the accounts of over a million of its WordPress customers. Attackers used a compromised password to hack into the provisioning system in the company’s legacy code for Managed WordPress, and access was blocked after two months.
- Zoom, 2020: The video conferencing platform Zoom faced backlash after several reports of “Zoom-bombing” – uninvited attendees disrupting meetings – surfaced. The issue was caused by weak passwords and the lack of a password policy.