2020 was an unprecedented year in many ways, and data breaches were no exception. According to fraud detection vendor SpyCloud's 2021 Annual Credential Exposure Report, there were 33% more breach sources in 2020 compared to 2019. Of those breaches, there were at least 1,486,416,779 stolen credentials in 2020 alone. Here's a look at the top data breach trends of 2020, how risky password behavior compounded their impact and how businesses can protect critical data in an increasingly risky environment.
2020 introduced dangerous data breach trends
According to SpyCloud's report, the boundaries between employees' work and personal digital lives blurred in 2020. An uptick in the overlap between personal and corporate data collected in botnet logs indicated that employees are increasingly using personal devices for work and corporate devices for play. This is a concern because IT traditionally manages corporate-owned devices, but not personal devices. If an employee accesses the company's systems with a compromised device, cyber attackers have a glide path right into the corporate network.
In November 2020, 23,600 hacked databases were leaked from a defunct "data breach index" called Cit0day, a popular service on the dark web where cyber attackers can access leaked data. This superbreach bundled a collection of older data breaches into a convenient package for malicious actors, making it easier for them to stage credential stuffing attacks using stolen credentials. In these credential stuffing attacks, cyber attackers attempt to use stolen login and password information associated with one account to log into a different account.
Supply chain attacks also represented one of the major data breach trends of 2020. At the close of the year, it was revealed that bad actors had used SolarWinds' update service to slip in a Trojan Horse that allowed them to infiltrate over 17,000 enterprises and government agencies including the U.S. Department of Homeland Security, the U.S. Treasury Department and Microsoft.
Risky password behavior made businesses vulnerable in 2020
Risky password behavior compounded the impact of these data breach trends. According to the SpyCloud report, 106 million users had at least two passwords exposed in 2020. Within this group, 60% of users had re-used at least one password across more than one account and 97.4% of them re-used passwords that were an exact match. An additional 1.8% of users simply added one or two numbers at the end of the password.
Sometimes employees used weak passwords that are incredibly easy to guess or crack. According to SpyCloud's research, the password "123456789" was found over 3.6 million times in data breaches. Another popular password, unfortunately, was "password" itself. It showed up 1.2 million times.
These password trends should serve as a warning to businesses. The average person, if exposed just once, will ultimately be included in eight to ten breaches, three to four of which could take place within a given year. An employee could easily put business data at risk by re-using passwords across multiple accounts, including their work accounts. Case in point: 150,000 security cameras at a Silicon Valley security company were hacked earlier this year because a single password was compromised.
Hashing algorithms can protect PII data, but they have limitations
With the dark web awash in billions of personally identifiable information (PII) assets such as stolen login credentials, it's important for businesses to know how they can protect this information in the event it is breached. As SpyCloud notes, the industry standard is to hash stored passwords and other sensitive data so malicious actors can't easily decipher them. Accordingly, businesses should safeguard corporate, employee and customer data by modernizing their password hashing techniques.
Even the most sophisticated hashing algorithm cannot adequately shield data when users choose weak or common passwords, however. Here, too, we see the consequences of poor password behavior. When PII data is compromised, criminals can use it to make credit card purchases and help themselves to funds in financial accounts. This is as true for a company's financial accounts as it is for the employees' own personal financial accounts.
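The following added example (not from the SpyCloud report or the original article) stores passwords with salted scrypt and shows the limitation described above: the per-user salt hides that two users share a password, yet a stored record for a common password is still identified by checking it against a short deny-list. The deny-list, the scrypt work factors and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed deny-list: the two passwords the article names as most common.
COMMON_PASSWORDS = ("123456789", "password")

# scrypt work factors (assumed for illustration; tune to your hardware).
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)


def hash_password(password, salt=None):
    """Return (salt, digest) using scrypt with a random per-user salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)
    return salt, digest


def verify_password(password, salt, expected):
    """Recompute the digest and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def matches_deny_list(salt, digest):
    """Audit a stored record: return the deny-listed password it hides, if any."""
    for candidate in COMMON_PASSWORDS:
        if verify_password(candidate, salt, digest):
            return candidate
    return None


def set_password(password):
    """Screen at enrolment, because hashing cannot rescue a common password."""
    if password.lower() in COMMON_PASSWORDS:
        raise ValueError("password is on the common-password deny-list")
    return hash_password(password)


if __name__ == "__main__":
    salt_a, weak_a = hash_password("123456789")
    salt_b, weak_b = hash_password("123456789")
    print("same password, different digests:", weak_a != weak_b)
    print("audit still identifies it:", matches_deny_list(salt_a, weak_a))
```

Screening in `set_password` is the control that closes the gap, since the slow hash only raises the cost per guess and a common password needs very few guesses.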
A business password manager helps businesses reduce cybersecurity risk
Sometimes fear of forgetfulness drives bad password behaviors — after all, with so much of our work and personal lives taking place online, it's more important than ever to be able to access our accounts. Businesses can address this concern by providing employees with a good password management tool. With a password manager, employees can simply store all of their passwords in an encrypted vault and then securely access them from any device. Whenever they need to log into an account, the password manager will automatically fill it in for them.
A business password manager also addresses the riskiest password behavior SpyCloud observed in 2020, alerting employees when they are re-using the same password for multiple accounts or when they are using weak passwords on any of their accounts. Rather than forcing them to conjure up an appropriate password on their own, this password management tool can generate a unique, secure password for every account that needs one.
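As an added illustration (not code from any particular password manager or from the original article), the reuse alert can be sketched as a local vault audit that flags the two patterns the report quantifies: exact-match reuse, and variants that only append one or two digits. The vault contents are constructed sample data and the function names are hypothetical.

```python
import re
from collections import defaultdict

# One or two digits at the very end, preceded by a non-digit character.
# This is the "added one or two numbers" variant the report describes.
TRAILING_DIGITS = re.compile(r"(?<=\D)\d{1,2}$")


def base_form(password):
    """Strip a one- or two-digit suffix so 'Harbor' and 'Harbor7' compare equal."""
    return TRAILING_DIGITS.sub("", password)


def audit_reuse(vault):
    """Return accounts sharing an exact password and accounts sharing a base form."""
    by_password = defaultdict(list)
    by_base = defaultdict(set)
    for account, password in vault.items():
        by_password[password].append(account)
        by_base[base_form(password)].add(password)

    exact = sorted(sorted(accts) for accts in by_password.values() if len(accts) > 1)

    near = []
    for variants in by_base.values():
        if len(variants) > 1:  # same base, but at least two distinct spellings
            near.append(sorted(a for a, pw in vault.items() if pw in variants))
    return {"exact": exact, "near": sorted(near)}


# Constructed sample vault (account name -> password), for illustration only.
SAMPLE_VAULT = {
    "mail": "Harbor-Lantern",
    "vpn": "Harbor-Lantern",
    "bank": "Harbor-Lantern7",
    "forum": "Tulip!Quartz93",
    "wiki": "mJ4#pT9qLz",
}

if __name__ == "__main__":
    report = audit_reuse(SAMPLE_VAULT)
    print("exact reuse:", report["exact"])
    print("digit-suffix variants:", report["near"])
```

The audit runs over plaintext only inside the unlocked vault; a server that stores salted hashes cannot perform the digit-suffix comparison, which is why this check belongs in the client.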
Dark web monitoring alerts employees when their credentials have appeared in a breach, giving them an opportunity to reset the password on a compromised account before it can be accessed or used in a credential stuffing attack. Lastly, a business password manager can give IT visibility into users' password behavior and enforce password policies so the business, its employees and customers are not at needless risk.
Protect your business from these data breach trends with strong password management
Cyber attackers are waging increasingly ambitious campaigns on a larger scale. The data breach ripple effect combined with risky password behavior has made businesses more vulnerable than ever. Companies can protect themselves, their employees and their customers with smart password management tools. By taking this proactive step, they can more confidently manage the risks of an increasingly dangerous cyber threat landscape.