More than two-thirds of passwords that have been breached in previous years are still in use, according to the 2022 SpyCloud Identity Exposure Report.
SpyCloud, a leader in account takeover and fraud prevention, has announced its 2022 SpyCloud Identity Exposure Report, an annual report that examines trends related to exposed data.
Through its analysis of this data, SpyCloud found that despite increasingly sophisticated and targeted cyberattacks, consumers continue to engage in poor cyber practices regarding passwords, including the use of similar passwords for multiple accounts, weak or common passwords and passwords containing easy-to-guess words or phrases connected to pop culture.
Taking password security seriously
SpyCloud researchers identified 1.7 billion exposed credentials, a 15% increase from 2020, and 13.8 billion recaptured Personally Identifiable Information (PII) records obtained from breaches in 2021.
“Reused passwords have been the leading vector in cyberattacks in recent years, and the threat of digital identity exposure is a growing problem,” said David Endler, co-founder and Chief Product Officer of SpyCloud. “The findings of our annual report show that users are still not taking password security as seriously as they should. The threat of account takeover is not enacting wholesale improvements to consumer cyber hygiene, and that’s an alarming thought given the frequency of digital identity fraud.”
Reusing passwords is causing more security breaches
SpyCloud's report found that 64% of users with multiple compromised passwords reused similar passwords for multiple accounts. More than 82% of the reused passwords analysed consisted of an exact match to a previous password, and 70% of users tied to breaches last year and in years prior are still using an exposed password. Since 2016, SpyCloud has recaptured more than 25 billion total exposed accounts with passwords.
In addition to reusing passwords for multiple accounts, the report identified a strong correlation between current events and chosen passwords. Report data showed passwords tied to numerous TV shows and movies in 2021, as well as pop and sports culture, including Britney Spears, the COVID-19 pandemic and the Major League Baseball World Series champions, the Atlanta Braves.
“The pandemic left many consumers with a longing for connection to society. In the same way consumers latched on to at-home entertainment via streaming services and sporting events, many reflected their hobbies in passwords from the previous year,” Endler said. “The best defence to safeguard your company, customers and employees is to protect users from themselves by preventing them from selecting previously exposed passwords upon account creation or account password change, and monitoring for third-party exposed credentials and resetting them as quickly as possible after an exposure.”
Protecting businesses from cyber attacks
SpyCloud aims to transform recaptured data to protect businesses from cyberattacks. Its products leverage a proprietary engine that collects, curates, enriches and analyses data from the criminal underground, driving action so enterprises can proactively prevent account takeover and ransomware, and protect their business and consumers from online fraud.
The company’s customers include four of the ten largest global enterprises, mid-size companies, and government agencies around the world. Headquartered in Austin, TX, SpyCloud is home to over 150 cybersecurity experts who aim to make the internet a safer place.
SpyCloud’s database of over 145 billion assets represents data available to criminals for identity fraud attacks. While most individuals have had personal information exposed on the criminal underground, not all users are equally at risk, with exposures varying substantially by the types of data exposed, the recency, and the method of compromise.