Top 10 worst password offenders of 2021
As 2021 marks the 60th anniversary of the computer password's invention, Dashlane has announced its sixth annual list of the year's Worst Password Offenders.
After the events of the past year and more forced us to live our lives online, one might have expected companies and users alike to have sharpened their security practices to better control fraudulent activity and avoid breaches.
"If companies don't start implementing positive password practice across their organisation, the breaches are only going to get bigger and more dreadful," said JD Sherman, CEO of Dashlane. "If your company were a car, you wouldn't step away without rolling up the windows and locking the doors. Yet, computer users seem to be leaving cars running and keys in the ignition. Much of the nuisance associated with good password hygiene is taken care of by a password manager like Dashlane."
Let's take a look at the top 10:
10. New York City Law Department: New York City’s Law Department holds some of the city’s most closely guarded secrets. But all it took for a hacker to infiltrate the 1,000-lawyer agency’s network was one worker’s stolen email password.
9. DailyQuiz.me: 8.3 million credentials were stolen from user accounts on DailyQuiz.me's website. The attackers exfiltrated the site's database, which was then offered for sale on underground forums and Telegram channels. The database contents include plaintext passwords, emails, and IP addresses.
8. ActMobile Networks: In October 2021, security researcher Bob Diachenko discovered an exposed database he attributed to ActMobile, the operators of Dash VPN and FreeVPN. The exposed data comprised 45 million user records including email addresses, encrypted passwords, full names and usernames; 281 million user device records including IP address, country code, device ID and user ID; and 6 million purchase records including the product purchased and receipts. ActMobile denied that the data was sourced from them.
7. GoDaddy/WordPress: In 2021, data belonging to up to 1.2 million GoDaddy customers was exposed after attackers gained access to the company's managed WordPress hosting environment.
6. Ticketmaster: Employees utilised unlawfully obtained passwords to access a rival company's computer systems; as a result, the ticket sales and distribution company had to pay a $10 million fine.
5. Facebook: Data from 533 million people in 106 countries was published on a hacking forum in April. Facebook said the data was old, from a previously reported leak in 2019. It has denied any wrongdoing, saying that the data was scraped from publicly available information on the site.
4. RockYou2021: A forum user posted a massive 100 GB TXT file that contained 8.4 billion passwords.
3. Verkada: An international hacker collective breached Verkada's systems using a username and password found on the internet, then accessed customer cameras ranging from Tesla factories and warehouses to Equinox gyms, hospitals, jails, and schools.
2. COMB: The "Compilation of Many Breaches." COMB is the result of an online hacking forum posting over three billion unique email and password pairs gathered from past leaks at Netflix, LinkedIn, Bitcoin, and more. With 4.7 billion people online, COMB included the data of nearly 70% of global internet users.
1. SolarWinds: In February 2021, both current and former SolarWinds execs blamed an intern for using the password solarwinds123, which was leaked online.
It's not immediately clear whether the password played a role in the devastating supply-chain attack that saw up to 18,000 businesses compromised by a version of the Orion platform that was loaded with malware. SolarWinds, however, denies any connection, having determined that the credentials using that password were for a third-party vendor application and not for access to the SolarWinds IT systems.