The biggest password flubs of 2019, from Facebook's stolen hard drives to Lisa Kudrow's Instagram

  • These are 2019's "worst password offenders," according to password manager Dashlane, which compiled a list of high-profile data security missteps from the past year.
  • Facebook, Google, and WeWork all made the list for mistakes that resulted in passwords being left exposed.
  • Actress Lisa Kudrow also made the list for accidentally posting a photo of her password written on a sticky note to Instagram.

2019 was a messy year in cybersecurity, with data breaches on the rise and hackers finding new ways to exploit weak passwords.

The vast majority of breaches occur due to human error. To commemorate some of the most egregious cybersecurity errors of the past year, password manager Dashlane recognized 2019's "Worst Password Offenders" in a list published Tuesday.

Multibillion-dollar tech giants like Facebook, Google, and WeWork made the list for security breaches that affected thousands of users, while celebrities like Ellen DeGeneres and Lisa Kudrow were featured for high-profile password flubs.

Keeping up good password habits can feel inconvenient, but taking just a few straightforward steps can prevent your accounts from becoming low-hanging fruit for hackers.

Here's who made Dashlane's list of the 2019 Worst Password Offenders, along with the backstories behind their password infamy.

10. People named Ashley

Your password should never be a single, easily guessed word, especially one that's traceable to your identity. For that reason, using a first name as a password is a huge mistake, security-wise.

That didn't stop 432,276 people from using "Ashley" as their password, according to a study published by the UK National Cyber Security Centre in April. "Ashley" was the most common name password, followed by "Michael," "Daniel," and "Jessica."

9. Ellen DeGeneres

The "Ellen" host's official Instagram account was hacked in August, and hackers used it to promote fake giveaways, according to Deadline. In a possibly joking tweet, DeGeneres wrote that hackers likely guessed her account password, which was "password."

My Instagram account was hacked last night (despite my clever password “password”). We apologize, and we thank everyone who brought it to our attention. I’m going back to sleep now.

— Ellen DeGeneres (@TheEllenShow) August 23, 2019

8. Shenzhen i365 GPS Tracker

More than 600,000 GPS trackers sold by the Chinese company Shenzhen i365 on Amazon had major security vulnerabilities, Avast found. The GPS trackers were marketed to parents to keep track of their kids, but all the trackers came with the default password "123456." Any hackers who could guess the password could remotely log into users' devices and lock owners out.

7. Virgin Media

When a cybersecurity researcher was trying to reset his Virgin Media password earlier this year, he found that Virgin sent his password in plain text via email, a startlingly insecure way to communicate passwords, with no encryption. After he notified Virgin of the vulnerability on Twitter, Virgin's official Twitter account responded with a tweet that seemed to brush off the complaint:

Posting it to you is secure, as it's illegal to open someone else's mail. ^JGS

— Virgin Media (@virginmedia) August 17, 2019

"Yes, because criminals don't break laws, right?" Matthew Hughes quipped in The Next Web. "By that logic, why should I lock my front door? After all, burglary is illegal."

6. Elsevier

A cybersecurity researcher found that Elsevier, which publishes scientific and medical journals, had stored people's usernames and passwords in plain text on an unprotected server on its website, meaning anyone who found the page could instantly access the passwords. The company told VICE that the exposure was due to human error and that it would notify all parties affected.

5. WeWork

The embattled real-estate startup reportedly used a single password for its entire global WiFi network, according to Fast Company. The outlet didn't disclose what the password was, but noted that it "has regularly appeared on lists of the worst passwords that anyone can possibly choose." WeWork reportedly declined Fast Company's request for comment.

4. Congressman Lance Gooden

During Mark Zuckerberg's testimony before the House of Representatives in October, footage from the chamber caught Texas Republican Lance Gooden entering his phone password, which appears to be "777777."

Gooden addressed the footage on Twitter, joking that he has the same password practices as Kanye West, who appeared to input "000000" as his iPhone password during a White House meeting with President Trump.

Just another thing @kanyewest and I have in common. https://t.co/Vcffb2euxG

— Lance Gooden (@Lancegooden) October 24, 2019

3. Lisa Kudrow

The "Friends" star went mildly viral in May when she posted a selfie with her computer. The post was meant to show off a Deadline article about her next role, but included a sticky note featuring her password written in pen.

After fans pointed out the mistake, Kudrow removed the post, but later made a similar, joking post featuring a sticky note displaying her "new password."

2. Google

Google announced in May that it had stored some G Suite users' passwords in unencrypted plain text since 2005.

"'Accidents' like this have major implications for platforms and their users; breaches can go undetected for years, so you never know when an account might have been exposed," Dashlane wrote in its post naming Google the second-worst password offender of 2019.

At the time, Google apologized in a blog post for failing to "live up to our own standards."

1. Facebook

Dashlane cited three incidents that placed Facebook at the top of its "Worst Offenders" list: Facebook admitted to exposing hundreds of millions of passwords in March, and in April the company said it had harvested users' contacts without consent. Then, in September, Facebook admitted to a separate instance of exposing users' phone numbers.

"For a company under increasing scrutiny for how it handles (or mishandles) user data and security, it sure needs a poke in the ribs," Dashlane wrote.
