Anyone with a social media account has at some point encountered blatant spam followed by a “sorry everyone, someone hacked my account” post from one of their friends. Unless this friend in question is some celebrity, it is extremely unlikely that they were specifically targeted in a hack. Instead, these types of account takeovers are usually caused by the victim using the same password with another account on a site that was compromised.
When you re-use a password, all accounts that share those credentials become as vulnerable as the weakest link. Github recently reset the passwords for a large number of accounts after detecting that a number of their users were victims of a password dump from a completely unrelated service. Earlier in the month, attackers took over Mark Zuckerber’s Twitter and Pinterest accounts, claiming to have used his credentials from the LinkedIn password dump a few weeks before.
Password dumps are a common form of attack and aren’t always as public as the aforementioned LinkedIn credential dump that leaked more than 100 million credentials. Just this week, 45 million more credentials were leaked from relatively niche sites like motorcycle.com and mothering.com. You won’t always know when one of your passwords becomes public knowledge. It’s even possible that a site you own an account on is the one doing the bad deeds, as humorously described in this XKCD comic.
Users should always use unique passwords wherever possible, especially for critical accounts like email and banking services. Users should also change their passwords on a regular basis to mitigate undisclosed password dumps. That said, creating and remembering dozens of complex passwords can be very difficult. I highly recommend the use of password managers like LastPass or KeePass to help in that regard. Password managers allow you to create and save strong unique passwords for every account while only needing to remember a single complex master password to unlock them all. When paired with a second authentication factor like a fingerprint to go with the master password, password managers are an excellent tool to increase your security and prevent you from falling victim to the next dump of credentials. –Marc Laliberte
Mark Nichols says
And if you are not using two-factor, add randomness to your primary password with something like diceware… https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/