The year 2017 saw more than its fair share of data breaches, leaks and serious security incidents that rocked the globe, with confidential and sensitive data pilfered by hackers. As security experts have long warned, strong and secure passwords are one of the most basic security practices one can implement to safeguard data online.
However, people still rely on simple, easy-to-remember strings of characters to secure their online accounts, digital identities and personal information – including high-profile officials and major companies across the globe.
Digital security firm and password manager Dashlane has listed some of the government officials, major companies and notable figures that suffered the most embarrassing password-related gaffes this year.
"While the violators on this list vary, they all showcase that common password mistakes can cause great embarrassment and economic loss, and that the aftermath of a breach can often be prevented," Dashlane said. "Most people make the same simple errors that these offenders made, such as using weak passwords or reusing passwords for multiple accounts."
US President Donald Trump topped the list this year "for good reason", according to Dashlane, due to his approach to cybersecurity and the poor security practices of key officials in his administration.
An investigation by the UK's Channel 4 News in January found that a number of Trump's handpicked officials – including his cybersecurity advisor Rudy Giuliani – used simple and dangerously insecure passwords across multiple platforms and websites, including their personal email accounts.
Others on the list included the UK government over its MPs' poor security practices, HBO due to its slew of leaks this year and the US Department of Defense.
Here are the worst password offenders of 2017, according to Dashlane:
1. Donald Trump
"As a person who has continually lamented the cybersecurity woes of his opponents, and trumpeted his own, his leadership in this area leaves much to be desired," Dashlane said.
This year, a number of websites linked to the Trump Organization were compromised, leading many to express serious concerns over the security of his personal accounts, including his active Twitter account.
It was reported that Russia-linked hackers managed to break into the Trump Organization's computer networks back in 2013 and created at least 250 shadow domains for potential future malware attacks. An Associated Press (AP) investigation revealed that hackers also hijacked at least 195 web addresses linked to Trump, his family and business empire four years ago.
"This revelation is not to be taken lightly, and signals that a president who touts his cybersecurity prowess may have added numerous cyber vulnerabilities to the nation's highest office," Dashlane added.
2. Equifax
In September, Equifax revealed a massive data breach that compromised the personal and valuable financial data of 145.5 million American customers, 700,000 British consumers and 100,000 Canadian users. The company has since been hit with lawsuits and intense political scrutiny over its security practices, the disclosure of the breach and its handling of the aftermath.
"Although the cause(s) of the breaches are still unknown, it's clear that Equifax's egregious password practices put the personal information of millions around the world at risk," Dashlane said.
3. UK government
In June, an investigation by The Times found that hackers were trading the log-in details of 1,000 British MPs, parliamentary staff and Foreign Office officials on Russian-speaking hacking websites, including those of the head of IT at the Foreign Office.
The Times reported that one senior politician used the name of their home country as their password followed by a number. One of the most popular passwords used by officials was "password".
Following the 12-hour-long cyberattack targeting the British Parliament in June, it was revealed that accounts with "weak" passwords that "did not conform to guidance" were targeted. Several British MPs recently admitted they often share their passwords with staffers.
4. US Department of Defense
In June, security experts discovered that a trove of highly sensitive US government intelligence files was left exposed on an unsecured Amazon server by defence contractor Booz Allen Hamilton. About 60,000 Pentagon files were leaked, including several unencrypted passwords of US government contractors.
5. US Republican Party
Deep Root Analytics, an analytics firm linked to the Republican Party, accidentally exposed the personal details of 198 million Americans on an unsecured server. The database included more than 25 terabytes of personal data and records from the presidential campaigns of 2008, 2012 and 2016.
6. Google
A massive phishing scam hit Google account holders in May that compromised an unknown number of users' credentials. The campaign involved a phishing email with a malicious link that redirected users to a Google sign-in screen and asked them to authorise permission to access shared documents. Instead, the page swiped users' login credentials.
7. HBO
"Your favourite Sunday night line-up provider was hit by a variety of hacks and breaches in 2017. These ranged from the leaks of episodes and stars' personal information, to the network's social media accounts getting hacked," Dashlane said.
Staffers later revealed some questionable cybersecurity practices at the company, including the reuse of passwords across both personal and work accounts.
8. Imgur
Last month, Imgur said it suffered a data breach in 2014 that compromised the email addresses and passwords of 1.7 million user accounts. At the time of the hack, the company was protecting users' passwords with the outdated choice of SHA-256, a fast general-purpose hashing algorithm unsuited to password storage, a weakness hackers were able to exploit.
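To show concretely why storing passwords as plain SHA-256 digests is weak, here is an added example (not code from the article or from Imgur, whose exact storage layout the article does not describe). It places the legacy scheme beside a hardened one (salted, iterated PBKDF2-HMAC-SHA256 from Python's standard library), adds a migrate-on-login path of the kind a site would use to move old records to the new scheme, and an audit that flags legacy digests matching a short, constructed list of common passwords. The sample store and password list are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# --- Legacy scheme: unsalted, single-pass SHA-256 ---------------------------
# SHA-256 is a fast general-purpose hash. Used alone for password storage it
# is deterministic (same password -> same digest for every user) and cheap,
# so a stolen table can be matched against precomputed digests of common
# passwords. This reproduces that weak layout (an assumed layout, not
# Imgur's documented one).
def legacy_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# --- Hardened scheme: salted, iterated PBKDF2-HMAC-SHA256 -------------------
PBKDF2_ITERATIONS = 600_000  # OWASP 2023 guidance for PBKDF2-HMAC-SHA256
SCHEME = "pbkdf2_sha256"


def hardened_hash(password: str, salt: bytes | None = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>'."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Check a password against a hardened record with a constant-time compare."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != SCHEME:
        raise ValueError(f"unsupported scheme: {scheme}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# --- Migration and audit ----------------------------------------------------
def migrate_on_login(stored: str, password: str) -> str | None:
    """Upgrade a legacy record when the user next logs in.

    Returns the hardened record if the password matches the legacy digest
    (or the existing record if it is already hardened); None if login fails.
    """
    if stored.startswith(SCHEME + "$"):
        return stored if verify(password, stored) else None
    if hmac.compare_digest(legacy_hash(password), stored):
        return hardened_hash(password)
    return None


def audit_legacy_store(store: dict[str, str], common_passwords: list[str]) -> list[str]:
    """Flag accounts whose unsalted SHA-256 digest equals that of a common password.

    Because the legacy scheme has no salt, one digest per common password
    covers every user at once; that is exactly why such stores are weak.
    """
    lookup = {legacy_hash(p): p for p in common_passwords}
    return sorted(user for user, digest in store.items() if digest in lookup)


# Constructed sample data (not real Imgur records).
LEGACY_STORE = {
    "alice": legacy_hash("password"),
    "bob": legacy_hash("correct horse battery staple"),
}
COMMON_PASSWORDS = ["password", "123456", "qwerty"]

if __name__ == "__main__":
    print("weak accounts:", audit_legacy_store(LEGACY_STORE, COMMON_PASSWORDS))
    new_record = migrate_on_login(LEGACY_STORE["alice"], "password")
    print("migrated and verified:", new_record is not None and verify("password", new_record))
```

The hardened record carries its own parameters, so the iteration count can be raised later without breaking existing records, and two users who pick the same password end up with different records because each gets its own salt.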
9. Paul Manafort
Trump's recently indicted former campaign manager and international lobbyist Paul Manafort was found to be using James Bond as his source of inspiration for his passwords. Researchers discovered that he used "Bond 007" as his password for multiple accounts, including Dropbox and Adobe.
10. Sean Spicer
Former White House Press Secretary Sean Spicer famously posted a string of characters on Twitter in January which many took to be his own password.
"It may seem easy to call out the unhealthy habits of public figures," Dashlane noted. "But if you've found yourself committing any of the same cybersecurity sins as the offenders on our list, you are at risk too."