![f0050-01.jpg](https://article-imgs.scribdassets.com/2k6hzmkmbkcm286u/images/fileETIC4FR5.jpg)
Attempts to steal passwords have shot up in the past few years. In 2015, Microsoft’s security team detected 115 every second. That has now risen to over 4,000 – a rise of more than 3,370 per cent. Hackers continue to target passwords because – deep down – humans are predictable. Too many of us use the same passwords over and over again, despite all the security advice telling us it’s a terrible idea.
In this feature we’ll give you a complete password audit, so you can see which ones have been stolen and what you must do to make your new ones unhackable. We reveal a password-creation technique that’s served us well over the years, and it’s more sophisticated than replacing the letter O with zeroes, and the number 3 with pound signs. We’re sure you have your own similarly ingenious methods – so please let us know.
We also explain how to prepare for passkeys, which are rapidly replacing passwords. You can now use these in password managers to sign into your Microsoft, Google and Apple accounts, and into many websites. We know some of you are unsure about the security and convenience of passkeys, but the tech industry is adopting this technology so quickly that we have no choice but to learn how to use them.
Our advice should help protect you from the worst consequences of password theft, even if your accounts appear in data leaks. Talking of which, we start with the nine deadliest hacks of recent months. If you suspect you’ve been affected, take action straight away.
NINE RECENT HACKS YOU MUST KNOW ABOUT
Dell customer database
April 2024
Customers affected 49m
As we reported in Issue 684’s ‘Question of the Fortnight’ (page 10), a hacker called Menelik claims to have stolen 49 million customer records (2017-2024) from Dell, and put them up for sale on the dark web. The data comprises names, addresses and purchase details, but not payment details, email accounts or phone numbers. Dell emailed affected customers (pictured below), saying there’s no “significant risk”.
![f0051-01.jpg](https://article-imgs.scribdassets.com/2k6hzmkmbkcm286u/images/fileW17KH690.jpg)
Facebook Marketplace accounts
February 2024
Customers affected 200,000
Account details of 200,000 Facebook Marketplace users were stolen in February, including names, mobile numbers, email addresses and IDs. The hackers claim the data was stolen not from Facebook itself, but from the system of a contractor working for Meta (which owns Facebook, WhatsApp and Instagram). Because the data includes mobile numbers, hackers might be able to intercept two-factor authentication codes sent to phones. Meta hasn’t commented on the leak, so it’s difficult to tell who’s been affected.
Roku customer details
March/April 2024
Customers affected around 570,000
Roku was hacked in both March and April. Hackers took known passwords and email addresses for other services and fed them into Roku’s login forms, unlocking Roku accounts where the same details had been used. This let them purchase Roku devices and streaming services.
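Seen from the service's side, this kind of attack leaves a recognisable trace in login records: one source trying many different accounts, failing on most and succeeding on a few. The Python sketch below is an added example, not code from Roku or from this article; the event format, the thresholds and the sample data are all constructed assumptions, and it only catches attempts that come from a single source address.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, account, succeeded).
# Addresses come from documentation ranges; none of this is real data.
SAMPLE_EVENTS = (
    [("203.0.113.7", f"user{i}@example.com", i in (4, 17)) for i in range(30)]
    + [("198.51.100.20", "alice@example.com", False),   # a user mistyping once
       ("198.51.100.20", "alice@example.com", True),
       ("192.0.2.55", "bob@example.com", True)]
)

def find_stuffing_sources(events, min_accounts=10, max_success_ratio=0.2):
    """Flag sources that tried many distinct accounts and mostly failed.

    Returns {source_ip: sorted accounts that logged in successfully}.
    Those accounts reused a leaked password and need a forced reset.
    Both thresholds are illustrative assumptions, not recommended values.
    """
    tried = defaultdict(set)       # ip -> distinct accounts attempted
    attempts = defaultdict(int)    # ip -> total login attempts
    ok_count = defaultdict(int)    # ip -> successful attempts
    unlocked = defaultdict(set)    # ip -> accounts with a successful login
    for ip, account, succeeded in events:
        tried[ip].add(account)
        attempts[ip] += 1
        if succeeded:
            ok_count[ip] += 1
            unlocked[ip].add(account)

    flagged = {}
    for ip, accounts in tried.items():
        if len(accounts) < min_accounts:
            continue               # too few accounts to look like stuffing
        if ok_count[ip] / attempts[ip] > max_success_ratio:
            continue               # mostly successful: likely a shared network
        flagged[ip] = sorted(unlocked[ip])
    return flagged

if __name__ == "__main__":
    for ip, accounts in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(f"{ip}: reset passwords for {', '.join(accounts) or 'nobody'}")
```
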
It’s important to note that Roku was a victim here, rather than the source of the leak. It’s a reminder to not use the same password for multiple sites or services. Roku