What is considered valuable in terms of personal information has continually shifted definition for decades. At the Identity Theft Resource Center, educating consumers about the value of personal information is one of our top priorities. We often find that many consumers are unaware that having your Social Security number (SSN) exposed in a data breach is far more dangerous than having credit card or debit card information exposed. In addition to your SSN, other personal information that is regularly overlooked are login credentials (i.e. usernames and passwords), which can lead to other information being stolen using a method referred to as “credential cracking.” This form of hacking is very widespread and more insidious than most Americans realize.
The Open Web Application Security Project defines “credential cracking” as a method that cybercriminals use to “identify valid login credentials by trying different values for usernames and/or passwords.” This is important considering that, according to the 2017 Verizon Data Breach Incident Report, 80 percent of hacking related data breaches were carried out using either stolen passwords and/or weak or guessable passwords. This means that cybercriminals attempt to gain access to a consumer’s account using educated guesses. How does someone make an educated guess about another person’s passwords? There are a couple of ways that this is done and it’s a lot easier than one might think. For example, criminals can use software that runs every word in the dictionary through authentication in hopes that a consumer has used a simple word as their login credentials. Another way that cybercriminals make educated guesses on login credentials is to use common passwords. Unfortunately, this is successful as consumers continue to use passwords such as “password” or “1234567”. Another way that hackers crack credentials, which is the most pertinent to the focus on the value of personal information, is the use of breached login credentials.
In 2017, there were nearly 179 million pieces of personal information stolen, lost or exposed in data breaches. The use of breached login credentials by hackers is pertinent to the value of personal information because it transforms our ideas of what information is the most dangerous to have stolen by hackers or lost in a data breach. For example, consumers would most likely consider having their tax information lost or stolen in a breach far more dangerous than having their Yahoo or Gmail account credentials stolen. However, the use of “credential cracking” shows us that one can be just as dangerous as the other.
In order to understand why this can be so detrimental, consumers should first think about the login credentials, most commonly this is a username and password, they use on their online accounts. While the best practice is that consumers use different login credentials on each of their accounts, this often isn’t a reality. How many consumers use the same username and password for their Facebook account as they do for their online banking? Even those who may think they are being safe by using different passwords often only use one or two slight modifications, such as the addition of a punctuation mark or another number to their commonly used passwords. When this is the case, all that a cybercriminal has to do is get their hands on the login credentials for one account and they have the key to open many accounts, which may be far more dangerous than the initial account which was compromised. This is crucial for consumers to understand. It shows why each piece of personal information, even something as seemingly useless as the login credentials for an old Twitter account you no longer use can spell big trouble. This is why we stress that consumers need to protect all the components of their personal information because they all have value. Of course, don’t hand out your SSN as you would your email address. The best strategy is to continue to guard that information as incredibly sensitive as well as protecting other personal information.
Our reminder to you is that every single piece of personal information has value. While the login credentials to your social media accounts may not initially cause the damage that an exposed SSN or banking account information will, with a little work from criminals those social media login credentials can lead to exposing more forms of personal information. Each piece of personal information is like a puzzle piece or clue which can be put together to cause serious damage in the form of identity crime. So, while the value of a SSN, or other sensitive personal information, is far more valuable in the eyes of identity thieves, an email password has value as well. Both can lead to having your identity stolen. Consumers must understand that each piece of personal information or data has value and protect it.
Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.