How Easy Is It For Your Passwords To Get Hacked?
Passwords provide the first line of defense for your email, banking, social media, and other sensitive online accounts. Unfortunately, however, hackers have found repeatable and scalable ways to guess, hack, or steal passwords.
From weak and reused passwords to data breaches, even the most secure passwords aren’t immune to modern hackers — especially if you fail to enable two-factor authentication (2FA).
Over the last year, 75% of survey respondents lost sensitive personal information from a hacked account — including names, addresses, and credit card numbers [*].
Securing your online accounts (and the data they contain) starts with understanding how hackers get passwords, how you might be leaving yourself vulnerable, and what you can do to stay safe.
7 Real Ways Hackers Steal Passwords in 2024
Strong passwords are essential to your cybersecurity. But commonly repeated advice about password security — using long passwords with a mix of uppercase and lowercase letters, numbers, and special characters — is no longer enough to keep your accounts safe.
Even Bill Burr, the person who originally wrote these password recommendations, says they shouldn’t be used today, as they’re often too complicated and cause people to revert to easily guessable passwords [*].
Instead, it’s better to understand the risks hackers pose to your online accounts, and what you can do to shut them down.
Data breaches
Cybercriminals infiltrate company databases to steal personally identifiable information (PII), including usernames and passwords.
In February 2024, the remote desktop application Anydesk was breached in a cyberattack. Within days, over 18,000 stolen credentials from Anydesk customers were listed for sale on a hacker forum on the Dark Web [*].
Use a password manager to warn you of compromised passwords. Most password managers can alert you to any at-risk accounts related to known data breaches — and automatically generate new, complex passwords.
Phishing and other social engineering attacks
Phishing attacks arrive via emails, text messages, phone calls, or online services. Con artists pose as legitimate brands or government representatives to pressure you into giving up passwords or clicking on malicious links that lead to fake websites built to capture your login details.
In April 2024, many LastPass users reported receiving phone calls and emails from threat actors claiming to be LastPass employees. The hackers directed many users to a fake website with a login page, where cybercriminals could steal master passwords and gain access to the users’ vaults [*].
Can you spot a phishing attack? These scams almost always include urgency and scare tactics, suspicious links, and spoofed contact details. Make sure you know how to spot the telltale signs of a phishing email, text message, or call.
Brute force and dictionary attacks
In a brute force attack, hackers use automated “bots” to try thousands of username and password combinations (often including passwords leaked in earlier breaches) until they find a match. Dictionary attacks work the same way but draw their guesses from a list of common passwords and phrases.
In December 2023, threat actors hacked the genetic testing company 23andMe. The hackers were able to use old user passwords in a brute force attack and quickly gained access to the personal data of 6.9 million users [*].
Don’t use memorable or common elements in your passwords. These password-cracking attacks can bypass account security in minutes — especially if your password is based on pet names, birthdates, or obvious keyboard patterns, such as qwerty or 1234.
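A defender-side check for the weak elements this tip warns about, written here as an added example (not code from the original article): it reduces a candidate password to what a cracking rule set would recover (lowercase, trailing digits and symbols dropped, leetspeak undone), then tests it against a constructed mini-wordlist, a constructed set of personal terms, keyboard rows, and year patterns, and applies the 13-character minimum the article cites in its rules below.

```python
import re

# Constructed stand-ins for real wordlists (assumption: a deployment would load the
# top-N leaked passwords and the user's own profile terms instead).
COMMON_WORDS = {"password", "letmein", "welcome", "dragon", "football", "iloveyou"}
PERSONAL_TERMS = {"fluffy", "rex", "smith"}          # pet names, surnames, etc.
KEYBOARD_RUNS = "qwertyuiopasdfghjklzxcvbnm1234567890"
# Reverse the substitutions people use to "strengthen" a dictionary word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
MIN_LENGTH = 13  # the length the article cites as meaningfully safer


def normalize(pw: str) -> str:
    """Reduce a password to the word an attacker's rule set would recover:
    lowercase it, drop trailing digits/symbols, undo leetspeak."""
    core = re.sub(r"[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def keyboard_pattern(pw: str) -> bool:
    """True if any alphabetic or numeric run of 4+ chars walks a keyboard row."""
    flat = re.sub(r"[^a-z0-9]", "", pw.lower())
    for seg in re.findall(r"[a-z]+|[0-9]+", flat):
        if len(seg) >= 4 and (seg in KEYBOARD_RUNS or seg in KEYBOARD_RUNS[::-1]):
            return True
    return False


def weaknesses(pw: str, personal_terms=PERSONAL_TERMS) -> list:
    """Return the reasons a password would fall to a dictionary or pattern attack;
    an empty list means none of these checks fired."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    core = normalize(pw)
    if core in COMMON_WORDS:
        reasons.append(f"dictionary word '{core}' with trivial mangling")
    if core in personal_terms:
        reasons.append(f"personal term '{core}' (pet name, surname, etc.)")
    if keyboard_pattern(pw):
        reasons.append("keyboard pattern")
    if re.search(r"(19|20)\d{2}", pw):
        reasons.append("contains a year (likely a birthdate)")
    return reasons


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "Fluffy2019!", "qwerty123456", "correct-horse-battery-staple-7"]:
        print(candidate, "->", weaknesses(candidate) or ["no obvious weakness"])
```

The checks are deliberately simple; a production strength meter would use a far larger wordlist and score the result rather than returning a flat list of reasons.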
Keyloggers, spyware, and other malware
Hackers trick you into installing malicious programs that steal sensitive information. For example, keylogging software records every keystroke as you type on your device, and sends this information to hackers — including your passwords.
Even Apple’s fabled security is vulnerable, as threat actors have used keyloggers to exploit the "Find My" location network feature and transmit sensitive information from users’ keyboards [*].
Protect your devices with passkeys. Passkeys are cryptographic credentials generated and stored on your device or in your password manager; you unlock them with a PIN, fingerprint, or face recognition instead of typing a password, so there is nothing for a keylogger to record. In October 2023, Google announced that passkeys would become the default sign-in method for all users. This phishing-resistant alternative to passwords is the best way to combat keylogger malware [*].
Credential stuffing
Credential stuffing occurs when hackers try stolen username and password combinations from one site to access accounts on another site or app. Upwards of 30% of people surveyed who were hacked in the past year believe it was because they repeatedly used the same password for multiple accounts [*].
In March 2024, hackers used a credential-stuffing attack to steal the personal data of 15,363 Roku users. Many users were locked out of their accounts as the attackers went on to make fraudulent in-app purchases and sell user account data on the Dark Web [*].
Two-factor authentication (2FA) makes you more secure. Multi-factor authentication is no longer a “nice to have” option. With a second layer of security, you can protect your accounts against credential stuffing, password spraying, and other similar attacks.
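The two attack shapes described above, brute force against one account and credential stuffing across many, leave different footprints in an authentication log. This added example (not code from the original article) parses a constructed log and tells them apart by how each source's failures are spread over accounts; the addresses are RFC 5737 documentation ranges and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed authentication log (RFC 5737 documentation addresses); not real traffic.
SAMPLE_LOG = """\
2024-03-12T10:00:01Z auth src=203.0.113.7 user=alice result=FAIL
2024-03-12T10:00:02Z auth src=203.0.113.7 user=bob result=FAIL
2024-03-12T10:00:02Z auth src=203.0.113.7 user=carol result=FAIL
2024-03-12T10:00:03Z auth src=203.0.113.7 user=dave result=FAIL
2024-03-12T10:00:03Z auth src=203.0.113.7 user=erin result=FAIL
2024-03-12T10:00:04Z auth src=203.0.113.7 user=grace result=OK
2024-03-12T10:05:10Z auth src=198.51.100.9 user=alice result=FAIL
2024-03-12T10:05:11Z auth src=198.51.100.9 user=alice result=FAIL
2024-03-12T10:05:12Z auth src=198.51.100.9 user=alice result=FAIL
2024-03-12T10:05:13Z auth src=198.51.100.9 user=alice result=FAIL
2024-03-12T10:05:14Z auth src=198.51.100.9 user=alice result=FAIL
2024-03-12T10:07:00Z auth src=192.0.2.5 user=bob result=FAIL
2024-03-12T10:07:20Z auth src=192.0.2.5 user=bob result=OK
"""
LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")


def parse(log: str):
    """Yield (source, user, result) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("user"), m.group("result")


def analyze(log: str, fail_threshold: int = 5, spread_ratio: float = 0.8) -> dict:
    """Label each noisy source by how its failures are distributed (thresholds are assumptions):
    credential_stuffing -> failures spread over many accounts (one guess per stolen pair);
    brute_force -> failures piled onto one or a few accounts.
    Accounts that then log in from a flagged source are listed for follow-up (reset, 2FA)."""
    fails, failed_users, successes = defaultdict(int), defaultdict(set), defaultdict(set)
    for src, user, result in parse(log):
        if result == "FAIL":
            fails[src] += 1
            failed_users[src].add(user)
        else:
            successes[src].add(user)
    verdicts = {}
    for src, n in fails.items():
        if n < fail_threshold:          # ordinary typo-and-retry traffic
            continue
        kind = "credential_stuffing" if len(failed_users[src]) / n >= spread_ratio else "brute_force"
        verdicts[src] = {"kind": kind, "failures": n, "accounts": len(failed_users[src]),
                         "successful_logins": sorted(successes[src])}
    return verdicts
```

Running `analyze(SAMPLE_LOG)` flags the first source as credential stuffing with a successful login for `grace`, the second as brute force against `alice`, and leaves the third source (one failed attempt, then success) unflagged.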
Hacked Wi-Fi networks and man-in-the-middle attacks
Hackers can intercept data transmitted over unsecured Wi-Fi connections, such as in airports or cafes. These “man-in-the-middle attacks” allow the intruder to capture user passwords and other sensitive information, like bank account details.
Avoid using public Wi-Fi — especially when logging in to accounts. It’s best not to use public Wi-Fi for any online activity that could reveal your financial details, including banking or shopping. If you need to access an account, try using your mobile hotspot instead, or install a virtual private network (VPN) to hide your data from prying eyes.
Unencrypted password sharing
Sharing passwords over unencrypted channels, like plain text emails or messaging apps, can expose them to hackers. Disgruntled employees or untrustworthy individuals in a group chat might exploit password sharing.
Ken Carnesi, CEO of DNSFilter, warns: "First and foremost, don’t send passwords in Slack and over email. While that might seem like a no-brainer, you’d be shocked how often it happens." [*].
Also, don’t write down passwords. A password on a sticky note is exposed to anyone who can see your desk (shoulder surfing).
The Best Way To Protect Your Passwords and Online Accounts
Unfortunately, many people ignore password security because they don’t want to use unique passwords for every account.
But basic password security really only comes down to a few simple rules:
- Use a password manager. By storing your passwords in a password manager, you only need to remember one strong master password to access any account. This keeps your other passwords secure and easy to access. Password managers also keep your stored credentials encrypted. Even if the company gets hacked, your accounts will stay safe.
- Generate and use random passwords. Another benefit of password managers is that they allow you to create long, complex, and unique passwords for every account — without the headache of having to remember them. A study from Hive Systems found that any password with fewer than six characters could be cracked in a day. When you create passwords with at least 13 characters, your accounts are much safer [*].
- Enable two-factor authentication (2FA). A second layer of security makes your account much more difficult to hack — even if scammers have your passwords. For the highest level of security, opt for an authenticator app like Authy or Okta, or use biometric authentication on your device, such as fingerprint identification or facial recognition.
- Update compromised passwords immediately. Any data breach notification or warning from your password manager should be dealt with swiftly. Update your passwords before anyone can access your accounts.
Once your password security measures are in place, the next best thing you can do is protect your devices and accounts against hacking.
Avoid clicking on suspicious links or downloading apps from unknown sources, use Safe Browsing tools to warn you of fake or dangerous websites, keep your apps and operating system up to date, and install reliable antivirus software to guard against keyloggers, ransomware, and other malware.
Act Fast If You See These Warning Signs of a Hacked Account
Even following best practices for password maintenance can't always protect you against threats like data breaches. Instead, it's essential to be vigilant in monitoring your accounts and making sure that you’ll receive alerts in the event of a data leak.
Here are six warning signs of a hacked account:
- Unusual login activity. If you receive notifications about logins or login attempts from unfamiliar devices or locations, it could indicate that someone else has accessed your account.
- Your password isn’t working. If your password suddenly stops working, it’s possible that a hacker has changed it.
- Unexpected password reset emails. Receiving password reset emails that you didn't request is a huge red flag that someone is trying to access your account.
- Unauthorized transactions. Unfamiliar charges or transactions on your bank or credit card statements can indicate that your financial accounts have been hacked.
- Friends and family members report strange messages. If people on your contact list receive suspicious messages from your social media accounts or email address, it’s likely a hacker has accessed your account.
- Slow computer performance. Performance can dip after malicious software is installed, because it runs in the background and consumes your device’s bandwidth and battery.
If you suspect one of your accounts has been hacked, act quickly to update the password, enable 2FA, and log out any unknown users or devices. If you can’t access your account, try a password reset or contact the service directly for help.
Passwords aren’t always the best defense — Identity Guard can help
Passwords alone open you up to myriad vulnerabilities. But with a few simple steps, you can protect yourself and your family against the most common methods that hackers use to target your online accounts.
For added protection, consider signing up for Identity Guard. With Identity Guard, you get an all-in-one digital safety solution — including award-winning identity theft protection, a secure password manager, Dark Web and data breach monitoring, 24/7 U.S.-based support, and up to $1 million in identity theft insurance coverage for every adult on your plan.