- 359,420,698 MySpace accounts
- 164,611,595 LinkedIn accounts
- 152,445,165 Adobe accounts
- 65,469,298 tumblr accounts
Password reuse is so prevalent that officials can no longer tell if a new batch of stolen passwords offered for sale results from a new security breach or reuse of previously stolen passwords on a new website.
Many of us have had our Facebook accounts hacked. So we change that one password and move on. Hackers are not as lazy as us. They leverage automated "password automation" software, such as SentryMBA, to test stolen/exposed username, email and password data against a whole range of top websites. Additional tools allow them to bypass CAPTCHA and other controls designed to safeguard your login.
I use individual passwords for every site. Even so, at least one of my email addresses has been "pwned" (a new term meaning to appropriate to gain ownership), and a hacker could take over my account. And if you reuse your logins and passwords... Oops. Count how many accounts are at risk!
Why would they bother? It's automated, it's cheap, and the rewards may well outweigh the minimal effort. Stolen credentials go for about $50 per million. Attackers pay 1 cent for each password they confirm as viable with their test software, nothing for the others. One cent to access someone's accounts?
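Seen from the website's side, this automated testing leaves a recognizable trace: one source trying many different usernames, about once each, with only a few successes. The sketch below is an added example, not code from any tool named here; the log format, the sample lines and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login log (not real data): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 alice@example.com FAIL
2024-05-01T10:00:01 203.0.113.7 bob@example.com FAIL
2024-05-01T10:00:02 203.0.113.7 carol@example.com FAIL
2024-05-01T10:00:02 203.0.113.7 dave@example.com OK
2024-05-01T10:00:03 203.0.113.7 erin@example.com FAIL
2024-05-01T10:00:03 203.0.113.7 frank@example.com FAIL
2024-05-01T10:04:10 198.51.100.20 grace@example.com FAIL
2024-05-01T10:04:25 198.51.100.20 grace@example.com FAIL
2024-05-01T10:04:40 198.51.100.20 grace@example.com OK
"""

def parse(log):
    """Yield (ip, username, succeeded) for each line of the assumed log format."""
    for line in log.strip().splitlines():
        _ts, ip, user, result = line.split()
        yield ip, user, result == "OK"

def find_stuffing(log, min_users=5, max_success_ratio=0.2):
    """Flag source IPs that try many distinct accounts with a low success rate.

    A forgetful user retries ONE account; reused-credential testing walks
    through MANY accounts. Accounts that did log in from a flagged IP are
    listed as compromised so their passwords can be reset.
    """
    users = defaultdict(set)      # ip -> usernames attempted
    attempts = defaultdict(int)   # ip -> total login attempts
    hits = defaultdict(set)       # ip -> usernames that logged in successfully
    for ip, user, ok in parse(log):
        users[ip].add(user)
        attempts[ip] += 1
        if ok:
            hits[ip].add(user)
    report = {}
    for ip, tried in users.items():
        ratio = len(hits[ip]) / attempts[ip]
        if len(tried) >= min_users and ratio <= max_success_ratio:
            report[ip] = {"attempts": attempts[ip],
                          "distinct_users": len(tried),
                          "compromised": sorted(hits[ip])}
    return report

if __name__ == "__main__":
    print(find_stuffing(SAMPLE_LOG))
```

Grouping by source IP is only a first signal, since the same pattern can be spread across many addresses; the same counting also works per time window across the whole site.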
Some websites are switching to two-factor authentication (also known as 2FA), where you need two components (for example, your login and a limited-time password sent to your phone) to gain access. This is not foolproof, but it helps.
In the meantime, go on faith that you've been hacked somewhere, sometime, and change your password on every website to a new, unique, tough-to-decipher password. Do not recycle your passwords.
Check out this website: https://haveibeenpwned.com/.