Using one password for everything is convenient, but it\u2019s also dangerously insecure. We examine the case of Mark, a young designer.<\/p>\n
Mark is a regular guy. He has e-mail, Facebook, Instagram, Amazon, eBay, Steam, and Battle.net accounts, not to mention ones for another dozen online stores and a forum dedicated to his favorite video game. The accounts are all linked to his e-mail.<\/p>\n
One day, the customer database of one of the online stores Mark has an account at suffers a leak (apparently it was kept unencrypted on an open-access server). No credit card information is stolen, but e-mail addresses, names, and passwords are. At first glance, there seems no particular reason to worry. Such leaks happen, and this is just a small online store \u2014 can you blame a humble shopkeeper for not being a cybersecurity expert?<\/p>\n
But the cybercriminals who ransacked the database decide to try their luck \u2014 maybe someone on the list uses the same password for their e-mail account? They strike gold: Mark uses the same password everywhere, handing the cybercriminals access to his e-mail on a platter. There, they find not only photos that Mark sent to Lucy, but messages from Amazon, eBay, and other companies. Surely Mark doesn\u2019t use the same password for these accounts too? They try logging in to his Amazon account, and presto: same password again.<\/p>\n
Finding a credit card already linked to the Amazon account, the cybercriminals quickly snag a couple of iPhone Xs. Next up is Facebook, where the attackers ask Mark\u2019s friends for money: \u201cGuys, I really need to borrow some cash. I get paid tomorrow, so I\u2019ll pay you right back, promise.\u201d Some of the people who get the message really are Mark\u2019s friends, and send money\u00a0\u2014 to the cybercriminals\u2019 account, of course.<\/p>\n
But they haven\u2019t finished yet. The intruders now change the passwords for every account they can access, which in Mark\u2019s case means all of them.<\/p>\n
One of the Facebook friends smells a rat and decides to phone Mark to check if it\u2019s really him asking for a loan. Horrified, Mark rushes to his computer to change his Facebook password. But it\u2019s already been changed by the cybercriminals, and Mark is locked out. He tries to recover the password and asks Facebook to send him a password reset link by e-mail\u00a0\u2014 but he can\u2019t access that either, for the same reason.<\/p>\n
Mark realizes that he\u2019s been well and truly hacked. He calls his bank, freezes credit cards, tries desperately to change the passwords for the few services that haven\u2019t been snatched yet, and phones his friends to explain that it\u2019s not him asking for money. He apologizes to those who have already transferred funds to the scammers, and vows to pay it all back.<\/p>\n