April 4, 2018 by Jason Contant
Brokers should be advising their clients that the re-use of passwords across multiple websites and accounts could be a disaster waiting to happen, a cybersecurity specialist told Canadian Underwriter Wednesday.
Lisa Baergen, marketing director of Vancouver-based NuData Security, a Mastercard Company, made her comments after an unauthorized party acquired data associated with MyFitnessPal user accounts in late February. Baltimore-based Under Armour Inc. said it became aware of the breach in late March. MyFitnessPal is the company’s food and nutrition application and website.
“The re-use of passwords in situations like this may seem harmless, like a short lapse in judgement,” Baergen said. “But this data that aligns names and email addresses with passwords and other additional PII [personally identifiable information], easily gleaned through multitudes of breaches, is a potential disaster for anyone who reuses their passwords across multiple sites and accounts.”
She observed that many people continue to reuse usernames and passwords across various sites, even going so far as to reuse their employee information with accounts opened for personal use. “Once the information has been stolen, criminals decide how to use this data,” she said. “What may seem an irrelevant piece of information to a user can be the last piece of the puzzle for a bad actor, going so far as easily answering security questions.”
The information is often hosted on Dark web forums, where people can buy it cheaply and use it for fraudulent purposes. Baergen said that this can be as simple as purchasing something with a stolen credit card number, or as complex as a comprehensive program of identity fraud, in which fraudsters pose as a business the customer hired (a plumber, for example) to get a payment transferred to the fraudster’s account instead of the contractor’s.
“To make matters worse, if a bad actor is missing any piece of information, they can just access a Google-like website to find it,” Baergen said. “Any type of stolen information can help.”
In Under Armour’s breach, about 150 million user accounts were affected by the issue, including usernames, email addresses and hashed passwords – the majority hashed with bcrypt, a function designed to secure stored passwords. The affected data did not include government-issued identifiers such as Social Security Numbers and driver’s licence numbers, which the company does not collect from users. Payment card data was also not affected, as it is collected and processed separately.
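As an added illustration (not code from the article, Under Armour or NuData), one defensive step a service operator can take when a breach dump like this circulates: check whether any of its own users reused the leaked password on this site and force a reset for those who did. The standard-library PBKDF2 stands in for bcrypt here so the example runs without third-party packages, and the user store and the breach dump are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Stand-in for bcrypt: PBKDF2-HMAC-SHA256 with a per-user random salt and a
# high iteration count. The slow, salted property is what matters here.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored digest."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


def find_reused_credentials(user_store: Dict[str, dict],
                            leaked: List[Tuple[str, str]]) -> List[str]:
    """Return emails whose password on *this* site equals one leaked elsewhere."""
    flagged = []
    for email, leaked_pw in leaked:
        record = user_store.get(email)
        if record and verify_password(leaked_pw, record["salt"], record["hash"]):
            flagged.append(email)
    return flagged


# Constructed sample: this site's own user store, hashed at startup.
_users = {"alice@example.com": "correct horse battery staple",
          "bob@example.com": "bob-only-password-2018",
          "carol@example.com": "Summer2017!"}
USER_STORE = {}
for _email, _pw in _users.items():
    _salt, _hash = hash_password(_pw)
    USER_STORE[_email] = {"salt": _salt, "hash": _hash}

# Constructed sample: a dump from some other site, as (email, plaintext) pairs.
LEAKED = [("alice@example.com", "correct horse battery staple"),  # reused here
          ("bob@example.com", "something-else"),                  # not reused
          ("carol@example.com", "Summer2017!"),                   # reused here
          ("dave@example.com", "not-a-customer")]                 # no account

if __name__ == "__main__":
    for email in find_reused_credentials(USER_STORE, LEAKED):
        print(f"force password reset: {email}")
```

Because the stored hashes are salted and slow, the check has to run one verification per leaked pair rather than a plain lookup, which is the same property that slows an attacker working through a stolen hash set.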