It appears that we won’t have fond memories of 2020. From COVID-19 to a very long and contentious election cycle, it was a terrible year. But, while most people were just trying to hang on, it was business as usual for cybercriminals who are nothing if not opportunists. And last year provided plenty of opportunities for hackers to take advantage of poor cybersecurity practices.

Dashlane recently announced its annual list of the worst password offenders of 2020. The top 10 list — the worst of the worst — reads as follows:

No. 1: Twitter employees

In July 2020, a 17-year-old high schooler in Florida was able to get several employees to "reset their passwords" on a dummy site, and was able to collect login information and extract multifactor authentication codes. "From there, 130 verified accounts belonging to Barack Obama, Elon Musk, Bill Gates, Joe Biden and more began to post Bitcoin scams," explains Jay Leaf-Clark, head of IT at Dashlane.

No. 2: Zoom users

In April 2020, half a million Zoom credentials were posted for sale on the dark web. "Hackers used several ways in, including credential stuffing and deployment of multiple bots, to capitalize on Zoomers' weak and reused passwords, potentially compromising more of these users' accounts across the web," says Leaf-Clark.

No. 3: EasyJet

The worst password offenders weren’t limited to the U.S. Across the pond, EasyJet, a budget airline based in the U.K., made news for more than just discount tickets. "A cyberattack compromised nine million EasyJet travelers' emails and itineraries, with over 2,000 customers' credit card details breached," Leaf-Clark says. The company knew of the attack in January, but didn’t inform customers until April.

No. 4: Experian

The world’s largest credit bureau also made Dashlane’s Worst Password Offender list in 2017. But this time, someone at its South African branch handed over personal information to a client impersonator. "The resulting cyberattack affected an estimated 24 million South Africans and 800,000 businesses," Leaf-Clark explains.

No. 5: Marriott

"Starwood, the parent company of the Marriott mega chain, was still recovering from a 2018 data breach, when in January, another 5.2 million Marriott guests were involved in a January hack." The hackers got in as a result of a Marriott employee’s compromised login credentials.

No. 6: Nintendo gamers

"Those who made the switch to more gaming during lockdown faced an unexpected level: 300,000 Nintendo gamers experienced unauthorized logins to their accounts," Leaf-Clark says. "Whether through credential stuffing or brute force, gamers with weak or reused passwords got wrecked."

No. 7: Home Chef

When meal delivery company Home Chef was breached last year, the records of eight million customers ended up for sale on the dark web. Honorable (or dishonorable) mention goes to another food delivery company, Instacart: 250,000 of their customer’s records were also on sale on the dark web.

No. 8: Zoosk

In May 2020, Zoosk, an online dating site, became the victim of a cyberattack. According to Leaf-Clark, the attack compromised over 200 million user records, including personal information like gender and date of birth.

No. 9: Minted

Minted, the U.S.-based marketplace for independent artists, was hacked in 2020, and the hacker sold 5 million user records on the dark web.

No. 10: Day traders

In October 2020, thousands of Robinhood customers had their accounts accessed and drained. "The online brokerage initially blamed its users' previously-compromised credentials instead of its own security infrastructure, but some customers say there's no sign of their emails being compromised."

So, what have we learned?

Dashlane has published an annual list of the worst offenders for five years, so maybe we’re not learning the importance of good cybersecurity practices. Also, there’s a tendency to think of smaller companies as being more attractive targets because large companies have better protocols, but that may be a myth.

"Don’t forget that Twitter employees and Zoom users took the top spots on our list due to breaches caused by weak and re-used passwords," Leaf-Clark says. "Large companies don’t always have the best cybersecurity protocols, but it’s imperative for all businesses to immediately put into place a robust process to audit, standardize, and continuously monitor the safety and security of the credentials within their organizations."

Why strong passwords are so important

Actually, he says it’s not enough to just have strong passwords, they should also be unique for every account and website you use. "Password reuse is an epidemic — repeating the same password across accounts is a lot like using the same key for your house or your car,” Leaf-Clark explains. “If someone gets a hold of those keys, they now have access to everything you want to keep safe."

Likewise, once hackers gain access to one account, he says they can use passwords to access other accounts as well. "The only protection against this is to have random and different passwords for every account."

Leaf-Clark recommends a password manager, but if the "manager" gets hacked, won't that create an even worse scenario since all of your passwords are in one place?

"During setup, you’ll be required to generate a strong master password, and then add your credentials to the password manager, either manually or through the password manager’s automatic tool that can find and upload credentials for you," he explains. "With a password manager like Dashlane, your account can only be unlocked with your Master Password and only one person knows it: you."