These Social Media Passwords Highlight the Danger of Password Reuse [new data]


Today, the Specops research team is sharing the results of their latest findings on the use of social media websites in compromised passwords. The release of these findings coincides with the latest addition to the Specops Breached Password Protection service, which helps organizations block the use of over 4 billion unique compromised passwords in Active Directory.

The team analyzed an 800-million-password subset of the larger Breached Password Protection database to find the social media sites that appear most often in compromised password data. Topping the list was QQ, a Chinese app ranking 10th in worldwide popularity for 2022, which appeared in the data over 3 million times. The top English-language site found in the data was LinkedIn, appearing over 114,000 times.

“We’ve known password reuse to be a problem for a long time,” said Darren James, Product Specialist at Specops Software. “Today’s published findings just underscore how the personal and professional lines blur when it comes to how your users are creating their passwords.”

Top 10 Social Media Apps Found in Compromised Passwords

  1. QQ
  2. Xing
  3. LinkedIn
  4. Snapchat (Snap or Snapchat)
  5. Instagram (Insta or Instagram)
  6. Facebook
  7. YouTube
  8. Skype
  9. Twitter
  10. Weibo

LinkedIn in the #3 spot will not surprise those who are familiar with the 2012 LinkedIn hack, whose data was also found in the infamous Collection leaks. The subsequent, well-known Dropbox breach, caused by an employee reusing a password from the LinkedIn breach, is a case study in the danger posed by password reuse.

With 65% of people admitting to reusing the same password across multiple accounts (per Google), many IT departments would be wise to scan for these passwords in their environments.

“There are still a lot of organizations that are lacking strong password protections including compromised password scanning. Just look at the report released on the US Department of Interior password practices,” added James, referring to the DOI audit report published earlier this month. “Increasing password security is still one of the highest impact actions an IT department can take to help protect their networks.”

The report, P@s$w0rds at the U.S. Department of the Interior: Easily Cracked Passwords, Lack of Multifactor Authentication, and Other Failures Put Critical DOI Systems at Risk, highlighted many password weaknesses at the DOI, including a high rate of password reuse:

  • 20% of all active accounts had passwords that were used across multiple distinct accounts
  • Half of the top 10 most used passwords contained a combination of the word “password” and the sequence “1234.”
  • 1 domain administrator account (highest privileges) flagged for having a reused password that had not been changed in over 150 days

Whether it’s password reuse between personal and professional accounts or password reuse between professional accounts, this user behavior puts your organization at risk.

How to Find and Block These Reused Passwords in Your Network

Today’s update to the Breached Password Protection service adds over 29.5 million compromised passwords to the list used by Specops Password Auditor.

You can find out how many of your users’ passwords are compromised, or identical to a password used on another account, with a scan from Specops Password Auditor. Specops Password Auditor does not store Active Directory data, nor does it make any changes to Active Directory.

Decrease Your Password Reuse Risk by Blocking These Passwords

With Specops Password Policy and Breached Password Protection, organizations can prevent the use of passwords like these and over 4 billion more known compromised passwords. The list includes passwords being used in real attacks today as well as passwords found on known breached password lists, making it easier to comply with industry regulations such as NIST or NCSC.

Our research team’s attack monitoring data collection systems update the service daily and ensure networks are protected from real world password attacks happening right now. The Breached Password Protection service blocks these banned passwords in Active Directory with customizable end-user messaging that helps reduce calls to the service desk.
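To make the two checks described above concrete, here is an added illustration (not Specops code, and not how the product is implemented) of what an audit of this kind does: flag passwords that contain the social media names from the top-10 list, allowing for the variant spellings the list notes and simple digit-for-letter substitutions, and group accounts that share an identical password. The account and password data below is constructed for the example; a real audit would compare Active Directory NT hashes against a breached-hash list rather than handle plaintext.

```python
import hashlib
from collections import defaultdict
from typing import Iterable, List, Optional, Tuple

# Social media names from the post's top-10 list, including the variant
# spellings it mentions (Snap/Snapchat, Insta/Instagram). Longer forms first so
# the report names the most specific match.
BANNED_TERMS = [
    "linkedin", "snapchat", "instagram", "facebook", "youtube", "twitter",
    "weibo", "skype", "xing", "snap", "insta", "qq",
]

# Undo the most common substitutions so "L1nked1n" or "F@ceb00k" still match.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s"})


def contains_banned_term(password: str) -> Optional[str]:
    """Return the first banned term found in the password after lower-casing
    and undoing leet substitutions, or None if the password is clean."""
    normalized = password.lower().translate(LEET)
    for term in BANNED_TERMS:
        if term in normalized:
            return term
    return None


def find_reused_passwords(creds: Iterable[Tuple[str, str]]) -> List[List[str]]:
    """Group accounts that share an identical password.

    Only a digest of each password is kept, so the report never contains the
    plaintext. Returns one sorted account list per password used more than once.
    """
    groups = defaultdict(list)
    for account, password in creds:
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        groups[digest].append(account)
    return [sorted(accts) for accts in groups.values() if len(accts) > 1]


# Constructed sample data for the example (hypothetical accounts and passwords).
SAMPLE_CREDS = [
    ("alice", "Summer2023!"),
    ("bob", "Summer2023!"),
    ("svc_backup", "Summer2023!"),
    ("carol", "L1nked1n2012"),
    ("dave", "correct-horse-battery"),
]
```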

See how with a demo or free trial.

(Last updated on January 18, 2023)
