Have I Been Pwned & 1Password

Data breach 101: How hackers steal passwords

It's rare that a week goes by without a data breach hitting the news, or someone you know revealing that one of their accounts has been taken over by hackers.

When this occurs, it's natural to ask: Why does this keep happening? What techniques are criminals using to steal account credentials? What can I do to protect myself against pwned passwords?

Let's start with the first two questions. Here are the most common techniques that hackers use:

Social engineering and phishing

Social engineering is an attempt to manipulate you into sharing personal data, like your passwords or phone number. The attacker will try to trick you by posing as someone you know or trust – that could be your manager at work, your bank, or an old friend from college – and coming up with a believable reason why you should share the information with them.

Every time a hacker does this, they're "phishing" for information. Social engineering can take the form of an email, a text message, or a phone call (known as "vishing"). Attackers will often cast a large net and send phishing attacks en masse to hundreds or thousands of people, hoping that someone will be fooled.

Password leaks and credential stuffing

Hackers rarely sit in front of their PC and try different passwords to break into your accounts. It's too time consuming and they'll likely be locked out after a few unsuccessful attempts. Instead, they'll try credentials that have leaked in previous security breaches.

Attackers know that the average person rarely uses different passwords. So if they know a username and password for an old Microsoft account, there's a high chance that the same credentials will work for the owner’s email account. In practice, hackers use specialized software to test stolen credentials on a massive scale across the web. This type of attack is known as credential stuffing.

Dictionary attacks and cracking hashed passwords

Imagine an attacker discovers a database of passwords. There's just one problem: every credential has been scrambled by a hashing algorithm for protection. The attacker could run every possible password through commonly-used hashing algorithms and then check whether the result lines up with anything in the database. But that's hardly efficient.

Instead, attackers will try common words, phrases, or previously-leaked passwords from a predefined list. Once the hacker finds a match, they can attempt to use the now-unscrambled password to access the associated account, or check whether it works on any of the owner's other online accounts.

Okay, so we've covered how hackers steal passwords. Now what can you do to defend yourself against these tactics and data breaches generally?

Protect yourself with a unique password for every service.

The best way to protect yourself online is to use strong, unique passwords for every account. That way, even if your data for one site is compromised, the others stay secure. You can't create or remember hundreds of different passwords but a password manager can. Save time by using 1Password's built-in password generator to create secure passwords for every website and service including Amazon, Instagram, and Gmail.

Enable multi-factor authentication

Multi-factor authentication adds an extra layer of security to your online accounts. Once enabled, a second factor – usually a time-sensitive code - is required on top of your username and password to sign in. 1Password will tell you which websites support multi-factor authentication and act as the authenticator, copying and autofilling your special one-time codes.

Stay on top of security threats with Watchtower

Watchtower tells you about data breaches and other security problems related to your saved items in 1Password. These include websites where you currently have weak or re-used passwords, as well as services where you're yet to use passkeys. Following the notifications in Watchtower is a sure-fire way to strengthen your security and reduce the likelihood of your personal information appearing on the dark web.