📚 Password Security Case Studies
Learn from real-world password security incidents and understand how strong password practices protect your digital life. These seven in-depth case studies cover some of the most significant data breaches in history, along with practical lessons and actionable steps you can take right now to protect your accounts. According to the 2023 Verizon Data Breach Investigations Report, over 80% of hacking-related breaches involve stolen or weak credentials — making password security one of the most important aspects of your online safety.
🚨 LinkedIn Breach (2012)
In June 2012, LinkedIn confirmed that approximately 6.5 million password hashes had been posted on a Russian hacker forum. The breach was initially considered serious but manageable. However, the true scale of the attack was not revealed until May 2016, when a hacker known as "Peace" listed 117 million LinkedIn email-and-password combinations for sale on the dark web marketplace "The Real Deal" for approximately 5 Bitcoin (around $2,200 at the time).
The root cause of the breach was LinkedIn's use of SHA-1 hashing without salting. SHA-1 is a fast hashing algorithm, which made it efficient for attackers to use brute-force and rainbow table attacks to reverse the hashes. Security researchers estimated that over 90% of the passwords were cracked within 72 hours of the data being leaked. Common passwords like "123456," "linkedin," and "password" were cracked almost instantly.
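The two storage designs side by side, as an added example that is not part of the original article: an unsalted fast hash (LinkedIn's 2012 scheme) is defeated by a one-time precomputed table, while a random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256 here) makes that table useless. The five-word list and the iteration counts used in the demo are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed five-word list standing in for the common-password dictionaries
# attackers precompute; real lists run to millions of entries.
COMMON_PASSWORDS = ["123456", "linkedin", "password", "qwerty", "letmein"]


def sha1_unsalted(password: str) -> str:
    """Store a password the way LinkedIn did in 2012: one fast, unsalted SHA-1."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist) -> Dict[str, str]:
    """Precompute hash -> password once. Without a salt the same table works
    against every account in every unsalted SHA-1 database, which is what makes
    rainbow-table style precomputation pay off."""
    return {sha1_unsalted(pw): pw for pw in wordlist}


def recover_from_table(hash_hex: str, table: Dict[str, str]) -> Optional[str]:
    """A leaked unsalted hash falls to a dictionary lookup; no guessing at all."""
    return table.get(hash_hex)


def pbkdf2_salted(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Store a password with a random 16-byte salt and a deliberately slow KDF.
    The salt makes precomputed tables useless; the iterations make each guess
    expensive."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, stored: bytes,
                  iterations: int = 600_000) -> bool:
    """Constant-time comparison of a login attempt against the stored digest."""
    _, candidate = pbkdf2_salted(password, salt, iterations)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    # Two users with the same password: identical unsalted hashes, so cracking one
    # reveals both, and the precomputed table finds it instantly.
    alice, bob = sha1_unsalted("password"), sha1_unsalted("password")
    print(alice == bob, recover_from_table(alice, table))        # True password
    # The same two users under salted PBKDF2 (low iterations only to keep the demo
    # fast): different digests, and the table lookup finds nothing.
    s1, d1 = pbkdf2_salted("password", iterations=10_000)
    s2, d2 = pbkdf2_salted("password", iterations=10_000)
    print(d1 == d2, recover_from_table(d1.hex(), table))          # False None
    print(verify_salted("password", s1, d1, iterations=10_000))  # True
```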
The timeline is notable: LinkedIn was breached in 2012, but the full dataset did not surface publicly until 2016 — a four-year window during which millions of users remained unaware their credentials were compromised. During this period, attackers could use credential stuffing techniques to access other services where users had reused the same password. A 2019 Google study found that 65% of people reuse the same password across multiple accounts, making breaches like this exponentially more dangerous.
What users could have done differently: Users who had unique, complex passwords for their LinkedIn account were largely protected even when the hashes leaked. Those who used a password manager to generate and store random passwords would have been unaffected on other platforms. Enabling two-factor authentication (which LinkedIn added after the breach) would have provided a critical second layer of defense.
🎯 LastPass Master Password Breach (2022)
In August 2022, LastPass disclosed that an unauthorized party gained access to portions of their development environment through a compromised developer account. The attacker stole source code and proprietary technical information. Then, in November 2022, LastPass revealed a far more serious second incident: the attacker had used information obtained in the first breach to target a LastPass employee, gaining access to cloud storage resources that contained both current and archived backup data — including encrypted password vaults belonging to more than 25 million users.
The encrypted vaults used AES-256 encryption, which is considered extremely robust. However, the encryption key for each vault was derived from the user's master password using PBKDF2-SHA256. LastPass had set a minimum master password length of 12 characters, but older accounts created before that policy change may have had shorter, weaker master passwords. Security researcher Wladimir Palant noted that LastPass had used only 100,100 PBKDF2 iterations for some accounts — far below the OWASP recommendation of 600,000 iterations for PBKDF2-SHA256 (as of 2023).
This meant that users with weak or common master passwords were potentially vulnerable to brute-force attacks. Security experts estimated that a master password of 8 lowercase characters could be cracked in a matter of hours using modern GPU hardware. By contrast, a 16-character master password with mixed character types would take billions of years to crack with current technology. In the months following the disclosure, multiple cryptocurrency thefts totaling over $35 million were linked to decrypted LastPass vaults, according to blockchain researcher ZachXBT.
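The arithmetic behind the two estimates above, as an added example that is not part of the original article: vault-key derivation with PBKDF2-HMAC-SHA256 at the two iteration counts the text cites, and the expected time to exhaust an 8-lowercase versus a 16-character mixed keyspace. The attacker throughput (`ASSUMED_HMAC_PER_SECOND`) is an assumed placeholder, so treat the absolute times as illustrative and the ratios as the point.

```python
import hashlib

SECONDS_PER_YEAR = 365.25 * 24 * 3600
LASTPASS_OLD_ITERATIONS = 100_100   # count reported for some accounts (from the text)
OWASP_ITERATIONS = 600_000          # OWASP recommendation for PBKDF2-HMAC-SHA256 (from the text)
# Assumed attacker throughput in HMAC-SHA256 evaluations per second. This is a
# placeholder for the arithmetic; real rigs differ by orders of magnitude, and
# every time estimate below scales linearly with it.
ASSUMED_HMAC_PER_SECOND = 1e10


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Vault-key derivation as the text describes it: PBKDF2-HMAC-SHA256, 32-byte key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def keyspace(alphabet_size: int, length: int) -> int:
    return alphabet_size ** length


def guesses_per_second(iterations: int,
                       hmac_per_second: float = ASSUMED_HMAC_PER_SECOND) -> float:
    """Each PBKDF2 guess costs roughly `iterations` HMAC evaluations, so raising
    the count slows the attacker linearly."""
    return hmac_per_second / iterations


def expected_crack_seconds(alphabet_size: int, length: int, iterations: int,
                           hmac_per_second: float = ASSUMED_HMAC_PER_SECOND) -> float:
    """Expected time to hit a uniformly random password: half the keyspace on average."""
    guesses = keyspace(alphabet_size, length) / 2
    return guesses / guesses_per_second(iterations, hmac_per_second)


def human_time(seconds: float) -> str:
    years = seconds / SECONDS_PER_YEAR
    if years >= 1:
        return f"{years:.3g} years"
    if seconds >= 3600:
        return f"{seconds / 3600:.3g} hours"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed; a real salt is random per user
    for iters in (LASTPASS_OLD_ITERATIONS, OWASP_ITERATIONS):
        print(iters, derive_vault_key("correct horse battery staple", salt, iters).hex()[:16])
    # 8 lowercase letters (26^8) versus 16 characters drawn from the 95 printable
    # ASCII symbols (95^16): length beats iterations by many orders of magnitude.
    for label, alphabet, length in (("8 lowercase", 26, 8), ("16 mixed", 95, 16)):
        for iters in (LASTPASS_OLD_ITERATIONS, OWASP_ITERATIONS):
            print(label, iters, human_time(expected_crack_seconds(alphabet, length, iters)))
```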
What users could have done differently: Users should have used a master password of at least 16 characters — ideally a passphrase of four or more random words. They should also have ensured their PBKDF2 iteration count was set to the maximum available in their LastPass settings. After the breach disclosure, changing the master password and rotating all stored credentials was critical. Users storing high-value information like cryptocurrency seed phrases should consider dedicated hardware solutions rather than cloud-based password managers.

💳 Adobe Breach (2013)
In October 2013, Adobe Systems confirmed a massive data breach that affected approximately 153 million user accounts — far more than the initial estimate of 2.9 million. Attackers gained access to Adobe's network and exfiltrated a database containing user IDs, encrypted passwords, email addresses, and password hints. Additionally, source code for several Adobe products including ColdFusion, Acrobat, and Reader was stolen.
The critical failure in Adobe's security was their use of 3DES (Triple DES) encryption in ECB (Electronic Codebook) mode for storing passwords. Unlike proper password hashing with salting, 3DES-ECB encryption meant that identical passwords produced identical ciphertext. This allowed researchers and attackers to identify the most common passwords by frequency analysis alone — without actually decrypting them. Security researcher Jeremi Gosney found that "123456" was used by nearly 1.9 million accounts, "123456789" by 446,000 accounts, and "password" by 345,000 accounts.
Making matters worse, Adobe stored password hints in plain text alongside the encrypted passwords. Many users had written hints that were essentially the password itself — hints like "the word password" or "one two three four five six." The combination of ECB-mode encryption and plaintext hints created what security researchers described as "the world's largest crossword puzzle," where cracking one account's password could instantly reveal the password for thousands of other accounts using the same encrypted value.
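The "crossword puzzle" in code, as an added example that is not part of the original article: ECB mode encrypts each 8-byte block independently with no IV, so equal passwords (and equal 8-byte prefixes) produce equal ciphertexts, and frequency analysis plus the plaintext hints recovers passwords without the key. The standard library has no 3DES, so a keyed HMAC truncated to 8 bytes stands in for the block cipher; it reproduces the one property that matters here (same key and block give the same output). The account records are constructed.

```python
import hmac
import hashlib
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

BLOCK = 8  # 3DES operates on 8-byte blocks
# Stand-in for the server-side key Adobe held; it never leaked, so nobody could decrypt.
SERVER_KEY = b"constructed-server-key"


def encrypt_block(block: bytes, key: bytes) -> bytes:
    """Deterministic keyed block function standing in for one 3DES encryption."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def ecb_encrypt(password: str, key: bytes = SERVER_KEY) -> bytes:
    """ECB mode: zero-pad to a block multiple, encrypt each block independently, no IV."""
    data = password.encode("utf-8")
    data += b"\x00" * (-len(data) % BLOCK)
    return b"".join(encrypt_block(data[i:i + BLOCK], key)
                    for i in range(0, len(data), BLOCK))


def frequency_table(records: List[Tuple[bytes, str]]) -> Counter:
    """Rank ciphertexts by the number of accounts sharing them: the most common
    ciphertext is almost certainly the most common password, no key required."""
    return Counter(ct for ct, _ in records)


def hints_by_ciphertext(records: List[Tuple[bytes, str]]) -> Dict[bytes, List[str]]:
    """Group the plaintext hints under each ciphertext: one telling hint gives
    away the password for every account that shares that ciphertext."""
    groups: Dict[bytes, List[str]] = defaultdict(list)
    for ct, hint in records:
        if hint:
            groups[ct].append(hint)
    return groups


# Constructed miniature of the leaked table: (password, hint). In the real dump
# attackers saw only ciphertext and hint; the passwords below exist only to build it.
_CONSTRUCTED_ACCOUNTS = [("123456", "one two three four five six"), ("123456", ""),
                         ("123456", "numbers"), ("password", "the word password"),
                         ("password", ""), ("letmein", "let me in"), ("123456789", "1-9")]
LEAK = [(ecb_encrypt(pw), hint) for pw, hint in _CONSTRUCTED_ACCOUNTS]


if __name__ == "__main__":
    top_ct, count = frequency_table(LEAK).most_common(1)[0]
    print(count, hints_by_ciphertext(LEAK)[top_ct])  # 3 ['one two three four five six', 'numbers']
    # ECB also leaks shared prefixes: the first block of "123456789" equals all of "12345678".
    print(ecb_encrypt("123456789")[:BLOCK] == ecb_encrypt("12345678"))  # True
```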
What users could have done differently: Users should never rely on a service's password hint feature. Instead, use a password manager that securely stores your credentials. Generate unique, random passwords for each account — if your Adobe password was unique and complex, the breach would have been limited to that single account. Users who received notification of the breach should have immediately changed their Adobe password and any other accounts where they used the same credentials.
✅ Success Story: Multi-Factor Authentication Saves the Day
In early 2023, a small e-commerce business owner in Ontario, Canada received an urgent email notification from their Google Workspace account: a sign-in attempt had been detected from an IP address in Eastern Europe. The attacker had obtained the business owner's correct email and password through a sophisticated phishing campaign that mimicked a legitimate Google security alert. The phishing email had been crafted using the business's actual branding and appeared in the same email thread as previous genuine Google notifications.
Despite having the correct credentials, the attacker was stopped cold by the business owner's TOTP-based two-factor authentication (using Google Authenticator). The 6-digit code changes every 30 seconds and is generated locally on the owner's phone, so the remote attacker had no way to obtain it. The failed login attempt triggered an automatic alert, and the business owner was notified within seconds. According to Google's 2023 security research, accounts with 2FA enabled block 100% of automated bot attacks, 99% of bulk phishing attacks, and 90% of targeted attacks.
The business owner took immediate action: they changed their Google password to a new 20-character random passphrase generated by their password manager, reviewed all recent account activity, checked connected third-party applications for any unauthorized access, and enabled Google's Advanced Protection Program for additional security. They also conducted a brief audit of their other business accounts and ensured 2FA was enabled on all critical services including their payment processor, hosting provider, and social media accounts.
What made the difference: A Microsoft study published in 2019 found that multi-factor authentication prevents 99.9% of account compromise attacks. The small investment of time required to set up 2FA — typically 5 minutes per account — provided complete protection against what could have been a devastating business breach. The business owner estimated that a successful account takeover could have exposed customer payment data, resulting in potential losses exceeding $50,000 in liability and reputational damage.
📦 Collection #1 Data Breach (2019)
In January 2019, security researcher Troy Hunt — the creator of Have I Been Pwned — discovered a massive collection of breached data being distributed on the cloud storage service MEGA and across popular hacking forums. Dubbed "Collection #1," the dataset contained approximately 2.7 billion rows of email addresses and passwords, comprising 773 million unique email addresses and 21 million unique plaintext passwords sourced from thousands of different data breaches spanning several years.
Collection #1 was not a single breach but rather an aggregation of credentials stolen from over 2,000 different databases. The data had been compiled, deduplicated, and organized by unknown actors specifically for use in credential stuffing attacks — automated attacks where bots try leaked username-password combinations against hundreds of websites simultaneously. The file structure revealed folder names referencing specific breaches and websites, indicating a methodical approach to collecting and categorizing stolen data over many years.
The discovery highlighted a critical reality of modern cybersecurity: even if you changed your password after a single breach, your old credentials might still circulate in compiled datasets for years. Researchers at the Digital Shadows Photon Research team estimated that over 15 billion stolen credentials were circulating on the dark web as of 2020. The sheer volume of Collection #1 made it one of the largest public compilations ever discovered, though subsequent discoveries (Collections #2 through #5) added billions more records, bringing the total to over 25 billion credential pairs.
What users could have done differently: The most effective defense against credential compilation attacks is using a unique password for every single account. With a password manager, this is effortless. Users should regularly check their email addresses against Have I Been Pwned (haveibeenpwned.com) to identify which of their accounts have appeared in known breaches. Any password that has appeared in a breach — regardless of how long ago — should be considered permanently compromised and changed immediately across all accounts where it was used.
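The check against Have I Been Pwned's Pwned Passwords service, as an added example that is not part of the original article: the range API uses k-anonymity, so only the first five hex characters of the password's SHA-1 are sent and the remaining 35 are matched locally against the returned `SUFFIX:COUNT` lines. The response body below is constructed (real responses carry several hundred lines and real counts), and the `fetch` callable is left to the caller so the logic runs offline.

```python
import hashlib
from typing import Callable, Tuple

PWNED_RANGE_API = "https://api.pwnedpasswords.com/range/"  # real endpoint: 5-hex-char prefix


def split_sha1(password: str) -> Tuple[str, str]:
    """k-anonymity split: the 5-character prefix is all that leaves the client;
    the 35-character suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(prefix: str) -> str:
    return PWNED_RANGE_API + prefix


def count_in_range_response(suffix: str, body: str) -> int:
    """Parse the 'SUFFIX:COUNT' lines returned for a prefix and look up our suffix
    locally. 0 means the password does not appear in the corpus."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def is_breached(password: str, fetch: Callable[[str], str]) -> bool:
    """`fetch(prefix) -> body` is supplied by the caller (an HTTP client online, a
    canned body offline), so this function never sends more than the prefix."""
    prefix, suffix = split_sha1(password)
    return count_in_range_response(suffix, fetch(prefix)) > 0


# Constructed stand-in for the body returned for prefix 5BAA6; the counts are made up.
CONSTRUCTED_BODY = "\r\n".join([
    "1E2F7A1F4C0E1B6C3A4D5E6F708192A3B4C:2",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567",
    "1E5D0A3B4C5D6E7F8091A2B3C4D5E6F7081:1",
])


if __name__ == "__main__":
    prefix, suffix = split_sha1("password")
    print(range_url(prefix))                                        # .../range/5BAA6
    print(is_breached("password", lambda _prefix: CONSTRUCTED_BODY))  # True
```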
🔓 RockYou Breach (2009) — A Window Into Common Password Patterns
In December 2009, hackers exploited a SQL injection vulnerability in RockYou, a company that developed widgets and applications for social media platforms like Facebook and MySpace. The breach exposed approximately 32 million user accounts — and critically, the passwords were stored in plain text with no hashing or encryption whatsoever. This made the RockYou dataset one of the most valuable resources in the history of password security research, as it provided an unfiltered look at how real people actually create passwords.
Analysis of the RockYou dataset by security researchers revealed disturbing patterns. The most common password was "123456," used by nearly 291,000 accounts (about 0.9% of all users). The top 10 passwords — which also included "12345," "123456789," "password," "iloveyou," "princess," "rockyou," "1234567," "12345678," and "abc123" — accounted for over 2% of all accounts. Roughly 30% of users chose passwords of six characters or fewer, and nearly 50% used passwords composed entirely of lowercase letters or digits.
The RockYou password list became the de facto standard wordlist used in penetration testing and password cracking. Tools like Hashcat and John the Ripper include it as a default dictionary. This means that any password appearing in the RockYou list (or following its common patterns) can be cracked in seconds during any future breach. Researchers at Carnegie Mellon University later used the dataset to develop password strength meters that predict how easily a given password could be guessed based on known human password-creation patterns.
What users could have done differently: Users should avoid creating passwords based on common words, names, keyboard patterns, or simple number sequences. A random 16-character password generated by a password manager would never appear in any wordlist and would resist brute-force attacks for billions of years. The RockYou breach proved that human-created passwords follow predictable patterns that attackers systematically exploit.
🔑 Passkeys: The Passwordless Future in Action (2023–2025)
Beginning in late 2022, the FIDO Alliance — backed by Apple, Google, and Microsoft — launched a coordinated effort to replace traditional passwords with passkeys, a form of passwordless authentication built on the FIDO2/WebAuthn standard. By mid-2024, passkeys were supported natively across iOS, Android, macOS, Windows, and all major browsers. Major services including Google, Apple, Amazon, PayPal, GitHub, WhatsApp, and hundreds of others had implemented passkey sign-in, and early adoption numbers were striking: Google reported that over 400 million accounts had used passkeys by late 2024.
Passkeys work by generating a unique cryptographic key pair for each account. The private key never leaves your device (it is stored in the device's secure hardware enclave, such as Apple's Secure Enclave or Android's Titan chip), while the public key is shared with the website. During authentication, the site sends a challenge that only the private key can sign; the device unlocks that key with biometrics (fingerprint or face scan) or a device PIN. Because the private key is never transmitted over the network, passkeys are inherently immune to phishing, credential stuffing, and server-side breaches.
Real-world results have been impressive. Google's internal deployment of FIDO2 security keys (a precursor to passkeys) across its 85,000+ employees in 2018 resulted in zero successful phishing attacks — down from an average of several per week. On the consumer side, Kayak reported that passkey users signed in 4x faster than password users, and Shopify saw a 50% reduction in support tickets related to account access after implementing passkeys. The FIDO Alliance's 2024 Consumer Sentiment Survey found that 57% of users who tried passkeys preferred them over traditional passwords.
What you can do now: Check whether your most important accounts (email, banking, social media) support passkeys and enable them. On Apple devices, passkeys sync via iCloud Keychain; on Android, they sync via Google Password Manager. Major password managers like 1Password, Bitwarden, and Dashlane now also support storing and syncing passkeys across platforms. While passkeys are not yet available everywhere, enabling them on supported accounts eliminates entire categories of attacks for those services.
Last Updated: February 12, 2026 | Author: Simon Desjardins-Hogue
Learn from real-world password security incidents and understand how strong practices protect your digital life. According to Verizon's 2023 DBIR, over 80% of hacking-related breaches involve stolen or weak credentials.
🚨 LinkedIn Breach (2012)
In June 2012, LinkedIn confirmed that approximately 6.5 million password hashes had been posted on a Russian hacker forum. The true scale was not revealed until May 2016, when 117 million LinkedIn email/password combinations were put up for sale on the dark web. The root cause: the use of SHA-1 without salting, which let attackers crack over 90% of the passwords within 72 hours.
🏦 Yahoo Breach (2013–2014)
Yahoo suffered two major breaches: 500 million accounts in 2014 and 1 billion in 2013. The total figure of 3 billion compromised accounts was revealed in 2017 during the acquisition by Verizon. Passwords were hashed with MD5 without salting, even weaker than SHA-1.
🎮 RockYou Breach (2009)
The RockYou breach exposed 32 million passwords stored in unencrypted plain text. Analysis of the passwords revealed users' disastrous habits: "123456" was the most common password, used by 290,000 people. This database became the reference password list ("rockyou.txt") used in dictionary attacks.
🔑 The Rise of Passkeys: The Future of Authentication
Passkeys represent the most significant advance in authentication security in decades. They eliminate passwords entirely for supported services, making phishing and credential theft technically impossible. Google's internal FIDO2 deployment across 85,000+ employees in 2018 resulted in zero successful phishing attacks.