Why you must not use the same password in several places


Using one password everywhere is certainly very convenient, but also extremely dangerous. As an example, consider what happened to a young designer, Mark.

Mark is an average internet user: he uses e-mail, Facebook, Instagram, Amazon, he also has an account on eBay, Steam and Battle.net. Of course, he also has accounts at many online stores and forums dedicated to his favorite video game. All accounts are linked to his email address.

One day, there was a leak from the customer database of one of the online stores where Mark had an account. It turned out that the data was most likely stored unencrypted on a server with open access. Instead of information about payment cards, e-mail addresses, names, surnames and passwords were stolen. At first glance, there seemed to be nothing to worry about. Leaks like this do happen sometimes, and the store in question was small – after all, can you blame the humble seller for not being a cybersecurity expert?

The cybercriminals who captured the database decided to try their luck – maybe someone on the list they had obtained used the same password for their e-mail account? It worked: Mark used a single password everywhere, which allowed the cybercriminals to access his e-mail. There, they found not only the photos Mark had sent to Lucy, but also messages from Amazon, eBay, and more. It only took one attempt to log into the Amazon account to find out that Mark was using the same password for those accounts as well.

After discovering which credit card was linked to the Amazon account, the cybercriminals quickly bought several iPhone X phones. On Facebook, they asked Mark’s friends for money, posting this message in his name: “I urgently need to borrow some money. I’ll be paid tomorrow, so I’ll pay it back – I promise!” Among those who read the post were Mark’s real friends, who sent money – to the cybercriminals, of course.

However, the attackers did not stop there. They changed the passwords for all the accounts they could access – that is, in Mark’s case, literally all of them.

One of Mark’s friends on Facebook realized that something was wrong. He called Mark to make sure he really needed the money. Frightened, Mark quickly tried to change his Facebook password. Unfortunately, it had already been changed by the cybercriminals and Mark had been logged out. In an attempt to restore his password, he asked technical support to generate a reset link and send it to his e-mail – but he could not get into his e-mail either, for the same reason.

Mark realized that his entire virtual life had been hacked. He called the bank, blocked the funds on his credit card, tried desperately to change the password for several sites that had not yet been taken over by strangers, and called friends to explain that it was not him who had asked for the money. He apologized to those who had sent money to the fraudsters and promised to repay the “loan”.

Ultimately, he concluded that he should never use the same password for different services, and that he would never do so again. He also turned on two-factor authentication wherever possible.