This is the main way accounts get hacked.
Here is the workflow for typical account cracking. I'm using Netflix and Spotify as example websites:
- Part of Netflix's database gets hacked.
- 25% of their users' emails, usernames, passwords, and the last 4 digits of their cards are leaked.
- Netflix force-resets those users' passwords: they cannot log in until they pick a new one, so nobody can use the leaked passwords to get into the affected accounts.
- You have to reset your Netflix password, which sucks, but you think nothing more of it. You are annoyed that you have to remember yet another password, so you are likely to pick one similar to the last one. You likely go with "balls4202!!" instead of "balls420!!".
- You still use the password "balls420!!" for Spotify.
- A person runs that whole list of Netflix emails and passwords through a piece of software called a checker.
- The checker just tries to log in to all the most popular websites with those usernames and passwords.
- The checker catches that your Spotify account uses that password.
- Now your Spotify account has been hacked.
- Checkers can also try common variations on passwords, think:
  - password
  - password1
  - password/
  - password2024!
  - p@ssword
  - p@$$w0rd
  - Password
  - P@$$w0rd
- That check for common variations might catch "balls4202!!" on Netflix.
- Now your Netflix account has been hacked, for real this time.
- Any other accounts with the same password are likely to be hacked too, so if your bank account uses the same password as your Club Penguin account, that is BAD!!!
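A defender-side check that follows from the reset step above: when a user picks a new password after a breach, reject one that is only a trivial variation of the old one (same core word with different trailing digits, or the same word in leet-speak). This is an added example, not code from the original post; the leet-speak table, the stemming rules and the edit-distance threshold are my own assumptions.

```python
import re

# Assumed leet-speak table: undo the substitutions a checker would try.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def stem(password: str) -> str:
    """Reduce a password to its core word: lowercase, drop the trailing
    digits/symbols people bolt on ("2024!", "/", "!!"), undo leet-speak,
    then drop any leading symbols. "balls4202!!" and "balls420!!" both
    become "balls"; "P@$$w0rd" becomes "password"."""
    s = password.lower()
    s = re.sub(r"[^a-z]+$", "", s)
    s = s.translate(LEET)
    s = re.sub(r"^[^a-z]+", "", s)
    return s or password.lower()  # all-digit/symbol passwords have no word stem


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def too_similar(new_pw: str, old_pw: str, max_distance: int = 2) -> bool:
    """True if new_pw is a trivial variation of old_pw and should be rejected
    at reset time. max_distance is an assumed threshold, not a standard."""
    new_l, old_l = new_pw.lower(), old_pw.lower()
    if new_l == old_l or stem(new_pw) == stem(old_pw):
        return True
    return levenshtein(new_l, old_l) <= max_distance


if __name__ == "__main__":
    # Constructed reset attempts: (old leaked password, proposed new password)
    attempts = [
        ("balls420!!", "balls4202!!"),
        ("password", "P@$$w0rd"),
        ("password1", "password2024!"),
        ("balls420!!", "correct horse battery staple"),
    ]
    for old, new in attempts:
        verdict = "REJECT" if too_similar(new, old) else "accept"
        print(f"{verdict}: {old!r} -> {new!r}")
```

The same check can be run against the passwords from the leaked list itself, not just the user's previous one, so a reset cannot land on a variation of anything already in a checker's hands.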