Users signed up with the password “123456” 373 times. More than 250 users had the password “cayman.” Almost 400 people used the password “ecaytrade,” according to a database of cracked passwords stolen last year from the eCayTrade website.
The database of encrypted user names and passwords has been available online for a while, but a source provided a database of the cracked passwords (but not the user names) to the Cayman Compass. The source said they broke more than 28,000 of the 40,000-plus passwords in 72 hours and wanted to bring attention to the overuse of passwords and the vulnerability of using the same password for multiple sites.
Hackers stole the database of user names and passwords from the website. The company and the government’s Cyber Incident Response Team Cayman announced the hack in August 2015. The source who provided the passwords, cracked from the encrypted “hash” into plain text, said they first used what’s called a “dictionary” method, encrypting words from a dictionary and running them against the encrypted passwords until they got a match. They then used “brute force,” trying random letter and number combinations to match the remaining passwords. After three days they had cracked almost three-quarters of the passwords.
eCayTrade declined to comment on the record.
Micho Schumann, a cybersecurity expert with KPMG, reviewed the database for the Compass and pointed to several issues that are apparent from looking at the more than 28,000 passwords. The database originally held the email addresses used to log in, along with the passwords.
Mr. Schumann said many people generally re-use passwords across different websites, including their primary email and bank accounts. If someone used the same password for eCayTrade as their email account, all a hacker needs to do is spend the time to crack this database and plug in user names and passwords until they find the ones that work.
“Changing passwords is not easy, I get it,” he said. Mr. Schumann said he uses different passwords for sites and has a password manager to save the passwords. But he keeps the passwords for his email and bank accounts in his head and does not save them to the browser or third-party services like LastPass.
“Email is your single point of failure,” he said. If someone can get into an email account, they can change other passwords.
After the eCay hack, the company emailed users instructing them to change their eCay passwords and any passwords similar to the hacked password.