One of my previous jobs was as a security specialist at a company that specializes in penetration testing, or ethical hacking, and some of the methods used truly astonished me. Without getting into specifics I can say with certainty that hackers can gain access to pretty much any online data through a variety of measures though using programs to data-mine social media and then guess usernames and passwords is one of the more common.
I still have a few good friends working at that company and one of their more recent hacks that actually surprised me was on a very large national bank, one whose name everyone would recognize and that I have my primary checking account at, that my friend was able to grant himself root within 36 hours. In that case the sys admin's username was admin and his password was the bank's name plus the number 1.
BINGO!
This is why I don't participate in a lot of those stupid online "games" people play in social media.
I won't address corporate security, but there is a LOT that people can do for their own PERSONAL security. (Some of which, obviously, carries over to corporations...which are, after all, run by people.)
When people make up passwords, they tend to do so based on human foibles. In general, they want a password they can easily remember that they THINK will be difficult for others to guess. But there are patterns people follow, nonetheless. And this makes determining other people's passwords a less random process than most people would like to believe.
How many people, for example, would consider using a random password generator that would use all 26 letters of the alphabet (upper and lower case), all 9 digits, and 32 non-alphanumeric characters to generate, say, a 17 character long password?
The answer to that is, of course, "darn few".
The answer to that is further reduced to "almost nobody ever" when you consider every site one logs into should have its own unique password, and the numbers of sites people these days routinely access. Several social media sites, various forums, subscription news sites, all kinds of entertainment sites, banking sites, multiple email sites, work computer access, etc.
The fact of the matter is most people pick something that's easy for them to remember. And further, they don't routinely change those passwords for EXACTLY that same reason. And because of this, vulnerabilities exist which others who understand this can exploit, even without the use of spyware.
Sure...it may take a lot of tries to obtain one valid password for a given person. But hackers are cultivating literally MILLIONS of potential victims. If they get just one password from one victim out of every 5,000...they have a toehold. Now they can further refine their attempts using that one known good password (and maybe any patterns they recognize within it) on multiple websites for those people and discover who is using identical passwords for multiple sites.
Security is serious...but when you allow "convenience" to circumvent "security", then you increase your vulnerability.
This is why security in various sites (banking sites, for example) is multi-layered, with options you can use to your benefit. Multiple unsuccessful attempts may notify an account holder of an attempted hack and request verification or that you reset your password. Logging on from a different location/device may trigger a verification process such as a text to your registered phone for a verification number you must enter to complete the login process. Maybe a requirement to periodically change your password every 3 months.
It all boils down to this:
- Be smart about what you post.
- Be smart about selection and resetting of passwords.
- Take your security as seriously as you would expect the sites you log into to do.
- At the first sign of any problems, immediately change your passwords...and do this across the board if there is even a HINT this could be used elsewhere (like if you use the same or similar password patterns in multiple sites).
For your internet buying transactions...consider the following practices to limit any damages if some sites ARE hacked:
- Use what I like to call an "internet credit card". For me, this is an intentionally low credit limit card (mine is $600) which you use to make the vast majority of your internet purchases. If it gets hacked, even if the credit card company should refuse to side with you on a dispute, the potential liability is seriously limited with a small credit limit...unlike using a credit card that can potentially be charged up tens of thousands of dollars.
- For all purchases from sites you don't expect to routinely make purchases from, make your purchases as a "guest" and don't create an account where you save your credit card info to their site.
- If you have accounts on websites which you really don't frequent for purchases any more...close those accounts. You can always buy as "guest", or maybe even create a new account at a later date.
- Change your passwords periodically. ESPECIALLY if a site is hacked.
- Cancel any credit cards or accounts which may have been compromised. Your financial institutions will be HAPPY to send you new credit cards if you even THINK yours may have been compromised. It's in their best interest to do so, too.
- Anything else that throws a monkey wrench in the works.
There are any number of other ways to increase your personal internet security in these matters. And each step you take is a very serious impediment to a hacker. Remember...out of the millions of potential victims, it's the easy ones most hackers are after. Simply make things more difficult and you will have improved your security standing quite significantly.
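The random generator described in the post above (letters in both cases, digits, and 32 non-alphanumeric characters, producing a 17-character password) is easy to put in numbers. The script below is an added example, not code from the original thread: it builds that character set from Python's `string` constants (`string.punctuation` happens to contain exactly 32 characters), draws the password with the `secrets` module (the CSPRNG you want for this, not `random`), and compares the resulting search space with the "company name plus a digit" pattern from the first post. The 10,000-word dictionary size and the guess rate used for the comparison are assumptions chosen for illustration, not figures from the thread.

```python
import math
import secrets
import string

# Character set as the post describes it: upper- and lower-case letters,
# the digits, and the 32 non-alphanumeric characters in string.punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 17, alphabet: str = ALPHABET) -> str:
    """Draw each character with secrets.choice, which uses the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def pattern_entropy_bits(dictionary_size: int, suffix_digits: int) -> float:
    """Entropy of a 'word from a list plus N digits' password, assuming the
    attacker knows the pattern (dictionary_size is an assumed figure)."""
    return math.log2(dictionary_size * 10 ** suffix_digits)


def expected_seconds_to_guess(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time for an exhaustive search: half the key space on average."""
    return (2 ** entropy_bits) / 2 / guesses_per_second


def uses_only_alphabet(password: str, alphabet: str = ALPHABET) -> bool:
    """Sanity check that a generated password stayed inside the intended set."""
    return all(ch in alphabet for ch in password)


if __name__ == "__main__":
    pw = generate_password()
    print("generated:", pw, "length:", len(pw))

    rate = 1e10  # assumed offline guess rate, for illustration only
    strong = random_entropy_bits(17, len(ALPHABET))
    weak = pattern_entropy_bits(dictionary_size=10_000, suffix_digits=1)
    print(f"17 random chars from {len(ALPHABET)} symbols: {strong:.1f} bits,"
          f" ~{expected_seconds_to_guess(strong, rate):.3g} s to search")
    print(f"'name + one digit' pattern: {weak:.1f} bits,"
          f" ~{expected_seconds_to_guess(weak, rate):.3g} s to search")
```

The point the numbers make is the one the post makes in words: a 17-character password drawn uniformly from 94 symbols is over 100 bits of entropy, while a password that follows a guessable pattern is a handful of bits regardless of how long the name is, because the attacker enumerates the pattern rather than the characters.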