- Cyber Safe Center Newsletter
Breached passwords & Instagram clarifies password resets
Today's newsletter covers Breached passwords & Instagram clarifies password resets.

In this issue:
- Breached passwords
- Instagram clarifies password resets
- Data breaches this week
Breached passwords
My husband's CreditKarma account was taken over a few weeks ago.
We had each set up our accounts years ago when we wanted to see our credit history before purchasing a house. My husband used a password that he frequently used on multiple sites. One of those other websites had a security breach where the email addresses and passwords were stolen.
Hackers have automated tools that try those emails and passwords across thousands of sites in order to break in. They were successful logging in to CreditKarma with one of his email addresses and a password he used in multiple places.
Luckily he was notified by CreditKarma about the password reset, so he used the chat feature on the official Credit Karma website and they were able to delete his account completely.
Every year we get a fresh reminder that attackers do not need movie-style hacking. They just need us to keep doing what humans do when we are tired, busy, or trying to get through a signup screen as fast as possible.
When I saw the password he had saved into our password manager, I was in shock. It was an extremely "weak" password of four characters and four numbers, and he used it in many places, but I didn't know it was on a website that has all our credit history (luckily, our credit is frozen, as I recommended in this article).
The practical outcome is simple: if a password is common, short, or reused, it is not a lock. It is a speed bump.
Most people are not defending one account. They are defending dozens. When one site leaks login data, attackers try the same email and password everywhere else. That is credential stuffing, and it is why “I only use that password on one site” is a statement worth verifying, not assuming.
According to NordPass’s 2025 analysis, “123456” continues to show up as the world’s most common password, and that is not a quirky trivia fact. A GovTech summary of 2025 data points to “admin” as the most common password in the U.S., followed closely by classics like “password” and number sequences (“123456”, “12345678”, “123456789”).
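To make "common, short, or reused" concrete, here is an added example (not part of the original newsletter) that audits a password list the way a password manager's health check might. The 14-character threshold, the pattern rule, and the sample vault are assumptions constructed for illustration; the common-password list is the five named above.

```python
import re
from collections import defaultdict

# The five most-common passwords named in this newsletter.
COMMON = {"123456", "admin", "password", "12345678", "123456789"}
MIN_LENGTH = 14  # assumption: threshold chosen for this example
# Predictable shape: letters, then digits, then at most one symbol,
# e.g. four letters + four numbers, or "Summer2025!".
PREDICTABLE = re.compile(r"^[A-Za-z]+\d+[^A-Za-z0-9]?$")

def audit_vault(entries):
    """entries: list of (site, password). Returns {site: [reasons]} for weak entries."""
    sites_by_password = defaultdict(set)
    for site, password in entries:
        sites_by_password[password].add(site)
    findings = {}
    for site, password in entries:
        reasons = []
        if password.lower() in COMMON:
            reasons.append("common")
        if len(password) < MIN_LENGTH:
            reasons.append("short")
        if len(sites_by_password[password]) > 1:
            reasons.append("reused")
        if PREDICTABLE.match(password):
            reasons.append("predictable pattern")
        if reasons:
            findings[site] = reasons
    return findings

# Constructed sample vault (all sites and passwords are made up).
SAMPLE_VAULT = [
    ("credit-monitor.example", "abcd1234"),
    ("forum.example", "abcd1234"),
    ("shop.example", "Summer2025!"),
    ("router.example", "admin"),
    ("email.example", "kettle-orbit-walnut-prism-lantern"),
]

if __name__ == "__main__":
    for site, reasons in audit_vault(SAMPLE_VAULT).items():
        print(f"{site}: {', '.join(reasons)}")
```

The reused entry is the one that matters most for credential stuffing: a leak at the forum exposes the credit-monitoring login too.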
You do not need superhero-level memory. You need better defaults.
1) Use a password manager for the heavy lifting.
Let it generate long, random passwords for accounts you rarely type (shopping sites, forums, airline accounts, subscriptions). Read more about password managers in my article here.
2) For the passwords you must type, use passphrases.
A long passphrase (several unrelated words) is easier to remember and harder to crack than “Summer2025!” style passwords.
3) Turn on multi-factor authentication, but pick the stronger options.
Or move to passkeys as I explained in this article when a service offers them.
4) Fix the “top five” accounts first.
If you only do one thing today, do it where it matters most:
- Email (because it resets everything else)
- Financial accounts
- Mobile carrier account (SIM swap risk)
- Cloud storage and photo backups
- Primary social accounts
Passwords are not going away overnight, but the “passwords as your only line of defense” era is ending. The safest move is to assume attackers can guess what humans guess, then build your logins so guessing stops working.

Instagram clarifies password resets
Did you get an Instagram password reset email this week? If yes, it might have been the real thing.
Recently, many Instagram users were surprised to find password reset emails in their inboxes even though they had not asked for one. This unexpected surge of messages sparked widespread concern that the platform might have suffered a data breach or compromise. However, Instagram has now issued clear guidance to help users understand what happened and how to respond safely.
According to Instagram’s latest update, receiving a reset email does not mean that your account has been hacked. The company says that a technical issue allowed a third party to trigger password reset messages, but emphasized that there was no breach of its systems and that user accounts remain secure. The problem has since been fixed. Users who received these emails can ignore them if they did not initiate the request.
To help users distinguish legitimate emails from scams, Instagram’s clarification explains how to identify real security messages. Official password reset notifications typically come from addresses ending in @mail.instagram.com. Because display names can be spoofed, checking the full sender address in the email header is an important step in verifying authenticity before taking any action.
Or more simply, if you didn't request a password reset, delete the email.
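Here is what "check the full sender address, not the display name" looks like in practice, as an added example that is not part of Instagram's guidance or the original newsletter. The sample messages and the .example domains are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

OFFICIAL_DOMAIN = "mail.instagram.com"  # sender domain named in the newsletter

def classify_sender(raw_message):
    """Classify a message by the domain of its From address, not its display name."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    if domain == OFFICIAL_DOMAIN:
        return "official domain"
    if OFFICIAL_DOMAIN in domain:
        # The official name appears inside a different domain.
        return "lookalike domain"
    if "instagram" in display_name.lower():
        # Only the free-text display name mentions Instagram.
        return "display name only"
    return "unrelated sender"

# Constructed sample messages (headers only; bodies omitted).
SAMPLES = {
    "real_shape": "From: Instagram <security@mail.instagram.com>\n"
                  "Subject: Reset your password\n\n",
    "name_spoof": 'From: "Instagram security@mail.instagram.com" '
                  "<reset@account-help.example>\n"
                  "Subject: Reset your password\n\n",
    "lookalike": "From: Instagram "
                 "<security@mail.instagram.com.account-help.example>\n"
                 "Subject: Reset your password\n\n",
    "no_from": "Subject: Reset your password\n\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {classify_sender(raw)}")
```

A matching domain is a necessary check, not proof: the From header itself can be forged, so the simpler rule above still applies to any reset you did not request.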
As a precaution, Instagram recommends that users enable multi-factor authentication, use strong and unique passwords, and regularly review their account security settings. These practices help protect against unauthorized access regardless of whether the trigger for a reset email was a mistake, a bug, or an external attempt to compromise an account.
Data breaches this week
Most of the time these will be companies that you don’t have any personal data with, but scan the names to make sure you aren’t affected.
- Central Maine Healthcare: 145k patients: Central Maine Healthcare Data Breach Impacts 145,000 Individuals
- Eurail travel company: Undisclosed: Traveler Information Stolen in Eurail Data Breach
Do you have an idea for a future newsletter? Please reply to this email and let me know.
Thank you so much!
Sincerely,
Cassie Crossley
Founder, Cyber Safe Center
https://www.cybersafecenter.com