One Bad Password

He spent 24 years building his business. One bad password and a ransomware attack blew it to smithereens.

Fran Finnegan was on vacation in New York just before the Fourth of July weekend when he received a disturbing text message from one of his customers: How come his website was down?

Finnegan quickly found a computer to remotely examine his site, which provides access to millions of documents filed with the Securities and Exchange Commission.

There he discovered a disaster unfolding in front of his eyes in real time. Hackers had breached his site’s security and taken over. He watched helplessly as they encrypted all his files, placing them beyond reach.

How could this happen?

Twenty-four years ago, when Finnegan originally set up his business website, SEC Info, he gave himself administrative privileges so he could manage the system, and protected that access with a password. The password he chose, however, was the same one he used for his Yahoo email account.

That password was probably stolen in a massive hack in 2013 that also compromised the names, email addresses, phone numbers, birth dates and security questions and answers of 3 billion Yahoo account holders.

At the time, Yahoo advised its users to change their Yahoo passwords, but Finnegan had long since forgotten that the same password also protected his administrator account.

“Had I remembered that I was using a password from 24 years ago,” he says, “I certainly would have changed it.”

As he later discovered, beginning on June 26 the attackers made 2.5 million login attempts against his system before they finally hit on the right password. He says the firewall logs established that the attack originated in Russia. A burst of failed logins on that scale against a single account is exactly the pattern that login rate limiting, account lockout, and alerting on authentication failures are meant to catch.
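The pattern described above, a long run of failed logins from one source that ends in a success, is what an authentication or firewall log shows during a brute-force or credential-stuffing attack. The script below is an added example, not code from SEC Info, the LA Times article, or the author of this page. It assumes a simplified, constructed log format (`<ISO time> <src_ip> <user> <SUCCESS|FAIL>`) with made-up IP addresses and timestamps, and flags two things per source: a burst of failures inside a time window, and a successful login that follows such a burst, which is the signal that a password was guessed or replayed from a breach list.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in an assumed format: "<ISO time> <src_ip> <user> <result>".
# The addresses, user name and times are invented for this example; none of it
# is real SEC Info data.
SAMPLE_LOG = """\
2021-06-26T02:00:00 198.51.100.7 admin FAIL
2021-06-26T02:00:01 198.51.100.7 admin FAIL
2021-06-26T02:00:01 198.51.100.7 admin FAIL
2021-06-26T02:00:02 198.51.100.7 admin FAIL
2021-06-26T02:00:02 198.51.100.7 admin FAIL
2021-06-26T02:00:03 198.51.100.7 admin FAIL
2021-06-26T02:00:03 198.51.100.7 admin SUCCESS
2021-06-26T09:15:00 203.0.113.42 admin FAIL
2021-06-26T09:15:20 203.0.113.42 admin SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")


def parse(log_text):
    """Parse log lines into (timestamp, src_ip, user, succeeded) tuples, oldest first.

    Malformed lines are skipped rather than raising, so one bad line in a real
    log does not abort the whole scan.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    events.sort(key=lambda e: e[0])
    return events


def detect(events, threshold=5, window=timedelta(minutes=10)):
    """Return findings keyed by source IP.

    'burst': the source reached `threshold` failures within `window`
             (recorded once, at the moment the threshold was crossed).
    'success_after_failures': a login succeeded while at least `threshold`
             failures from that source were still inside the window; this is
             the brute-force / credential-stuffing success pattern.
    """
    recent = defaultdict(deque)   # src_ip -> timestamps of failures still in the window
    findings = defaultdict(dict)
    for ts, ip, user, ok in events:
        q = recent[ip]
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if ok:
            if len(q) >= threshold:
                findings[ip]["success_after_failures"] = {
                    "user": user, "failures": len(q), "at": ts.isoformat()}
        else:
            q.append(ts)
            if len(q) >= threshold and "burst" not in findings[ip]:
                findings[ip]["burst"] = {"failures": len(q), "at": ts.isoformat()}
    # Only return sources with at least one finding.
    return {ip: f for ip, f in findings.items() if f}


if __name__ == "__main__":
    for ip, f in detect(parse(SAMPLE_LOG)).items():
        for kind, detail in f.items():
            print(f"{ip}: {kind} {detail}")
```

On the constructed log, 198.51.100.7 is reported both for a burst (five failures within seconds) and for a success right after six failures, while 203.0.113.42, one failure followed by a success, is ordinary user behaviour and is not reported. The window and threshold are the knobs to tune against a real log; a source that crosses the threshold is a candidate for blocking or lockout, and a success-after-failures finding is the one that should page someone, because it means the guessing worked.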

The hackers were able to encrypt everything on his servers — not only the database of documents but also Finnegan’s email system and even his list of users and their contact information.

That means that once SEC Info is back in operation, he won’t be able to proactively inform his customers what happened — he’ll have to wait for them to get in touch with him — all 500,000 of them.

“I have to re-create everything, and that takes time. I hope it’s not more than a month, but there’s no way of knowing right now.”

How can you benefit from the unfortunate experience of Fran Finnegan?

☑️ Use a modern password (long, randomly generated, and unique to that account) on every online account. Reuse is what turned a years-old Yahoo breach into a ransomware attack on an unrelated business.

A password manager makes creating and using these kinds of passwords extremely easy.

☑️ Use MFA (multi-factor authentication), such as a YubiKey or an authenticator app, for important or critical websites, and above all for administrator accounts. With a second factor in place, a password that has been leaked or guessed is not enough on its own to log in.

Make it tougher for the bad guys to cause havoc in your life or business.

You deserve to keep what you’ve earned.

Link to the LA Times article below:

— Anthony Collette
