- These are 2019’s “worst password offenders,” according to the password manager Dashlane, which compiled a list of high-profile data-security missteps from the past year.
- Facebook, Google, and WeWork made the list for mistakes that resulted in passwords being left exposed.
- The actress Lisa Kudrow also made the list for accidentally posting a photo on Instagram of her password written on a sticky note.
2019 was a messy year in cybersecurity, with data breaches on the rise and hackers finding new ways to exploit weak passwords.
The vast majority of breaches are due to human error. To commemorate some of the most egregious cybersecurity errors of the past year, the password manager Dashlane published a list on Tuesday of 2019’s “worst password offenders.”
Multibillion-dollar tech giants like Facebook, Google, and WeWork made the list for security breaches that affected thousands of users, while celebrities like Ellen DeGeneres and Lisa Kudrow were featured for high-profile password flubs.
Keeping good password habits can feel inconvenient, but taking just a few straightforward steps can prevent your accounts from becoming low-hanging fruit for hackers.
Here's who made Dashlane's list of the year's worst password offenders, along with the stories behind their password infamy.
10. People named Ashley
Your password should never be a single, easily guessed word, especially one traceable to your identity. For that reason, using a first name as a password is a huge security mistake.
That didn't stop 432,276 people from using "Ashley" as their password, a study published by the UK's National Cyber Security Center in April found. "Ashley" was the most common name password, followed by "Michael," "Daniel," and "Jessica."
9. Ellen DeGeneres
The "Ellen" host's official Instagram account was hacked in August, and hackers used it to promote fake giveaways, according to Deadline.
In a joking tweet, DeGeneres said hackers guessed that her account password was "password."
My Instagram account was hacked last night (despite my clever password “password”). We apologize, and we thank everyone who brought it to our attention. I’m going back to sleep now.
— Ellen DeGeneres (@EllenDeGeneres) August 23, 2019
8. Shenzhen i365 GPS trackers
More than 600,000 GPS trackers sold by the Chinese company Shenzhen i365 Tech on Amazon and other e-commerce sites had major security vulnerabilities, Avast found. The GPS trackers, which were marketed to parents who wanted to keep track of their kids, came with the default password "123456." Any hacker who could guess the password could remotely log in to the devices and lock owners out.
7. Virgin Media
When a cybersecurity researcher was trying to reset his Virgin Media password earlier this year, he found that Virgin sent his password in plain text via email, a startlingly insecure, unencrypted way to communicate passwords.
After he notified Virgin of the vulnerability on Twitter, Virgin's official account seemed to brush off the complaint:
Posting it to you is secure, as it's illegal to open someone else's mail. ^JGS
— Virgin Media ❤️ (@virginmedia) August 17, 2019
"Yes, because criminals don't break laws, right?" Matthew Hughes quipped in an article for The Next Web. "By that logic, why should I lock my front door? After all, burglary is illegal."
6. Elsevier
A cybersecurity researcher found that Elsevier, which publishes scientific and medical journals, had stored people's usernames and passwords in plain text on an unprotected server on its website, meaning anyone who found the page could instantly access the passwords.
The company told Vice that the exposure was due to human error and that it would notify all parties affected.
5. WeWork
The embattled real-estate startup used one password for its entire global WiFi network, Fast Company reported. The outlet didn't disclose what the password was but noted that it "has regularly appeared on lists of the worst passwords that anyone can possibly choose." Fast Company said WeWork declined its request for comment.
4. Republican Rep. Lance Gooden of Texas
During Mark Zuckerberg's testimony before the House of Representatives in October, footage caught Gooden entering his phone password, which appeared to be "777777."
Gooden addressed the footage on Twitter, joking that he has the same password practices as Kanye West, who appeared to input "000000" as his iPhone password during a White House meeting with President Donald Trump.
Just another thing @kanyewest and I have in common. https://t.co/Vcffb2euxG
— Lance Gooden (@Lancegooden) October 24, 2019
3. Lisa Kudrow
The "Friends" star went mildly viral in May when she posted a selfie with her computer. The post was meant to show off a Deadline article about her next role, but it included a sticky note with her password written in pen.
After fans pointed out the mistake, Kudrow removed the post. She later made a similar, joking post featuring a sticky note displaying her "new password."
http://instagr.am/p/Bx0GrHPHLDb
2. Google
Google announced in May that it had stored some G Suite users' passwords in unencrypted plain text since 2005.
"'Accidents' like this have major implications for platforms and their users; breaches can go undetected for years, so you never know when an account might have been exposed," Dashlane wrote in its post naming Google the second-worst password offender of 2019.
In a blog post, Google apologized for failing to "live up to our own standards."
1. Facebook
Dashlane cited three incidents that placed Facebook at the top of its "worst offenders" list.
In March, Facebook admitted that it stored hundreds of millions of passwords in plain text. In April, the company said it had harvested users' contacts without their consent. In September, Facebook acknowledged a separate instance of exposing users' phone numbers.
"For a company under increasing scrutiny for how it handles (or mishandles) user data and security, it sure needs a poke in the ribs," Dashlane said.