2021 broke records for data breaches by September 30, with additional breaches in the late autumn and winter furthering the year's high amount of cybersecurity incidents.

In response, Dashlane announced its sixth annual list of 2021’s Worst Password Offenders, chronicling organizations whose password mishaps led to severe cybersecurity issues.


A leaked password led to the high-profile breach of Solarwinds. In February 2021, current and former SolarWinds execs reported that an intern had used the password "solarwinds123," which was revealed online.


The Compilation of Many Breaches (COMB) is the result of an online hacking forum posting over three billion unique emails and passwords gathered from past leaks at Netflix, LinkedIn, Bitcoin and more. With 4.7 billion people online, COMB included the data of nearly 70% of global internet users.


After an international hacker collective breached its systems with a username and password found on the internet, they accessed Verkada customer cameras, which ranged from Tesla’s factories and warehouses to Equinox gyms, hospitals, jails and schools.

Further breaches included in the list are:

  • RockYou2021: A forum user posted a massive 100 GB TXT file that contained 8.4 billion passwords.
  • Facebook: 533 million Facebook users were exposed in this data breach.
  • Ticketmaster: Employees utilized unlawfully obtained passwords to hack a rival company’s computer systems. The ticket sales and distribution company paid a $10 million fine from the hack.
  • GoDaddy/WordPress: In 2021, the data of up to 1.2 million of its customers was exposed after hackers gained access to the company's managed WordPress hosting environment.
  • ActMobile Networks: ActMobile Networks, which operates several VPN brands, continues to deny the compromise of 45 million user records that included email addresses, encrypted passwords, full name and username; 281 million user device records including IP address, county code, device and user ID; and 6 million purchase records including the product purchased and receipts.
  • DailyQuiz.me: 8.3 million user credentials were stolen in a cyberattack. The attackers exfiltrated the site’s database, which was then offered for sale on underground forums and Telegram channels. The database contents include plaintext passwords, emails and IP addresses. 
  • New York City Law Department: New York City’s Law Department holds some of the city’s most closely guarded secrets: evidence of police misconduct, the identities of young children charged with serious crimes, plaintiffs’ medical records and personal data for thousands of city employees. But all it took for a hacker to infiltrate the 1,000-lawyer agency’s network in June was one worker’s stolen email password.

For further insights on password security, visit Dashlane's midyear report.