Facing charges that include money laundering and conspiracy against the United States, Paul Manafort surrendered himself to the FBI this Monday. Manafort is considered innocent of those charges until proven guilty in a court of law, of course, but he's already been found guilty of a pair of cybersecurity transgressions: choosing bad passwords and re-using those passwords across multiple accounts.
A security researcher who operates under the handle Krypt3ia got hold of a massive trove of data that included emails from Manafort himself. The source: a successful hack of his daughter's cell phone. A second researcher who spoke with Motherboard took Manafort's email address and started digging.
The address turned up in a few places -- notably the Adobe and Dropbox breaches that spilled details on 150 million and 68 million accounts respectively. The passwords associated with the Manafort accounts were encrypted, but the researcher was able to figure them out thanks to some painfully transparent password hints that were in the dump.
Manafort, it seems, had used the same password as some other Adobe users. Those users had set reminders like "secret agent" and "James Bond." With the help of a common security tool, the researcher quickly determined that "bond007" was the password.
Now, combining letters and numbers when you create a password is certainly a good idea. Those letters and numbers in that particular order, however... Not so much. It's also not a great practice to use a password that almost certainly isn't going to be unique.
Compounding his security woes: Manafort's email address and bond007 also appeared to be valid credentials for a Dropbox account. Hopefully, you're well aware by now that you should avoid re-using passwords at all costs. Doing so just makes it that much easier for cybercriminals to break into your accounts.
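The two failures described above, a site storing passwords so that every user with the same password gets the same stored value (so one user's hint unmasks everyone in the group, including an account that set no hint at all), and a password being accepted even though it already sits in public breach lists, can be shown side by side in a few dozen lines. The following is an added example written for this article; it is not code from the article, from the researchers it mentions, or from Adobe or Dropbox. The user table and the "known breached" list are constructed sample data, and an unsalted SHA-256 stands in for the deterministic encryption used in the real breach, since only the property "same password, same stored value" matters here.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Optional

# Constructed sample of a breached user table: (email, password, password hint).
# The last account mirrors the case in the article: no hint of its own.
SAMPLE_USERS = [
    ("alice@example.com", "bond007", "James Bond"),
    ("bob@example.com", "bond007", "secret agent"),
    ("carol@example.com", "correct horse battery", "xkcd"),
    ("target@example.com", "bond007", ""),
]

PBKDF2_ROUNDS = 200_000


def deterministic_token(password: str) -> str:
    """Stand-in for deterministic/reversible storage: identical passwords
    always produce identical stored values, so the stored value itself
    groups users by password (an unsalted hash models this property)."""
    return hashlib.sha256(password.encode()).hexdigest()


def hints_leaked_to(users, email):
    """Under deterministic storage, collect every hint that other users in
    the same token group published. Returns (sorted hints, group size)."""
    clusters = defaultdict(lambda: {"emails": [], "hints": set()})
    for user_email, password, hint in users:
        entry = clusters[deterministic_token(password)]
        entry["emails"].append(user_email)
        if hint:
            entry["hints"].add(hint)
    for entry in clusters.values():
        if email in entry["emails"]:
            return sorted(entry["hints"]), len(entry["emails"])
    return [], 0


def salted_record(password: str, salt: Optional[bytes] = None):
    """Mitigation: a per-user random salt plus a slow KDF. The same password
    yields a different record for every user, so no grouping is possible."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def largest_salted_cluster(users) -> int:
    """Repeat the grouping attempt against salted records; the largest
    group is always 1 because every digest is unique."""
    groups = defaultdict(list)
    for user_email, password, _ in users:
        _, digest = salted_record(password)
        groups[digest].append(user_email)
    return max(len(members) for members in groups.values())


# Constructed stand-in for a public list of breached password hashes (SHA-1,
# upper-case hex, the same shape as the well-known range-query services use).
KNOWN_BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("bond007", "password", "123456")
}


def is_known_breached(password: str) -> bool:
    """Reuse check modelled on a k-anonymity range query: only the first five
    hex characters of the hash would leave the client; matching on the
    remaining suffix happens locally against the returned candidates."""
    full = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = full[:5], full[5:]
    candidates = {h[5:] for h in KNOWN_BREACHED_SHA1 if h.startswith(prefix)}
    return suffix in candidates


if __name__ == "__main__":
    hints, group = hints_leaked_to(SAMPLE_USERS, "target@example.com")
    print(f"deterministic storage: {group} accounts share a token; inherited hints = {hints}")
    print(f"salted storage: largest identifiable group = {largest_salted_cluster(SAMPLE_USERS)}")
    for pw in ("bond007", "correct horse battery"):
        print(f"{pw!r} already in breach list: {is_known_breached(pw)}")
```

Running it shows the account that set no hint still "receives" the hints "James Bond" and "secret agent" from the other two members of its group under deterministic storage, while the salted records cannot be grouped at all. The breach-list check is the control a signup or password-change form should run before accepting a value like bond007; rejecting known-leaked passwords removes most of the benefit an attacker gets from the re-use habit the article describes.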
Security researchers have shown that people who do re-use passwords often do it more than once... so we may yet hear that bond007 unlocked other Manafort accounts, too.