Last week, Twitter asked users to reset their password as a precaution, after they found a bug in how they stored passwords.
The social platform is far from alone. In March, MyFitnessPal, a diet and fitness app owned by Under Armour, revealed that data from 150 million user accounts had been compromised, possibly including scrambled passwords.
For years, cybersecurity experts have warned about needing to move away from passwords, which many people reuse across accounts, leaving them vulnerable to hackers.
"The average person has probably more than 100 accounts online that they've got to maintain a password with," said Caleb Barlow, an IBM Security vice president.
"What ultimately happens is everybody comes up with some sort of schema and they end up reusing these passwords site after site after site," he said. "The challenge with that is once one site is breached and that password becomes available, it doesn't take much for the bad guys to pivot to the next site, and try the same user ID and password."
The average person uses between eight and 12 passwords, according to Charles Henderson, a global managing partner with IBM Security's X-Force Red, a team which companies pay to test their security.
"We knew passwords were a bad idea 20 years ago. Yet, here we are today," Henderson said.
Henderson's team at IBM built a special machine called Cracken that can crack passwords up to 14 characters in under 5 minutes. The technology is similar to what cyber criminals use.