Tag Archives: Cybercrime/Hacking

T-Mobile Says Hackers Stole Data on About 37 Million Customers

T-Mobile US Inc. said hackers accessed data, including birth dates and billing addresses, for about 37 million of its customers, the second major security lapse at the wireless company in two years.

The company said in a regulatory filing Thursday that it discovered the problem on Jan. 5 and was working with law-enforcement officials and cybersecurity consultants. T-Mobile said it believes the hackers had access to its data since Nov. 25 but that it has since been able to stop the malicious activity.

The cellphone carrier said it is currently notifying affected customers and that it believes the most sensitive types of records—such as credit card numbers, Social Security numbers and account passwords—weren’t compromised. T-Mobile has more than 110 million customers.

The company said its preliminary investigation indicates that data on about 37 million current postpaid and prepaid customer accounts was exposed. The company said hackers may have obtained names, billing addresses, emails, phone numbers, birth dates and account numbers. Information such as the number of lines on the account and plan features could have also been accessed, the company said.

“Some basic customer information (nearly all of which is the type widely available in marketing databases or directories) was obtained,” T-Mobile said in a statement. “No passwords, payment card information, social security numbers, government ID numbers or other financial account information were compromised.”

The company said its systems weren’t breached but someone was improperly obtaining data through an API, or application programming interface, that can provide some customer information. The company said it shut down the activity within 24 hours of discovering it.

The company’s investigation into the incident is ongoing. T-Mobile warned that it could incur significant costs tied to the incident, though it said it doesn’t currently expect a material effect on the company’s operations. The company is set to report fourth-quarter results on Feb. 1.

T-Mobile acknowledged a security lapse in 2021 after personal information regarding more than 50 million of its current, former and prospective customers was found for sale online. T-Mobile later raised its estimate and said about 76.6 million U.S. residents had some sort of records exposed.

A 21-year-old American living in Turkey claimed credit for the 2021 intrusion and said the company’s security practices cleared an easy path for the theft of the data, which included Social Security numbers, birth dates and phone-specific identifiers. T-Mobile’s chief executive later apologized for the failure and said the company would improve its data safeguards.

T-Mobile proposed paying $350 million to settle a class-action lawsuit tied to the 2021 hack. As part of the settlement, the company also pledged to spend $150 million for security technology in 2022 and this year.

Write to Will Feuer at Will.Feuer@wsj.com

Corrections & Amplifications
T-Mobile US Inc. acknowledged a security lapse in 2021. An earlier version of this article incorrectly said it was last year. (Corrected on Jan. 19)

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8


Apple Plans New Encryption System to Ward Off Hackers and Protect iCloud Data

Apple Inc. is planning to significantly expand its data-encryption practices, a step that is likely to create tensions with law enforcement and governments around the world as the company continues to build new privacy protections for millions of iPhone users.

The expanded end-to-end encryption system, an optional feature called Advanced Data Protection, would keep most data secure that is stored in iCloud, an Apple service used by many of its users to store photos, back up their iPhones or save specific device data such as Notes and Messages. The data would be protected in the event that Apple is hacked, and it also wouldn’t be accessible to law enforcement, even with a warrant.

While Apple has drawn attention in the past for being unable to help agencies such as the Federal Bureau of Investigation access data on its encrypted iPhones, it has been able to provide much of the data stored in iCloud backups upon a valid legal request. Last year, it responded to thousands of such requests in the U.S., according to the company. 

With these new security enhancements, Apple would no longer have the technical ability to comply with certain law-enforcement requests such as for iCloud backups—which could include iMessage chat logs and attachments and have been used in many investigations.

Photo caption: Apple has added additional methods to help users recover their end-to-end encrypted data. (Photo: Apple)

The company said the security enhancements, which were announced Wednesday, are designed to protect Apple customers from the most sophisticated attackers.

“As customers have put more and more of their personal information of their lives into their devices, these have become more and more the subject of attacks by advanced actors,” said Craig Federighi, Apple’s senior vice president of software engineering, in an interview. Some of these actors are going to great lengths to get their hands on the private information of people they have targeted, he said.

The FBI said it was “deeply concerned with the threat end-to-end and user-only-access encryption pose,” according to a statement provided by an agency spokeswoman. “This hinders our ability to protect the American people from criminal acts ranging from cyberattacks and violence against children to drug trafficking, organized crime and terrorism,” the statement said. The FBI and law enforcement agencies need “lawful access by design,” it said.

A spokesman for the Justice Department declined to comment.

Former Western law-enforcement and intelligence officials said they were surprised by Apple’s decision in part because the company had refrained in the past from rolling out such encryption settings for iCloud. The officials said Apple would sometimes point authorities to the iCloud as a possible means of collecting information that could be useful for criminal investigations.

Ciaran Martin, former chief of the U.K.’s National Cyber Security Centre, said the announcement by Apple could pose legal complications for the company in multiple democracies that in recent years have adopted or weighed restrictions on technology that can’t be responsive to law-enforcement demands.

“Things will only be clearer when further technical details are given,” Mr. Martin said. “But on the face of it, existing legislation in Australia and looming legislation in the U.K. would seem to give those governments the power to tell Apple in those countries effectively not to do this.”

Last year, Apple proposed software for the iPhone that would identify child sexual-abuse material on the iPhone. Apple now says it has stopped development of the system, following criticism from privacy and security researchers who worried that the software could be misused by governments or hackers to gain access to sensitive information on the phone.


Mr. Federighi said Apple’s focus related to protecting children has been on areas such as communication and giving parents tools to protect children in iMessage. “Child sexual abuse can be headed off before it occurs,” he said. “That’s where we’re putting our energy going forward.”

Apple released a feature in December 2021 called “Communication Safety” in Messages, which offers tools for parents that warn their children when they have received or attempt to send photos that contain nudity. The option is part of Apple’s “Screen Time” parental-controls software.

The new encryption system, to be tested by early users starting Wednesday, will roll out as an option in the U.S. by year’s end, and then worldwide including China in 2023, Mr. Federighi said.

“This development will prompt questions at home and abroad, including whether the government of China will really accept a loss of data access,” said Sumon Dantiki, a former senior FBI and Justice Department official who worked on cyber investigations and is now a partner at the King & Spalding law firm. U.S. officials have long pointed to China’s increasingly strict demands for access to data on companies that operate within its borders as a national-security concern.

In addition to Advanced Data Protection, Apple is also modifying its Messages app to make it harder for messages to be snooped on, and it will now allow users to log in to their Apple accounts with hardware-based security keys made by other companies such as Yubico.

Privacy groups have long called on Apple to strengthen encryption on its cloud servers. But because the Advanced Protection encryption keys will be controlled by users, the system will restrict Apple’s ability to restore lost data. 


To set up Advanced Data Protection, users will have to enable at least one data-recovery method. This could be a recovery key—a long list of numbers and characters that users could print out and store in a secure location—or the user could assign a friend or family member as a recovery contact.  

Over the past two decades, businesses and consumers have moved much of their data off computer systems that they control and onto the cloud—data centers filled with servers that are operated by large technology companies. That trend has made these cloud systems an attractive target for cyber intruders. 

Mr. Federighi said that Apple isn’t aware of any customer data being taken from iCloud by hackers but that the Advanced Protection system will make things harder for them. “All of us in the industry who manage customer data are under constant attack by entities that are attempting to breach our systems,” he said. “We have to stay ahead of future attacks with new protections.”

As Apple has locked down its systems, governments worldwide have become increasingly interested in the data stored on phones and cloud computers. That interest has led to friction between Apple and law-enforcement agencies, along with a growing market for iPhone hacking tools. In 2020, Attorney General William Barr pressured Apple for a way to crack the iPhone’s encryption to help with a terror investigation into a shooting that killed three people at a Florida Navy base.

Advanced Protection will reduce the amount of iCloud information that Apple can provide to law-enforcement agencies, who frequently request iPhone data from Apple as part of their investigations. Apple received requests for information on 7,122 Apple accounts from U.S. authorities in the first six months of 2021, the last period for which the company has provided information.

Apple had already offered end-to-end encryption for some of its services, but the protection will now extend to 23 services, including iPhone backups and Photos. However, three services—Mail, Contacts and Calendar—won’t qualify for Advanced Protection because they use older technology protocols, Mr. Federighi said.

Mr. Federighi said Apple believes it shares the same mission as law enforcement and governments: keeping people safe. If sensitive information were to get in the hands of an attacker, a foreign adversary or some other bad actor, it could be disastrous, he said. 

“We’re giving users the option to keep that key only on their devices, which means that even if an attacker were to successfully breach the cloud and access all that data, it would be nonsense to them,” Mr. Federighi said. “They’d lack the key to decrypt it.”


Justice Department Targets ‘Spoofing’ and ‘Scalping’ in Short-Seller Investigation

Federal prosecutors are investigating whether short-sellers conspired to drive down stock prices by sharing damaging research reports ahead of time and engaging in illegal trading tactics, people familiar with the matter said.

The U.S. Justice Department has seized hardware, trading records and private communications in an effort to prove a wide-ranging conspiracy among investors who bet against corporate shares, the people said. One tactic under investigation is “spoofing,” an illegal ploy that involves flooding the market with fake orders in an effort to push a stock price up or down, they said. Another is “scalping,” where activist short-sellers cash out their positions without disclosing it.


Cyberattack on News Corp, Believed Linked to China, Targeted Emails of Journalists, Others

News Corp was the target of a hack that accessed emails and documents of some employees, including journalists, an incursion the company’s cybersecurity consultant said was likely meant to gather intelligence to benefit China’s interests.

The attack, discovered on Jan. 20, affected a number of publications and business units including The Wall Street Journal and its parent Dow Jones; the New York Post; the company’s U.K. news operation; and News Corp headquarters, according to an email the company sent to staff Friday.

News Corp said it notified law enforcement and hired cybersecurity firm Mandiant Inc. to support an investigation.

“Mandiant assesses that those behind this activity have a China nexus, and we believe they are likely involved in espionage activities to collect intelligence to benefit China’s interests,” said David Wong, vice president of incident response at Mandiant.

News Corp disclosed the hack in a securities filing Friday, saying its preliminary analysis indicates that data was taken.

Representatives for the Chinese Embassy in Washington didn’t immediately respond to requests for comment.

News Corp said in the memo to staff it believes the threat activity is contained. The company has been offering guidance to affected employees.

“We are committed to protecting our journalists and sources. We will not be deterred from our purpose—to provide uniquely trusted journalism and analysis. We will continue to publish the important stories of our time,” said Almar Latour, chief executive of Dow Jones and publisher of The Wall Street Journal.

The company’s investigation indicates that systems housing financial and customer data, including subscriber information, weren’t affected, according to the securities filing and a person familiar with the matter.

Law-enforcement officials and cybersecurity experts say that journalists are often high-priority targets for hackers seeking to gain intelligence on behalf of foreign governments, because they speak to sources who might have valuable or sensitive information. Powerful surveillance tools have been used against journalists and human-rights activists.

U.S. authorities have accused China-based hackers for years of targeting a range of American businesses and government institutions. FBI Director Christopher Wray said this week that Beijing is running a “massive, sophisticated hacking program that is bigger than those of every other major nation combined.” The FBI has more than 2,000 active investigations related to allegations of Chinese-government-directed theft of U.S. information or technology, Mr. Wray said.

China has repeatedly denied allegations that it has carried out cyberattacks.

In 2013, Chinese hackers trying to monitor news coverage of China hacked into the Journal’s network, apparently aiming to spy on reporters covering China and other issues, the Journal reported. The New York Times had experienced a similar attack. At the time, a Chinese embassy spokesman condemned allegations of Chinese cyberspying and said Beijing prohibits cyberattacks.

In February 2020, China revoked the press credentials of three Journal reporters based in Beijing. China’s Foreign Ministry said the move was punishment for an opinion piece published by the Journal. The three journalists work for the Journal’s news operation, which operates with a strict separation from the opinion staff.

The following month, the Trump administration announced a personnel cap in the U.S. on four state-run Chinese media outlets. Later that March, China expelled from the country American journalists from multiple news organizations, including the Journal.

In November 2021, each country agreed to ease visa restrictions for the other’s reporters. The Journal was among a handful of U.S. outlets set to receive new press credentials for some staff.

Write to Alexandra Bruell at alexandra.bruell@wsj.com and Sadie Gurman at sadie.gurman@wsj.com


Biden Administration Orders Federal Agencies to Fix Hundreds of Cyber Flaws

WASHINGTON—The Biden administration on Wednesday issued a sweeping new order mandating that nearly all federal agencies patch hundreds of cybersecurity vulnerabilities that are considered major risks for damaging intrusions into government computer systems.

The new requirement is one of the most wide-reaching cybersecurity mandates ever imposed on the federal government. It covers about 200 known security flaws identified by cybersecurity professionals between 2017 and 2020 and an additional 90 discovered in 2021 alone that have generally been observed being used by malicious hackers. Those flaws were listed in a new federal catalog as carrying “significant risk to the federal enterprise.”


Twitch Data Leak Shows Some Streamers Make Hundreds of Thousands Per Month

Leaked data this week from the streaming platform Twitch Interactive revealed that some people can make six-figure monthly incomes from playing videogames in front of a live online audience.

A user of the online chat forum 4chan claimed to have access to the payout information, and several people who called themselves Twitch streamers said many of the figures were consistent with what they had earned. Others said the figures didn’t paint a full picture of their earnings, in part because they didn’t appear to take into account what they make when streaming as part of a group or from third parties.

Twitch broadcasters’ earnings and other company information that was claimed to have been accessed were made public Wednesday. The 4chan user posted the information there to hurt the Amazon.com Inc. unit’s business, the user wrote.

Twitch confirmed a data leak but declined to comment on what information was accessed.

Such data hasn’t been disclosed by Twitch, which was founded in 2011 and acquired by Amazon in 2014 for $970 million in cash. Though the platform is best known for its videogame streamers, many others broadcast themselves playing tabletop games and music, making crafts, exercising and more. One of its most popular categories is called Just Chatting, where streamers discuss all sorts of topics.

Last month, people spent 1.7 billion hours watching Twitch, which is up more than 20% from a year earlier, according to StreamElements, a provider of tools and services for content creators.

The leak announced on 4chan identifies streamers’ monthly revenue-sharing payments from Twitch since August 2019. Last month alone, a videogame streamer in Canada earned approximately $705,000 from the platform, while a group of Dungeons & Dragons players brought in roughly $311,000.

Twitch streamers typically generate revenue from paid subscriptions to their channels and through the platform’s ad-sharing program, which requires certain viewer metrics. For the most popular streamers, Twitch may cut special deals to prevent them from streaming on competing services.

Separately, some Twitch streamers earn income from viewer tips through third-party services as well as sponsorship agreements with brands such as State Farm Insurance. And large videogame publishers, including Electronic Arts Inc. and Activision Blizzard Inc., pay popular Twitch streamers tens of thousands of dollars apiece to play their latest releases on launch day.

Tanya DePass, a 48-year-old Twitch streamer in Chicago who is sponsored by videogame-accessories maker Logitech G, said the data leak is “wildly inaccurate” for those reasons. Further, she said her Twitch earnings vary greatly from month to month. In June 2020, her channel blew up in popularity, which resulted in her receiving her biggest paycheck ever from Twitch a month later.

Ms. DePass, who is Black, attributed the jump to a sudden interest among viewers in Black streamers in response to the murder of George Floyd, a Black man whose 2020 death in police custody was captured on video that went viral. “Anger over George Floyd’s murder mobilized folks to realize we exist,” she said.

Ms. DePass streams herself playing videogames and tabletop games for 10 to 25 hours a week under the name Cypheroftyr. She said she was frustrated by the leak because she thinks it gives people the false impression that streaming is an easy way to make lots of money. In reality, she said it takes a lot of work to promote her channel, keep viewers constantly engaged and handle administrative tasks. Ms. DePass also has had to grapple with racist and sexist taunts. “It’s just exhausting,” she said.

The 4chan user who allegedly posted the Twitch data labeled it “part one,” suggesting there might be more to come.

Write to Sarah E. Needleman at sarah.needleman@wsj.com

Copyright ©2021 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8


Kabul Airport Explosions Kill Four U.S. Marines, at Least 60 Afghans

At least 60 Afghans and four U.S. Marines were killed in explosions at the Kabul airport, as two blasts ripped through crowds trying to enter the American-controlled facility on Thursday, disrupting the final push of the U.S.-led evacuation effort.

The U.S. envoy in Kabul told embassy staff there that four U.S. Marines were killed in the attack at the city’s airport and three wounded, a U.S. official with knowledge of the briefing said. A senior Afghan health official put the death toll among local civilians at 60, with many more fighting for their lives.

Those were the first U.S. military combat fatalities in Afghanistan since February 2020, when the Trump administration and the Taliban signed in Doha, Qatar, an agreement on withdrawing American troops.

The number of U.S. casualties is expected to rise.

At the time of the attack, approaches to the airport’s gates were packed by thousands of Afghans who feared persecution by the Taliban because they had assisted U.S.-led coalition efforts in the country over the past two decades. While no group claimed immediate responsibility, Western governments warned earlier Thursday of an imminent attack by Islamic State’s regional affiliate.


T-Mobile Data Hack: What We Know and What You Need to Do

The breach of T-Mobile US Inc. allowed hackers to steal information about more than 54 million people and potentially sell the data to digital fraudsters and identity thieves.

Here is what we know about the hack, which data was stolen and what customers should do to protect themselves.

What was the T-Mobile data breach?

T-Mobile said it learned late last week that an individual in an online forum claimed to have breached its systems and was attempting to sell stolen customer data. The company confirmed on Aug. 16 that it was hacked, later adding that attackers made off with personal data from 54 million people. Those victims include 7.8 million current postpaid customers, T-Mobile said, and about 46 million former and prospective customers who applied for plans.

While U.S. officials have warned of an uptick in ransomware attacks in recent months, T-Mobile’s hackers didn’t lock up the company’s systems and demand payment. Instead, attackers broke into the company’s servers through an open access point, stole data and have since tried to sell different sets of the information online for between $80,000 and $270,000 worth of bitcoin.

The attack is the latest and most severe in a string of cybersecurity incidents at the company, said Allie Mellen, a cybersecurity analyst at research firm Forrester Inc.


Biden Administration Blames Hackers Tied to China for Microsoft Cyberattack Spree

WASHINGTON—The Biden administration Monday publicly blamed hackers affiliated with China’s main intelligence service for a far-reaching cyberattack on Microsoft Corp. email software this year, part of a global effort to condemn Beijing’s malicious cyber activities.

In addition, four Chinese nationals, including three intelligence officers, were indicted over separate hacking activity.

The U.S. government has “high confidence” that hackers tied to the Ministry of State Security, or MSS, carried out the unusually indiscriminate hack of Microsoft Exchange Server software that emerged in March, senior officials said.

“The United States and countries around the world are holding the People’s Republic of China (PRC) accountable for its pattern of irresponsible, disruptive, and destabilizing behavior in cyberspace, which poses a major threat to our economic and national security,” Secretary of State Antony Blinken said. The MSS, he added, had “fostered an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain.”

The U.K. and European Union joined in the attribution of the Microsoft email hack, which rendered an estimated hundreds of thousands of mostly small businesses and organizations vulnerable to cyber intrusion. But the public shaming did not include punitive measures, such as sanctions or diplomatic expulsions, a contrast with how the administration recently punished Russia for a range of alleged malicious cyber activity.

The U.S.-led announcement is the most significant action from the Biden administration to date concerning China’s yearslong campaign of cyberattacks against the U.S. government and American companies, often involving routine nation-state espionage and the theft of valuable intellectual property such as naval technology and coronavirus-vaccine data.

Photo caption: The Microsoft hack made an estimated hundreds of thousands of mostly small businesses and organizations vulnerable to cyber intrusion. (Photo: Steven Senne/Associated Press)

The Justice Department made public Monday a grand jury indictment from May that charged four Chinese nationals and residents working with the Ministry of State Security of being engaged in a hacking campaign from 2011 to 2018 intended to benefit China’s companies and commercial sectors by stealing intellectual property and business information. The indictment didn’t appear directly related to the Microsoft Exchange Server breach, but accused the hackers of stealing information from companies and universities about Ebola virus research and other topics to benefit the Chinese government and Chinese companies.

Attributing the Microsoft hack to China was part of a broader global censure Monday of Beijing’s cyberattacks by the U.S., the European Union, the U.K., Canada, Australia, New Zealand, Japan and the North Atlantic Treaty Organization, or NATO. While statements varied, the international cohort generally called out China for engaging in harmful cyber activity, including intellectual property theft. Some accused the MSS of using criminal contractors to conduct unsanctioned cyber operations globally, including for their own personal profit.

U.S. authorities have accused China of widespread hacking targeting American businesses and government agencies for years. China has historically denied the allegations. A spokesman for the Chinese Embassy in Washington didn’t immediately respond to a request for comment.

The Exchange Server hack was disclosed by Microsoft in March alongside a software patch to fix the bugs being exploited in the attack. Microsoft at the time identified the culprits as a Chinese cyber-espionage group with state ties that it refers to as Hafnium, an assessment that was supported by other cybersecurity researchers. The Biden administration hadn’t offered attribution until now, and is essentially agreeing with the conclusions of the private sector and providing a more detailed identification.

The attack on the Exchange Server systems began slowly and stealthily in early January by hackers who in the past had targeted infectious-disease researchers, law firms and universities, according to cybersecurity officials and analysts. But the operational tempo appeared to intensify as other China-linked hacking groups became involved, infecting thousands of servers as Microsoft worked to send its customers a software patch in early March.

Also on Monday, the National Security Agency, Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency jointly published technical details of more than 50 tactics and techniques favored by hackers linked to the Chinese government, the official said. The release of such lists is common when the U.S. exposes or highlights malicious hacking campaigns and is intended to help businesses and critical infrastructure operators better protect their computer systems.



Cybersecurity experts have been pressing the Biden administration for months to respond to China’s alleged involvement in the Microsoft email hack. Cybersecurity expert Dmitri Alperovitch, with the Silverado Policy Accelerator think tank, said the coordinated global condemnation of China was a welcome and overdue development.

“The Microsoft Exchange hacks by MSS contractors is the most reckless cyber operation we have yet seen from the Chinese actors—much more dangerous than the Russian SolarWinds hacks,” said Mr. Alperovitch, referring to the widespread cyber-espionage campaign detected last December that, along with other alleged activities, prompted a suite of punitive measures against Moscow.

Mr. Alperovitch criticized the lack of any sanctions being levied against China and said it raised questions about why Beijing appeared to be evading harsher penalties, especially compared with those slapped on Russia.

“Failure to sanction any PRC-affiliated actors has been one of the most prolific and baffling failures of our China policy that has transcended administrations,” Mr. Alperovitch said, referring to the People’s Republic of China. Monday’s public shaming without further punishment “looks like a double standard compared with actions against Russian actors. We treat China with kid gloves.”

The senior administration official said the Biden administration was aware that no single action was capable of changing the Chinese government’s malicious cyber behavior, and that the focus was on bringing countries together in a unified stance against Beijing. The list of nations condemning China on Monday was “unprecedented,” the official said, noting it was the first time NATO itself had specifically done so.

“We’ve made clear that we’ll continue to take actions to protect the American people from malicious cyber activity, no matter who’s responsible,” the official said. “And we’re not ruling out further actions to hold the PRC accountable.”

The new indictment said that members of a provincial branch of China’s intelligence service in the southern Hainan Province created a front company that described itself as an information security company and directed its employees to hack dozens of victims in the U.S., Austria, Cambodia and several other countries.

The defendants, three of whom are described as intelligence officers, aren’t in U.S. custody. Some cybersecurity experts have said indictments against foreign state-backed hackers often have little impact, because the accused are rarely brought before an American courtroom. U.S. officials have defended the practice, saying it helps convince allied governments, the private sector and others about the scope of the problem.

The group is accused of hacking into dozens of schools, companies, and government agencies around the world, ranging from a research facility in California and Florida focused on virus treatments and vaccines, to a Swiss chemicals company that produces maritime paints, to a Pennsylvania university with a robotics engineering program and the National Institutes of Health, to two Saudi Arabian government ministries. The companies and universities aren’t named in the indictment.

The hackers allegedly used fake spear-phishing emails and stored stolen data on GitHub, the indictment said. They coordinated with professors at a Chinese university, including to identify and recruit hackers for their campaign, it said. The alleged NIH breach dates to August 2013, the indictment said.


Write to Dustin Volz at dustin.volz@wsj.com and Aruna Viswanatha at Aruna.Viswanatha@wsj.com


How Google and Apple’s Free Password Managers Compare With 1Password, Dashlane and Others

With ransomware attacks on the rise—and compromised passwords to blame for some of the hackings—there’s no better time to review your personal security practices.

It all starts with how you create and store passwords.

You may have read a thing or two about password managers, perhaps in my previous column on the subject.

This software can create strong randomized passwords, then remember them for you, and they can auto-fill credentials, simplifying the login process. Having unique passwords is critical to your online security: Around 25% of security breaches in 2020 involved the use of stolen usernames and passwords, according to a Verizon report published in May.

In this column, I’m comparing the two main types:
