Concise Cyber


Study Confirms Public Social Media Data Directly Linked to Password Breaches

A recent study published by researchers at the Stevens Institute of Technology has established a direct correlation between publicly shared social media information and compromised user passwords. The research analyzed a dataset of over 20 million breached credentials, revealing how attackers systematically leverage personal data to gain unauthorized account access.

The findings detail a method where malicious actors are no longer relying solely on common password lists. Instead, they are actively scraping public profiles for personal details to create highly customized wordlists, a technique the researchers have termed a social dictionary attack.

The Mechanism of Socially-Engineered Attacks

According to the report, automated tools are used to gather information that users freely share online. This includes data points such as the names of children, pets, and significant others, as well as key dates like anniversaries and birthdays. Hobbies, favorite sports teams, and even hometowns are also collected to build these targeted dictionaries.

These custom wordlists then drive dictionary attacks against user accounts: a targeted form of password guessing that tries a few thousand profile-derived candidates rather than exhaustively brute-forcing the keyspace. The study confirmed that this tailored approach significantly increases the success rate of password guessing compared to using generic, non-personalized password lists.
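To make the mechanism concrete, here is an added example (not tooling from the study or from the Help Net Security article) that builds a social dictionary from a handful of profile facts, runs it against a leaked hash set, and then reuses the same expansion as a defender-side check at password-set time. The profile, the four accounts in the dump, the unsalted SHA-256 hashing of that dump and the mangling rules are all constructed assumptions chosen to resemble what the report describes, not data from the research.

```python
"""Social dictionary attack, both sides: expand profile facts into a targeted
wordlist, run it against a hashed credential dump, and reuse the expansion as
a password-set-time check. Added example; the profile, the dump and the
unsalted SHA-256 scheme are constructed stand-ins, not study data."""
import hashlib
import itertools
from datetime import date

# Constructed profile: the sort of facts scraped from one public social account.
PROFILE = {
    "first_name": "Maria",
    "partner": "Luis",
    "child": "Sofia",
    "pet": "Biscuit",
    "team": "Dragons",
    "hometown": "Hoboken",
    "birthday": date(1988, 4, 12),
    "anniversary": date(2015, 9, 5),
}

LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
UNLEET = str.maketrans({"@": "a", "3": "e", "1": "i", "0": "o", "$": "s"})
SUFFIXES = ["", "!", "1", "123", "!!", "#1"]


def date_tokens(d):
    """Ways a date ends up inside a password: 2015, 15, 0905, 0509, 09052015, 090515."""
    yy = f"{d.year % 100:02d}"
    mmdd = f"{d.month:02d}{d.day:02d}"
    ddmm = f"{d.day:02d}{d.month:02d}"
    return {str(d.year), yy, mmdd, ddmm, mmdd + str(d.year), mmdd + yy}


def word_variants(word):
    """Case and leet mangling of one profile word."""
    w = word.lower()
    return {w, w.capitalize(), w.upper(), w.translate(LEET), w.capitalize().translate(LEET)}


def social_dictionary(profile):
    """Expand profile facts into candidates: single-word forms and two-word joins
    (child+pet, team+hometown, ...), each optionally followed by a date token
    and a common suffix."""
    words = [v for v in profile.values() if isinstance(v, str)]
    numbers = set().union(*(date_tokens(v) for v in profile.values() if isinstance(v, date)))
    nums = numbers | {""}
    forms = set()
    for w in words:
        forms |= word_variants(w)
    for a, b in itertools.permutations(words, 2):
        forms.add(a.capitalize() + b.capitalize())
        forms.add(a.lower() + b.lower())
    return {f + n + s for f in forms for n in nums for s in SUFFIXES}


def crack(dump, wordlist):
    """Hash each candidate once and look it up against every account. This only
    works because the (constructed) dump is unsalted, as many real leaks are."""
    by_hash = {}
    for user, h in dump.items():
        by_hash.setdefault(h, []).append(user)
    found = {}
    for cand in wordlist:
        h = hashlib.sha256(cand.encode()).hexdigest()
        for user in by_hash.get(h, ()):
            found[user] = cand
    return found


def profile_derived(password, profile):
    """Defender-side check for a password-set handler: True if the password is
    built from the user's own profile facts, after undoing case and leet tricks.
    Only date tokens of 4+ digits count, to avoid flagging every two-digit number."""
    digits = "".join(c for c in password if c.isdigit())
    for v in profile.values():
        if isinstance(v, date) and any(len(t) >= 4 and t in digits for t in date_tokens(v)):
            return True
    letters = "".join(c for c in password.translate(UNLEET).lower() if c.isalpha())
    return any(v.lower() in letters for v in profile.values() if isinstance(v, str) and len(v) >= 3)


# Constructed dump: four accounts tied to the profile, hashed as a leak would store them.
_PLAINTEXTS = {"maria.r": "Biscuit2015!", "mr88": "dragons0412",
               "m_rivera": "SofiaBiscuit#1", "maria_r": "xK9#vL2@qW8!mN"}
DUMP = {u: hashlib.sha256(p.encode()).hexdigest() for u, p in _PLAINTEXTS.items()}

WORDLIST = social_dictionary(PROFILE)
CRACKED = crack(DUMP, WORDLIST)

if __name__ == "__main__":
    print(f"{len(WORDLIST)} candidates from {len(PROFILE)} profile facts")
    for user, pw in CRACKED.items():
        print(f"cracked {user}: {pw}")
    print("profile_derived('Biscuit2015!') ->", profile_derived("Biscuit2015!", PROFILE))
```

Six words and two dates expand to roughly seven thousand candidates, enough to recover three of the four constructed accounts while leaving the random one untouched. The same `profile_derived` function is the check a registration or password-change handler would run alongside a breached-password lookup: it rejects `B1scu1t` and `Hoboken88!` as readily as `Biscuit2015!`, because it normalises away exactly the mangling the attacker relies on.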

Quantifiable Risks from Personal Posts

The research provided specific metrics on the effectiveness of this attack vector. Analysis showed that passwords containing names of pets or family members found on a user’s public social media profile were 73% more likely to be present in the breached credential dataset. The study identified a direct link between users posting about their favorite sports team, ‘The Dragons,’ and the appearance of that team name in over 50,000 compromised passwords belonging to those individuals.

This evidence demonstrates that information perceived as harmless social sharing is being actively harvested and weaponized for targeted password guessing and account takeover. The research concludes that the line between public social life and private digital security has been effectively erased by these targeted methods.

Source: https://www.helpnetsecurity.com/2025/11/28/research-social-media-password-risk/