One Bad Password vs. A 24-Year-Old Business
He spent 24 years building his business. One bad password and a ransomware attack blew it to smithereens.

Happy Tuesday! Today, I share an article from 2021 about Fran Finnegan, whose business data was stolen and locked down for a ransom to be paid in cryptocurrency. What happened to Fran isn’t fair. And ransomware attacks have been on the rise since it happened in 2021. We as a society need to tell cybersecurity stories more persuasively to a much wider audience. By retelling this cyber story and amplifying this message, business owners may be encouraged to take impactful action. Cybersecurity is a form of wealth, and all of us deserve to keep what we’ve earned. — Anthony Collette
Fran Finnegan was on vacation in New York just before the Fourth of July weekend when he received a disturbing text message from one of his customers: How come his website was down?
Finnegan quickly searched out a computer to remotely examine his site, which provides access to millions of documents filed with the Securities and Exchange Commission.
There he discovered a disaster unfolding in front of his eyes in real time. Hackers had breached his site’s security and taken over. He watched helplessly as they encrypted all his files, placing them beyond reach.
How could this happen?
24 years ago, when Finnegan originally set up his business website, SEC Info, he gave himself administrative privileges so he could manage the system, and protected his access with a password. The password he used, however, was the same as the password he was using for his Yahoo email account.
That password was probably stolen in a massive hack in 2013 that also compromised the names, email addresses, phone numbers, birth dates and security questions and answers of 3 billion Yahoo account holders.
At the time, Yahoo advised its users to change the passwords on their Yahoo accounts, but Finnegan had long since forgotten that he had also used it as his administrative password.
“Had I remembered that I was using a password from 24 years ago,” he says, “I certainly would have changed it.”
As he later discovered, beginning on June 26 his hackers pinged his system 2.5 million times before they finally hit on the right password. He says the firewall logs established that the hacking originated in Russia.
The hackers were able to encrypt everything on his servers — not only the database of documents but also Finnegan’s email system and even his list of users and their contact information.
That means that once SEC Info is back in operation, he won’t be able to proactively inform his customers what happened — he’ll have to wait for them to get in touch with him — all 500,000 of them.
“I have to re-create everything, and that takes time. I hope it’s not more than a month, but there’s no way of knowing right now.”
How can you benefit from the unfortunate experience of Fran Finnegan?
☑️ Use a Modern Password on every online account.
A password manager makes creating and using these kinds of passwords extremely easy.
☑️ Use MFA (multi-factor authentication), like a YubiKey or authenticator app, for important or critical websites.
Make it tougher for the bad guys to cause havoc in your life or business.
You deserve to keep what you’ve earned.
Link to the LA Times article here: https://www.latimes.com/business/story/2021-07-09/a-ransomware-attack-destroys-a-thriving-business
Cybersecurity is a modern form of wealth, and you deserve to keep what you've earned.
Looking forward to connecting again next week.
— Anthony Collette