The biggest password flubs of 2019, from Facebook's stolen hard drives to Lisa Kudrow's Instagram

The "Ellen" host's official Instagram account was hacked in August, and hackers used it to promote fake giveaways, according to Deadline. In a possibly-joking tweet, DeGeneres wrote that hackers likely guessed her account password, which was "password."

My Instagram account was hacked last night (despite my clever password “password”). We apologize, and we thank everyone who brought it to our attention. I’m going back to sleep now.

More than 600,000 GPS trackers sold by the Chinese company Shenzen i365 on Amazon had major security vulnerabilities, Avast found. The GPS trackers were marketed to parents to keep track on their kids, but all the trackers came with a default password "123456" — any hackers who could guess the password could remotely log into users devices and lock owners out.

When a cybersecurity researcher was trying to reset his Virgin Media password earlier this year, he found that Virgin sent his password in plain text via email — a startlingly unsecure way to communicate passwords without encryption. After he notified Virgin of the vulnerability on Twitter, Virgin's official Twitter account responded with a Tweet that seemed to brush off the complaint:

"Yes, because criminals don't break laws, right?" Matthew Hughes quipped in The Next Web. "By that logic, why should I lock my front door? After all, burglary is illegal."

Posting it to you is secure, as it's illegal to open someone else's mail. ^JGS

A cybersecurity researcher found that Elsevier, which publishes scientific and medical journals, had stored people's usernames and passwords in plain text on an unprotected server on their website, meaning anyone who found the page could instantly access the passwords. The company told VICE that the exposure was due to human error and that it would notify all parties affected.

The embattled real-estate startup reportedly used a single password for its entire global WiFi network, according to Fast Company. The outlet didn't disclose what the password was, but noted that it "has regularly appeared on lists of the worst passwords that anyone can possibly choose." WeWork reportedly declined Fast Company's request for comment.

During Mark Zuckerberg's testimony before the House of Representatives in October, footage from the chamber caught Texas Republican Lance Gooden entering his phone password, which appears to be "777777."

Gooden addressed the footage on Twitter, joking that he has the same password practices as Kanye West, who appeared to input "000000" as his iPhone password during a White House meeting with President Trump.

Watch and share Technology GIFs and Politics GIFs on Gfycat

Just another thing @kanyewest and I have in common. https://t.co/Vcffb2euxG

The "Friends" star went mildly viral in May when she posted a selfie with her computer. The post was meant to show off a Deadline article about her next role, but included a sticky note featuring her password written in pen.

After fans pointed out the mistake, Kudrow removed the post, but later made a similar, joking post featuring a sticky note displaying her "new password."

Google announced in May that it had stored some G Suite users' passwords in unencrypted plain text since 2005.

"'Accidents' like this have major implications for platforms and their users; breaches can go undetected for years, so you never know when an account might have been exposed," Dashlane wrote in its post naming Google the second-worst password offender of 2019.

At the time, Google apologized in a blog post for failing to "live up to our own standards."

Dashlane cited three incidents that placed Facebook at the top of its "Worst Offenders" list: Facebook admitted to exposing hundreds of millions of passwords in March, and in April the company said it had harvested users' contacts without consent. Then, in September, Facebook admitted to a separate instance of exposing users' phone numbers.

"For a company under increasing scrutiny for how it handles (or mishandles) user data and security, it sure needs a poke in the ribs," Dashlane wrote.