Password Recycling: Why One Breach Breaks All Your Accounts
Cybercrime · 6 Chapters · Billions of Passwords. One Tool. Your Account.
Incoming transmission
In 2020, Akamai tracked 193 billion credential stuffing attempts — usernames and passwords leaked from previous breaches, automatically tested against login pages at massive scale. Even at a 0.1% success rate, that's 193 million compromised logins in a single year, on accounts people thought were safe because they didn't reuse passwords — except they did, once, seven years ago, on a site they forgot existed.
Franklin Green's Netflix account was compromised this way. So was his PayPal. Different sites, same password, same mistake most people make.
Credential stuffing is not hacking. No systems are broken into. No vulnerabilities are exploited. Attackers log in with your password — a password you used somewhere else, on a site that was breached, in a year you barely remember. The breach didn't happen to you directly. It happened to a site you used once. And the data never expires.
6 chapters. The full economy: breach markets, attack tools, account takeover, and how to stop it.
— Commander Shepard
