
Credential Stuffing and Reused Passwords

The Adobe breach leaked 153 million passwords. Yours was probably in there.

Last updated: March 20, 2026

In 2013, Adobe's systems were breached. The attackers made off with 153 million user accounts—email addresses, usernames, and encrypted passwords. The problem: most people used the same password across multiple sites.

Three years later, a Louisiana accounting firm woke up to find their QuickBooks, Dropbox, and Google Workspace compromised. The attacker had found the firm's email address in the Adobe breach, tried the same email with the same password on dozens of services, and got lucky on Google Workspace. From there, they reset passwords on everything else, enabled OAuth apps, and had a field day.

This is credential stuffing. And it's one of the most common ways small businesses get hit—not because of sophisticated hacking, but because people reuse passwords.

How credential stuffing actually works

Attackers don't guess your password. They buy lists of stolen credentials from previous data breaches—email and password pairs that number in the billions across breaches like LinkedIn, Adobe, Yahoo, and countless others. These lists are cheap, organized, and searchable.

Then they run automated tools that try those email/password combinations across hundreds of websites simultaneously. Banking sites, cloud services, email providers, accounting software, VPNs—anything with a login form.

If you reused your Adobe password from 2013 on your business email in 2016, that password is probably still out there, waiting for someone to try it.

Why it works: Roughly 65% of people reuse passwords across multiple sites. For a small business where everyone uses the same handful of passwords, one breach anywhere becomes a breach of everything.

What can go wrong

Account takeover: If an attacker gets into your business email, they can reset passwords on other services, access cloud storage, and impersonate you to vendors and clients.

Financial fraud: Access to your accounting software, banking portal, or payment processor lets attackers redirect payments, change account details, or drain funds.

Ransomware delivery: Many ransomware attacks start with an attacker using compromised credentials to access your network, then moving laterally until they find what they need.

Client data exposure: If you store client information in any cloud service, a compromised account can expose that data and create liability.

The cascade effect: One reused password belonging to one employee becomes an attacker walking through your entire digital business.

What it costs

  • Incident response: $5,000 to $50,000 depending on scope. A single compromised account might take a few hours; a full network compromise from credential stuffing can take weeks.
  • Business interruption: Downtime while you recover accounts, re-establish access, and investigate. Most small businesses lose 3-5 days minimum.
  • Regulatory costs: If client data was exposed, notification requirements and potential fines vary by industry but can run $10,000 to $100,000+.
  • Reputational damage: "We got hacked" is not a confidence-building message to send to your clients.

Vendor questions (copy/paste)

"We have 5 employees and they're all on different devices. Can your solution check if our domains are in breach databases, and what do we do when we find out?"

"What's your password manager recommendation for a team of 5-15 people that doesn't require IT to manage it full-time?"

"How do I enforce unique passwords across our team without creating a situation where people write passwords on sticky notes?"

"We use a lot of SaaS tools. Is there a way to monitor for unauthorized logins without checking every dashboard manually?"

"Our team resists password managers. What actually works to get people to use them instead of reusing passwords?"

Minimum viable implementation

  1. Deploy a team password manager (1Password, Bitwarden, or similar). This is non-negotiable. Generate unique passwords for every single service. Cost: $3-10 per user per month for business plans with admin controls.

  2. Enable multi-factor authentication (MFA) on everything you can. Start with email, banking, accounting software, and anything with access to client data. Use authenticator apps or hardware keys—SMS codes are better than nothing but can be intercepted via SIM swapping.

  3. Check your exposure. Go to haveibeenpwned.com and enter your business email addresses. If they're showing up in breaches, those passwords are compromised—change them immediately in your password manager.

  4. Implement single sign-on (SSO) if you can. This centralizes authentication and makes it easier to enforce password policies and MFA across multiple services. Some modern tools like Google Workspace or Microsoft 365 come with this built in.

  5. Set up alerts for suspicious login activity on critical services. Many platforms will notify you when someone logs in from a new device or location.

  6. Automate breach checking. Some password managers and security tools can automatically alert you when your stored credentials appear in new breaches.
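As an added illustration of steps 3 and 6 (this is example code, not from the original article or any vendor), the script below audits a list of service/password pairs for reuse and for presence in Have I Been Pwned's Pwned Passwords corpus using its k-anonymity range API: only the first five characters of each SHA-1 hash are sent, never the password. The `audit_vault` and `offline_fetch` names, the sample response and its count are constructed for this example.

```python
import hashlib
import urllib.request
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# Real, documented Pwned Passwords range endpoint. Only the first five hex
# characters of a SHA-1 hash are sent, so the password never leaves the machine.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 into its 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns (blank lines skipped)."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count or 0)
    return counts

def fetch_range(prefix: str) -> str:
    """Live fetcher: ask HIBP for every known suffix sharing this prefix (needs network)."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix, headers={"User-Agent": "breach-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")
def pwned_count(password: str, fetcher: Callable[[str], str] = fetch_range) -> int:
    """Times the password appears in the breach corpus; 0 means not found."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetcher(prefix)).get(suffix, 0)
def audit_vault(entries: List[Tuple[str, str]], fetcher: Callable[[str], str] = fetch_range) -> Dict[str, List[str]]:
    """Flag services whose password is reused within the vault or known to be breached."""
    by_password: Dict[str, List[str]] = defaultdict(list)
    for service, password in entries:
        by_password[password].append(service)
    report: Dict[str, List[str]] = {"reused": [], "breached": []}
    for password, services in by_password.items():
        if len(services) > 1:
            report["reused"].extend(services)
        if pwned_count(password, fetcher) > 0:
            report["breached"].extend(services)
    return report

# Constructed sample response for prefix 5BAA6 (SHA-1 of "password" starts with it);
# the count is made up and the second line mimics a zero-count padding entry.
SAMPLE_RANGE_RESPONSE = ("1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
                         "0123456789ABCDEF0123456789ABCDEF012:0\n")
def offline_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range so the example runs without network access."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""
```

Run `audit_vault(entries)` against an export from your password manager with the default live fetcher; any service listed under "reused" or "breached" gets a newly generated password first.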

When to hire help

Call someone today if:

  • You discovered credentials from a breach are still active on your business accounts
  • You can't log into critical services because the password was changed by an attacker
  • You see suspicious activity in your email or cloud storage

Call someone this week if:

  • You want help implementing a password manager across your team and training everyone to use it
  • You need help enabling MFA on services you don't know how to configure
  • You want a security audit to find reused passwords and weak points in your credential management

You can probably handle it yourself if:

  • You're comfortable using a password manager yourself and can show your team how to use it
  • You have IT support already, and you just need them to configure the tools

The honest truth: credential stuffing is solved by not reusing passwords. Everything else—MFA, monitoring, alerts—is defense in depth. Start with the password manager.
