Every year, millions of usernames and passwords are stolen from websites — not always from big companies you've heard of, but from small stores, forums, and services you signed up for once and forgot about. When those databases get leaked, hackers do something very simple: they try those same passwords on every other site they can.
This is called credential stuffing, and it's one of the most common ways accounts get compromised. It doesn't require any technical skill on the hacker's part. They just have a list of known email/password combinations and a script that tries them.
How it plays out in real life
Say you signed up for an online store five years ago. You used your regular email and your go-to password. That store gets hacked. You never find out because they don't tell anyone. Your email and password end up in a database that gets sold and traded online.
Now someone tries that combination on Gmail. On your bank. On Amazon. If your password is the same — or close enough — they're in.
You can check if this has happened to you
A free tool called Have I Been Pwned (haveibeenpwned.com) lets you type in your email address and see if it's appeared in any known data breaches. It's run by a security researcher and is completely safe to use. If your email shows up, it doesn't mean you've been hacked — but it does mean your credentials from that site are out there, and if you use that same password anywhere else, you should change it.
The fix isn't complicated, but it is a commitment
The real answer is a unique password for every account. Not "Summer2024!" changed to "Summer2025!" — actually different passwords. The only realistic way to do that is with a password manager, which we'll talk about tomorrow.
In the meantime, if there's one account you want to prioritize, make it your email. Your email is the key to every other account — it's how you reset passwords. If someone gets into your email, they can get into almost everything else. A strong, unique password there is the most important one you can have.
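The "same, or close enough" problem described above can be checked mechanically. The following is an added example, not part of the original post: it compares the passwords of several accounts and flags pairs that are identical, differ by only a couple of characters, or share a base word once leading and trailing digits and symbols are dropped and common character swaps are undone. The sample vault, the function names, the swap list and the two-edit threshold are all constructed for illustration, and the swap handling goes beyond the "Summer2024!" case the post mentions.

```python
import re
from itertools import combinations

# Constructed sample data for illustration; not real credentials.
SAMPLE_VAULT = {
    "old-store": "Summer2024!",
    "email": "Summer2025!",
    "bank": "summer24",
    "forum": "c7#Lq9vT!xw2RzP",
}

# Common character swaps (assumed list), undone before comparing: @->a, 3->e, ...
LEET = str.maketrans("@4310$57", "aaelosst")


def skeleton(password):
    """Base word: lowercase, drop leading/trailing digits and symbols, undo swaps."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return core.translate(LEET)


def edit_distance(a, b):
    """Levenshtein distance, computed with one rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]


def related_pairs(vault, max_edits=2):
    """List (account_a, account_b, reason) for passwords that are the same or close."""
    findings = []
    for (acct_a, pw_a), (acct_b, pw_b) in combinations(sorted(vault.items()), 2):
        if pw_a == pw_b:
            reason = "identical"
        elif edit_distance(pw_a, pw_b) <= max_edits:
            reason = "few-character change"
        elif skeleton(pw_a) and skeleton(pw_a) == skeleton(pw_b):
            reason = "same base word"
        else:
            continue
        findings.append((acct_a, acct_b, reason))
    return findings


if __name__ == "__main__":
    for acct_a, acct_b, reason in related_pairs(SAMPLE_VAULT):
        print(f"{acct_a} / {acct_b}: {reason}")
```

Only the randomly generated "forum" password comes out unrelated to the others; every "Summer" variant is tied back to the password from the old store.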