Let me walk you through a scenario that plays out thousands of times a day.
You signed up for a recipe forum in 2019. Used your usual email and password — the one you use for most things because it's easy to remember. The forum gets breached in 2021. You never hear about it because the forum was small and the breach didn't make the news.
Your email and password are now sitting in a database with 2 million other credentials. That database gets sold. Then resold. Then compiled into a larger collection. Then used.
Fast forward to today: someone tries your email-password combination on Gmail. It works — same password. They're in your email. From there, they reset your bank password, your Amazon account, your social media. Within hours, they have everything.
That's credential harvesting. And it starts with one password.
The password reuse problem (in actual numbers)
We need to talk about how widespread password reuse actually is, because the statistics are worse than most people expect:
- Google/Harris Poll (2023): 65% of people reuse passwords across multiple sites
- LastPass (2024): The average person reuses each password across 4 different sites
- Bitwarden (2023): 84% of people reuse passwords, with 26% reusing the same password for everything
- SpyCloud (2024): Among credentials exposed in data breaches, 74% were passwords the victim had used on at least one other site
The math is brutal. If you use one password across 4 sites, a breach on any of those sites compromises all four. And you don't get to choose which site gets breached — it could be the weakest, least secure one.
Most people's reused password protects their email. Their email is the skeleton key to everything else (password resets). That's the chain reaction.
How credential harvesting works (the full pipeline)
Credential harvesting isn't a single attack — it's an industry with a supply chain.
Stage 1: The breach
Databases get compromised through SQL injection, misconfigured servers, insider threats, or successful phishing of an admin. The attacker downloads the user database: emails, passwords (sometimes hashed, sometimes plaintext), and whatever else was stored.
In 2024 alone, notable breaches included:
- Ticketmaster: 560 million records
- AT&T: 73 million customer records
- National Public Data: 2.9 billion records (names, addresses, SSNs)
- Dell: 49 million customer records
Each breach adds fuel to the credential harvesting ecosystem.
Stage 2: Password cracking
If the stolen passwords are hashed (encrypted), attackers run cracking tools. Modern GPUs can test billions of hashes per second. A simple 8-character password hashed with MD5 falls in seconds. Even reasonably complex passwords hashed with older algorithms don't last long.
This is why "complexity requirements" (must include uppercase, number, symbol) are less useful than length. P@ssw0rd! is a 9-character password that meets every complexity rule — and it's in every cracker's dictionary. correct horse battery staple is far harder to crack but easier to remember.
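To make the complexity-versus-length point concrete, here is an added example (my code, not the author's) that screens a candidate password against a deny list the way a registration form should, after undoing the leet substitutions cracking rule sets undo in bulk, and then estimates how many guesses an attacker needs under their cheapest strategy. The deny list, the leet table and the two guess rates (a GPU rig against unsalted MD5 versus a deliberately slow KDF) are constructed order-of-magnitude stand-ins, not measured figures.

```python
import re
from typing import Optional

# Constructed, tiny stand-in for a breach-derived deny list; real screens use
# hundreds of millions of entries. Order stands in for popularity rank.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "password1", "letmein", "welcome"]

# Substitutions that cracking rule sets undo in bulk; undoing them here makes
# the screen catch "P@ssw0rd!" as "password".
LEET = str.maketrans("@04$31!57", "aoaseiist")

# Constructed order-of-magnitude guess rates: a GPU rig against unsalted MD5,
# versus a deliberately slow KDF (bcrypt/scrypt/Argon2 at a sane cost).
FAST_MD5_PER_SEC = 1e10
SLOW_KDF_PER_SEC = 1e4


def normalize(password: str) -> str:
    """Lower-case, drop the usual appended '123' / '!' suffix, undo leet."""
    p = password.lower()
    p = re.sub(r"[\d\W_]+$", "", p)
    return p.translate(LEET)


def common_rank(password: str) -> Optional[int]:
    """1-based rank in the deny list if the password (or its normalized form)
    is on it, else None. Screening like this is what NIST SP 800-63B asks for
    instead of composition rules."""
    for candidate in (password.lower(), normalize(password)):
        if candidate in COMMON_PASSWORDS:
            return COMMON_PASSWORDS.index(candidate) + 1
    return None


def brute_force_guesses(password: str) -> int:
    """Worst case for a blind character search: charset size ** length."""
    charset = 0
    if re.search(r"[a-z]", password):
        charset += 26
    if re.search(r"[A-Z]", password):
        charset += 26
    if re.search(r"\d", password):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", password):
        charset += 33  # printable ASCII symbols
    return charset ** len(password)


def passphrase_guesses(n_words: int, wordlist_size: int = 7776) -> int:
    """Worst case when the attacker knows the scheme exactly: every
    combination of n words from a 7776-word (Diceware-sized) list."""
    return wordlist_size ** n_words


def report(password: str, hashes_per_second: float) -> dict:
    """Guesses needed under the attacker's cheapest strategy, and the time
    to exhaust them at the given hash rate."""
    rank = common_rank(password)
    if rank is not None:
        strategy, guesses = "dictionary", rank
    elif " " in password.strip():
        strategy, guesses = "wordlist combination", passphrase_guesses(len(password.split()))
    else:
        strategy, guesses = "brute force", brute_force_guesses(password)
    return {"strategy": strategy, "guesses": guesses,
            "seconds": guesses / hashes_per_second}


if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "correct horse battery staple"):
        for rate in (FAST_MD5_PER_SEC, SLOW_KDF_PER_SEC):
            r = report(pw, rate)
            print(f"{pw!r:34} @ {rate:.0e}/s: {r['strategy']:21} {r['guesses']:.2e} guesses, "
                  f"{r['seconds'] / 86400:.1e} days")
```

Two things fall out of running it. P@ssw0rd! is found at the second dictionary guess no matter how it is hashed, because the screen (and the cracker) sees it as "password". The four-word passphrase needs about 3.7e15 guesses even from an attacker who knows the exact word list, which is a few days against unsalted MD5 at the constructed rate but over ten thousand years against a slow KDF, so the passphrase's length and the server's choice of hash both matter.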
Stage 3: Compilation and sale
Cracked credentials get compiled into combo lists — massive text files of email:password pairs. These are shared on underground forums, sold on dark web marketplaces, and compiled into searchable databases.
The pricing is shockingly cheap:
- Bulk combo lists: $5-50 for millions of email:password pairs (unverified)
- Verified credentials (confirmed working): $1-15 per account, depending on the service
- Corporate email credentials: $10-100+ depending on the company
- Banking credentials: $50-200+ per account
- Fullz (complete identity package: name, DOB, SSN, address, accounts): $15-100 per person
For context: a verified Netflix login sells for about $3. A verified PayPal account with a balance sells for roughly 10% of the balance. An active corporate email account at a Fortune 500 company can fetch $500+.
Stage 4: Credential stuffing
This is where your reused passwords get exploited at scale. Attackers take combo lists and use automated tools to try each email:password combination against popular services — Gmail, Microsoft, Amazon, banking sites, social media.
The tools are sophisticated. They:
- Rotate through thousands of proxy IP addresses to avoid rate limiting
- Solve CAPTCHAs using automated services ($2-3 per 1,000 CAPTCHAs)
- Slow down attempts to mimic human login patterns
- Run 24/7 across cloud infrastructure
The success rate is typically 0.1-2% — which sounds low until you realise they're testing millions of credentials. A 1% success rate on 10 million credentials is 100,000 compromised accounts.
Akamai reported that there were over 193 billion credential stuffing attacks globally in 2020 alone — a 310% increase from 47 billion in 2019. That's not a typo. Billion, with a B.
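From the defender's side, the pattern described above is detectable in the login log, because a stuffing source tries many different accounts and mostly fails, whereas a real user who has forgotten a password fails repeatedly on one account. The following added example (my code, not the author's) runs two detectors over a constructed log excerpt: a per-source check, and a fleet-wide check that still fires when proxy rotation keeps every individual IP under the per-source threshold. The log format, the RFC 5737 documentation addresses and the example.com users are all constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# Constructed auth-log excerpt (RFC 5737 documentation IPs, example.com users):
#   203.0.113.5   sprays six different accounts, lands one   -> stuffing
#   198.51.100.7  is a real user mistyping their own password -> benign
#   192.0.2.x     one failure each from rotating proxies      -> only visible fleet-wide
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice@example.com result=fail
2024-05-01T10:00:02Z ip=203.0.113.5 user=bob@example.com result=fail
2024-05-01T10:00:03Z ip=203.0.113.5 user=carol@example.com result=fail
2024-05-01T10:00:04Z ip=203.0.113.5 user=dave@example.com result=ok
2024-05-01T10:00:05Z ip=203.0.113.5 user=erin@example.com result=fail
2024-05-01T10:00:06Z ip=203.0.113.5 user=frank@example.com result=fail
2024-05-01T10:01:00Z ip=198.51.100.7 user=bob@example.com result=fail
2024-05-01T10:01:10Z ip=198.51.100.7 user=bob@example.com result=fail
2024-05-01T10:01:20Z ip=198.51.100.7 user=bob@example.com result=ok
2024-05-01T10:02:00Z ip=192.0.2.10 user=grace@example.com result=fail
2024-05-01T10:02:01Z ip=192.0.2.11 user=heidi@example.com result=fail
2024-05-01T10:02:02Z ip=192.0.2.12 user=ivan@example.com result=fail
2024-05-01T10:02:03Z ip=192.0.2.13 user=judy@example.com result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


class Attempt(NamedTuple):
    ts: str
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> List[Attempt]:
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognized log line: {line!r}")
        attempts.append(Attempt(m["ts"], m["ip"], m["user"], m["result"] == "ok"))
    return attempts


def flag_stuffing_ips(attempts: List[Attempt], min_users: int = 5,
                      min_fail_ratio: float = 0.8) -> Dict[str, dict]:
    """Sources that tried many *different* accounts and mostly failed. A
    forgetful user fails repeatedly on one account and is never flagged."""
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0})
    for a in attempts:
        s = per_ip[a.ip]
        s["users"].add(a.user)
        s["total"] += 1
        s["fail"] += 0 if a.ok else 1
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["fail"] / s["total"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "fail_ratio": round(ratio, 2),
                           "successes": s["total"] - s["fail"]}
    return flagged


def compromised_accounts(attempts: List[Attempt], flagged: Dict[str, dict]) -> Set[str]:
    """The successes inside a flagged source's spray are the stuffed accounts:
    revoke their sessions and force a password change."""
    return {a.user for a in attempts if a.ok and a.ip in flagged}


def distributed_signal(attempts: List[Attempt], baseline_failed_users: int,
                       factor: float = 3.0) -> dict:
    """Proxy rotation keeps every IP under the per-source threshold, so also
    compare the fleet-wide count of distinct accounts with a failed login
    against the window's historical baseline."""
    failed_users = {a.user for a in attempts if not a.ok}
    return {"failed_users": len(failed_users),
            "alert": len(failed_users) >= factor * baseline_failed_users}


if __name__ == "__main__":
    attempts = parse_log(SAMPLE_LOG)
    flagged = flag_stuffing_ips(attempts)
    print("stuffing sources:", flagged)
    print("accounts to reset:", compromised_accounts(attempts, flagged))
    print("fleet-wide:", distributed_signal(attempts, baseline_failed_users=2))
```

The 1% success the article mentions is what makes the first detector worth running: the one "ok" inside a flagged spray is the account that has just been taken over, and it should be reset and its sessions revoked before the attacker moves on to the inbox.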
The chain reaction: one password, total compromise
Here's how the domino effect works in practice:
Hour 1: Email access
The attacker successfully stuffs your credentials into Gmail. They're in. First, they set up a mail forwarding rule (so they keep getting copies of your email even if you change the password later). Then they search for "bank," "account," "password," and "statement" to understand your financial landscape.
Hour 2: Financial accounts
Using "forgot password" on your bank's website, they trigger a password reset email — which they receive because they control your inbox. They reset your online banking password, log in, and either transfer funds directly or add a new payee for later extraction.
Hour 3: Shopping and subscriptions
Amazon, eBay, any service with stored payment cards. They either make purchases shipped to a different address or extract card details for use elsewhere.
Hour 4: Social media
They take over your Facebook, Instagram, LinkedIn. This isn't just embarrassing — it gives them access to your social graph for targeting your contacts ("Hey, I'm stranded overseas, can you wire me £500?") and additional personal information for identity fraud.
Hour 5-24: Identity theft
With your email, banking details, address, date of birth (often in bank correspondence), and social media, they have enough for full identity fraud: opening credit cards, taking out loans, filing false tax returns, or selling your complete identity package (fullz) to other criminals.
The timeline here is real. Research from Agari found that attackers access compromised email accounts within 12 hours of obtaining credentials in 40% of cases, and most compromised accounts are exploited within 24 hours.
You might already be compromised (here's how to check)
Two free services let you check if your credentials have appeared in known data breaches:
Have I Been Pwned — Enter your email address. It'll tell you which breaches included your data and what was exposed. Created by security researcher Troy Hunt, it contains over 13 billion breach records.
Firefox Monitor — Similar service from Mozilla, also powered by breach data.
If your email appears in breaches (most people's do — HIBP reports the average email address appears in 4-5 breaches), change the password on that service immediately, and change it on any other service where you used the same password.
How password managers actually protect you (technically)
"Use a password manager" is common advice, but most explanations stop there. Here's how they protect you, mechanically:
Unique passwords everywhere: A password manager generates a random, unique password for every site. Something like k7#mP9$xLq2&nR4. You never see these passwords, never type them, and never need to remember them. Because every password is unique, a breach on one site affects only that one site. The chain reaction can't happen.
Encrypted vault: Your passwords are stored in an encrypted vault using AES-256 encryption (the same standard used by governments for classified data). The vault is decrypted locally using your master password. The password manager company never sees your actual passwords — they store only the encrypted blob.
Zero-knowledge architecture: Services like 1Password, Bitwarden, and Dashlane use zero-knowledge design: they can't access your passwords even if they wanted to, even if they were subpoenaed, even if they were hacked. Without your master password, the encrypted vault is useless — it would take billions of years to brute-force AES-256.
Phishing resistance: Password managers autofill credentials based on the website's URL. If you visit paypa1.com (with a number 1), your password manager won't offer to fill your PayPal credentials because the URL doesn't match. This is a phishing detection mechanism that works every time, without you needing to notice the fake domain.
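The four mechanisms above fit in one small program, so here is an added example (my code, not any password manager's) that shows them working together: random per-site passwords from the OS CSPRNG, a master password stretched with scrypt and split into a vault key that stays on the device and a separate verifier that is all the sync server ever sees, an encrypted blob the server cannot open, and an autofill check that refuses a look-alike host. Two simplifications are mine: the key split is a sketch of the pattern rather than any vendor's exact parameters, and the vault cipher is encrypt-then-MAC built from HMAC-SHA256 as a standard-library stand-in for the AES-256-GCM real managers use.

```python
import hashlib
import hmac
import json
import os
import secrets
import string
from typing import Dict, Tuple
from urllib.parse import urlsplit

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def generate_password(length: int = 20) -> str:
    """Uniform random draw from the OS CSPRNG: unique per site, never memorable."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_keys(master_password: str, email: str) -> Tuple[bytes, bytes]:
    """Stretch the master password with scrypt and split the result into a
    vault key (stays on the device) and an auth verifier (the only thing the
    sync server ever sees). Simplified sketch of the split real managers use,
    not any vendor's exact KDF parameters."""
    master_key = hashlib.scrypt(master_password.encode(), salt=email.lower().encode(),
                                n=2 ** 14, r=8, p=1, dklen=32)
    vault_key = hmac.new(master_key, b"vault-encryption", hashlib.sha256).digest()
    auth_verifier = hashlib.scrypt(master_key, salt=b"sync-auth", n=2 ** 10, r=8, p=1, dklen=32)
    return vault_key, auth_verifier


def _subkeys(vault_key: bytes) -> Tuple[bytes, bytes]:
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(map(len, blocks)) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with HMAC-SHA256 as a counter-mode keystream: a
    standard-library stand-in for AES-256-GCM with the same shape
    (random nonce, tag over nonce + ciphertext)."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("blob too short to hold nonce and tag")
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def save_vault(vault_key: bytes, entries: Dict[str, Dict[str, str]]) -> bytes:
    """What the sync server stores: an opaque blob it cannot open."""
    return encrypt_vault(vault_key, json.dumps(entries, sort_keys=True).encode())


def open_vault(vault_key: bytes, blob: bytes) -> Dict[str, Dict[str, str]]:
    return json.loads(decrypt_vault(vault_key, blob))


def autofill_allowed(saved_url: str, current_url: str) -> bool:
    """Offer a credential only over HTTPS and only when the host matches the
    saved one (a leading 'www.' is ignored): 'paypa1.com' and
    'paypal.com.evil.example' both fail, whatever they look like on screen.
    Real managers match on the registrable domain; this is the strict version."""
    def host(url: str) -> str:
        h = (urlsplit(url).hostname or "").lower()
        return h[4:] if h.startswith("www.") else h
    return urlsplit(current_url).scheme == "https" and host(saved_url) == host(current_url)


if __name__ == "__main__":
    vault_key, verifier = derive_keys("correct horse battery staple", "user@example.com")
    blob = save_vault(vault_key, {"https://paypal.com": {"user": "alice", "password": generate_password()}})
    print("server stores:", verifier.hex()[:16] + "...", "and", len(blob), "opaque bytes")
    print("fill on paypa1.com?", autofill_allowed("https://paypal.com", "https://paypa1.com/signin"))
```

The point of the key split is that the verifier and the vault key are both derived from the master password but neither can be turned back into the other, so a server that loses its whole database has handed over nothing that opens a vault; and the autofill check is what makes "the URL doesn't match" a decision the software takes rather than one you have to notice.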
Practical recommendations:
- Bitwarden: Free, open-source, audited. The best free option by far.
- 1Password: Polished, excellent family plans, $3-5/month.
- Apple Keychain / Google Password Manager: Built-in, good enough for most people, free.
One master password to remember. Everything else is handled. The inconvenience is minimal; the protection is enormous.
What about MFA? Doesn't that solve this?
Multi-factor authentication significantly reduces the risk — but it's not bulletproof.
What MFA stops: Standard credential stuffing. Even if an attacker has your email and password, they can't log in without the second factor (usually a code from your phone).
What MFA doesn't stop:
- Real-time phishing proxies: Tools like Evilginx2 sit between you and the real login page, capturing your credentials and your MFA token in real time. The attacker uses both immediately.
- SIM swapping: Attackers convince your mobile carrier to transfer your number to their SIM, intercepting SMS-based MFA codes.
- MFA fatigue: Attackers trigger dozens of push notifications until you accidentally approve one just to make them stop.
MFA is still absolutely worth enabling — it blocks the vast majority of automated attacks. But it's a layer, not a solution.
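Of the three bypasses above, MFA fatigue is the one an identity provider can catch directly in its own push log, because a legitimate login sends one or two prompts and a bombing run sends dozens. The following added example (my code, not any vendor's) keeps a sliding window of prompts per user, raises a finding once the window fills, and marks an approval that arrives after the burst as suspect rather than as proof of the user. The log format and the three users' events are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, NamedTuple

# Constructed MFA push log: alice is bombed with seven prompts in three minutes
# and finally taps approve; bob is a normal login; carol gets prompts hours apart.
SAMPLE_PUSH_LOG = """\
2024-05-01T09:00:00Z user=alice@example.com event=push_sent
2024-05-01T09:00:30Z user=alice@example.com event=push_sent
2024-05-01T09:01:00Z user=alice@example.com event=push_sent
2024-05-01T09:01:30Z user=alice@example.com event=push_sent
2024-05-01T09:02:00Z user=alice@example.com event=push_sent
2024-05-01T09:02:30Z user=alice@example.com event=push_sent
2024-05-01T09:03:00Z user=alice@example.com event=push_sent
2024-05-01T09:03:20Z user=alice@example.com event=push_approved
2024-05-01T09:05:00Z user=bob@example.com event=push_sent
2024-05-01T09:05:08Z user=bob@example.com event=push_approved
2024-05-01T08:00:00Z user=carol@example.com event=push_sent
2024-05-01T10:00:00Z user=carol@example.com event=push_sent
2024-05-01T12:00:00Z user=carol@example.com event=push_sent
2024-05-01T14:00:00Z user=carol@example.com event=push_sent
2024-05-01T16:00:00Z user=carol@example.com event=push_sent
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$")


class PushEvent(NamedTuple):
    ts: datetime
    user: str
    event: str  # push_sent | push_approved | push_denied


def parse_push_log(text: str) -> List[PushEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognized line: {line!r}")
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(PushEvent(ts, m["user"], m["event"]))
    return sorted(events, key=lambda e: e.ts)


def detect_push_fatigue(events: List[PushEvent], max_prompts: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> Dict[str, dict]:
    """Per user, count prompts in a sliding window. Hitting the limit means:
    stop sending prompts, lock MFA for that account pending review, and treat
    any approval that follows as a likely accident rather than proof of the user."""
    recent: Dict[str, deque] = defaultdict(deque)
    findings: Dict[str, dict] = {}
    for e in events:
        if e.event == "push_sent":
            q = recent[e.user]
            q.append(e.ts)
            while e.ts - q[0] > window:  # never empties: the newest entry is e.ts itself
                q.popleft()
            if len(q) >= max_prompts:
                f = findings.setdefault(e.user, {"prompts_in_window": 0,
                                                 "approved_after_burst": False})
                f["prompts_in_window"] = max(f["prompts_in_window"], len(q))
        elif e.event == "push_approved" and e.user in findings:
            findings[e.user]["approved_after_burst"] = True
    return findings


if __name__ == "__main__":
    for user, f in detect_push_fatigue(parse_push_log(SAMPLE_PUSH_LOG)).items():
        print(user, f)
```

Carol never fires because her prompts are hours apart, which is why the window matters as much as the count; and the `approved_after_burst` flag is the cue to revoke the session that approval created rather than trust it.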
The bottom line
Credential harvesting works because humans are predictable: we reuse passwords, we don't check if our data has been breached, and we underestimate how quickly one compromise cascades.
The fix is boring but effective: unique passwords (via a password manager), MFA on everything that supports it, and awareness that your credentials are probably already in a breach database somewhere.
The question isn't whether your password has been stolen. It's whether the stolen password opens anything else.