Surely people are not reusing passwords!

Even though there are warnings all over the internet about the risks of reusing passwords and the ease with which threat actors can run credential stuffing attacks to exploit this negligent behaviour – people still reuse passwords:

DraftKings denies platform breach, says about $300,000 stolen from compromised accounts – The Record by Recorded Future

This is why threat actors always keep credential stuffing software to hand – it makes them a lot of money.

Your takeaway from this – make sure that no one in your team is using a duplicated password for any service you give them access to. I’d get it in writing.

Where do they get the passwords from?

Well, here is a report on a mass password stealing campaign:

Russian cybergangs stole over 50 million passwords this year (bleepingcomputer.com)

DO NOT REUSE PASSWORDS

Clive Catton MSc (Cyber Security) – by-line and other articles