← Blog

How one stolen password becomes ten break-ins

Tenant Strike3 min read

Attackers don't always guess passwords. They reuse ones already leaked in other companies' breaches, trying them everywhere automatically. It is called credential stuffing, and password reuse is what makes it work.

There's a common assumption that breaking into an account means guessing a password — an attacker patiently trying combinations until one works. That's slow and usually fails. The real attack is far more efficient: attackers use passwords that were already stolen somewhere else and simply try them everywhere. It's called credential stuffing, and the only reason it works is a habit nearly everyone has: reusing the same password in more than one place.

Where the passwords come from

Over the years, thousands of companies have been breached, spilling billions of real username-and-password pairs onto the internet. These collections are bought, sold, and traded freely. Your email address and a password you used in 2021 are very likely sitting in one of them right now — not because you did anything wrong, but because some service you signed up for got breached.

Attackers gather these lists and feed them into automated tools. The tools take each leaked email-and-password pair and try it against many other services — Microsoft 365, banking, online stores, anything. They can test millions of combinations quietly, at machine speed.

Why reuse is the whole problem

Here's the chain. You used the same password for a hobby forum and your work email. The forum got breached, exposing that password. Now an attacker has your email address and a password you actually use. They try it against your Microsoft 365 login — and if you reused it, they're in. They never touched your work systems directly. They just walked through a door you'd unlocked elsewhere.

This is why password reuse, not password weakness, is the real killer. A long, strong password that you use in five places is only as safe as the least secure of those five. One breach anywhere exposes all of them.

The two fixes that end it

The defense is simple to state and genuinely effective:

  1. Use a different password for every account. No human can remember dozens of unique strong passwords, so use a password manager. It generates and stores a unique password for each site and fills them in for you. You remember one master password; it handles the rest. This single change breaks credential stuffing entirely — a password leaked from one site is useless everywhere else, because it's used nowhere else.
  2. Turn on multi-factor authentication everywhere it's offered. Even if a password is stolen and reused, multi-factor authentication means the attacker still needs the second step — a code or an approval — which they don't have. It's the safety net for when a password does leak. Together, unique passwords and multi-factor authentication make credential stuffing close to hopeless.

A couple of supporting habits help too:

  • Check whether your accounts have appeared in known breaches. Free services let you look up your email address and see which breaches it's turned up in. It's a useful nudge to change anything you've reused.
  • Prioritize the important accounts. Your work email, your banking, and any admin accounts deserve unique passwords and the strongest multi-factor authentication first.

For a business, it's a team habit

Credential stuffing targets organizations precisely because employees reuse passwords across personal and work accounts. A staff member's reused password, leaked from some unrelated site, becomes a way into your business. So the protections have to be company-wide: require multi-factor authentication for everyone, encourage a password manager, and block the older sign-in methods that ignore multi-factor authentication entirely.

That last point is the gap people miss. You can have multi-factor authentication switched on and still be exposed if outdated connection methods let an attacker skip it with just a password. Tenant Strike checks for exactly this — whether multi-factor authentication is truly enforced for every account, whether legacy sign-in paths are still open, whether your administrators are properly protected. It reads your Microsoft 365 settings in five minutes and tells you, in plain English, whether a leaked password could still walk in.

AI-researched from public sources. We label AI-assisted writing — see our trust page.

See your own risk

Want this for your own Microsoft cloud?

Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.