There is a website called Have I Been Pwned. You type in an email address and it tells you whether that address has appeared in a known data breach, which breaches, and what kinds of data (passwords included) each one exposed. It currently holds records from over 13 billion breached accounts. A companion service on the same site, Pwned Passwords, lets you check whether a specific password has appeared in a breach.
Go and check your business email address now. Then check your personal one. Then check your staff’s.
The results are often sobering. Many business email addresses appear in multiple breaches: from previous employers, from subscription services, from platforms that were compromised years ago and whose data is still being traded. And where a breach included passwords, especially ones stored in plaintext or with weak hashing, the password used at that time should be assumed known.
Why Credential Breaches at Other Companies Are Your Problem
When a company you’ve never heard of suffers a data breach, and one of your staff members had an account there using their work email and a shared password, you have a problem.
Attackers take breached credential lists and run them against business email systems, cloud platforms, banking portals, and VPNs. This process, called credential stuffing, is automated and runs at enormous scale, typically from large pools of rotating IP addresses so that simple lockouts and IP blocking do little to slow it. If your staff member used the same password for that obscure forum and for their Microsoft 365 account, that account may already be compromised.
According to the Verizon Data Breach Investigations Report, compromised credentials are involved in the majority of hacking-related breaches. It is consistently one of the top two or three attack vectors year after year.
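Credential stuffing leaves a distinctive trace in sign-in logs: one source address trying many different usernames in quick succession, almost all of them failing, with the occasional success where a reused password worked. The Python below is an added example, not code from the original article or from W3IT, that runs that check over a handful of constructed log lines in a made-up format (timestamp, source IP, username, result). The parser would need adapting to your own mail or identity provider's sign-in export, and the thresholds are illustrative assumptions.

```python
"""Detect credential-stuffing patterns in sign-in logs.

Added example, not from the original article. The log format and the
sample lines are constructed; thresholds are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> <source IP> <username> <SUCCESS|FAILURE>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<user>\S+)\s+(?P<result>SUCCESS|FAILURE)$"
)

# Constructed sample: 203.0.113.9 cycles through eight accounts (one reused password
# works), 198.51.100.4 is a user who mistyped once, 192.0.2.77 hammers one account.
SAMPLE_LOG = """\
2024-03-04T09:00:01 203.0.113.9 alice@example.com FAILURE
2024-03-04T09:00:02 203.0.113.9 bob@example.com FAILURE
2024-03-04T09:00:02 203.0.113.9 carol@example.com FAILURE
2024-03-04T09:00:03 203.0.113.9 dave@example.com SUCCESS
2024-03-04T09:00:04 203.0.113.9 erin@example.com FAILURE
2024-03-04T09:00:05 203.0.113.9 frank@example.com FAILURE
2024-03-04T09:00:05 203.0.113.9 grace@example.com FAILURE
2024-03-04T09:00:06 203.0.113.9 heidi@example.com FAILURE
2024-03-04T09:01:10 198.51.100.4 alice@example.com FAILURE
2024-03-04T09:01:25 198.51.100.4 alice@example.com SUCCESS
2024-03-04T09:02:00 192.0.2.77 bob@example.com FAILURE
2024-03-04T09:02:01 192.0.2.77 bob@example.com FAILURE
2024-03-04T09:02:02 192.0.2.77 bob@example.com FAILURE
2024-03-04T09:02:03 192.0.2.77 bob@example.com FAILURE
2024-03-04T09:02:04 192.0.2.77 bob@example.com FAILURE
2024-03-04T09:02:05 192.0.2.77 bob@example.com FAILURE
garbage line that should be skipped
"""


def parse_log(text):
    """Return sorted (timestamp, ip, user, result) tuples; malformed lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"]))
    return sorted(events)


def find_stuffing(events, window=timedelta(minutes=10), min_users=5, max_success_ratio=0.2):
    """Flag source IPs that hit many distinct usernames in one window, mostly failing.

    Single-account brute force fails repeatedly on one user; stuffing cycles
    through many (user, password) pairs, so distinct usernames per source is
    the signal. Returns {ip: {"distinct_users": n, "attempts": m, "successes": [users]}}.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))

    flagged = {}
    for ip, evs in by_ip.items():
        for i, (start, _, _) in enumerate(evs):
            users, successes, attempts = set(), [], 0
            for ts, user, result in evs[i:]:
                if ts - start > window:
                    break
                attempts += 1
                users.add(user)
                if result == "SUCCESS":
                    successes.append(user)
            if len(users) >= min_users and len(successes) / attempts <= max_success_ratio:
                flagged[ip] = {"distinct_users": len(users), "attempts": attempts, "successes": successes}
                break  # the first triggering window is enough to report this source
    return flagged


def analyse(text):
    return find_stuffing(parse_log(text))


if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_users']} users tried, successes: {info['successes']}")
```

The accounts listed under "successes" are the ones to treat as compromised and reset first; the low success ratio is what separates stuffing from a legitimate shared gateway that many staff sign in through.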
The Password Reuse Problem
Research consistently finds that the majority of people reuse passwords across multiple accounts. This is understandable — the average person manages dozens of accounts, and remembering unique complex passwords for each is genuinely difficult without tooling.
But the consequence is that a breach of any one of those accounts potentially exposes all of them. The password used for a shopping website is too often the same password used for business email. A credential stolen five years ago in a breach you’ve forgotten about is still being tested against your accounts today.
What Good Password Practice Looks Like
Unique passwords for every account. This is non-negotiable for business accounts. No password should be shared between services.
A password manager. The practical solution to unique passwords is a password manager — software that generates, stores, and fills strong, unique passwords for every account. You only need to remember one master password, which must itself be long and unique, and the manager account should be protected with MFA. Good options include Bitwarden (free for individuals, low-cost for teams), 1Password, and Dashlane. Most integrate directly with browsers and mobile devices.
Strong passwords. A strong password is long (16+ characters) and generated at random; length and randomness matter far more than forcing a mix of character types. Password managers generate these automatically. Passphrases of four or more words picked at random from a large word list (not chosen by the user) are also effective, and far easier to type when a password has to be entered by hand.
No shared passwords between staff. Shared team passwords — the one everyone knows for the company social media account, or the shared admin login — are a significant risk. If a staff member leaves, that credential has to be treated as compromised and rotated, and while it is in use there is no way to tell which person did what with it. Use individual accounts wherever possible, and manage access through proper permission systems rather than shared credentials. Where a shared login is genuinely unavoidable, keep it in the password manager’s shared vault so it can be rotated centrally and its use tracked.
Monitoring for compromised credentials. Some security services monitor for your business email addresses appearing in new breach datasets, alerting you when credentials need to be changed. This is increasingly included in business security tooling, and Have I Been Pwned itself offers a domain search covering every address at your domain once you have proved you control it.
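One check that fits alongside address monitoring is testing a password itself against Have I Been Pwned’s Pwned Passwords service when it is set or changed. The service uses a k-anonymity scheme: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and receives every known hash suffix starting with that prefix together with a breach count, so the full password never leaves the machine. The Python below is an added example, not code from the original article, from W3IT or from HIBP; the sample response body is constructed for offline testing and the counts in it are made up.

```python
"""Check a password against HIBP Pwned Passwords via its k-anonymity range API.

Added example, not from the original article or from HIBP. The protocol
(SHA-1 the password, send the first 5 hex chars, match the suffix locally)
is HIBP's documented scheme; SAMPLE_RESPONSE is constructed and its counts
are made up.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for a range response: "<35-char suffix>:<count>" per line.
# The first suffix is the real SHA-1 tail of "password"; the count is invented.
SAMPLE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E6F7E9B5B4C1C0A2D3E4F5A6B7C8D9E0F1:0
2A3B4C5D6E7F8091A2B3C4D5E6F708192A3:7
"""


def split_hash(password):
    """SHA-1 the password (HIBP's scheme) and split into 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body, suffix):
    """Return how often `suffix` appears in the range body (0 if absent or padding).

    Padded responses (requested via the Add-Padding header) include decoy
    suffixes with count 0, which this treats the same as 'not found'."""
    for line in body.splitlines():
        found, _, count = line.strip().partition(":")
        if found.upper() == suffix and count.isdigit():
            return int(count)
    return 0


def fetch_range(prefix, timeout=10):
    """Live lookup: only the 5-char prefix is ever sent to HIBP."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "example-password-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=fetch_range):
    """Times `password` appears in breaches known to HIBP (0 = never seen).

    `fetch` is injectable so the check can run offline against SAMPLE_RESPONSE."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix), suffix)


if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RESPONSE  # swap for fetch_range to query HIBP
    for pw in ("password", "rotate-thorax-umbrella-fjord"):
        print(f"{pw!r}: seen {pwned_count(pw, fetch=offline)} times")
```

In a real deployment this runs inside the password-change flow and rejects any candidate with a non-zero count; the password itself should never be logged, and the "Add-Padding" header is worth keeping so response sizes do not leak which prefix was queried to anyone watching the traffic.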
Combining Password Security with MFA
Strong, unique passwords and MFA together make account takeover far harder. A credential-stuffing attack that has your staff member’s email and an old password is stopped by MFA. A phishing attack that tricks someone into entering their current password is stopped by MFA in most cases, though a phishing page that relays the one-time code or push prompt in real time can still defeat SMS, authenticator-code and push-based MFA; phishing-resistant methods such as FIDO2 security keys and passkeys close that gap. The two controls complement each other.
What This Means for Your Business Today
The immediate action is to check whether your business email addresses appear in known breaches — Have I Been Pwned (haveibeenpwned.com) is free and reputable. If they do, change the affected passwords immediately, along with any other account where the same password was reused, and enable MFA on those accounts.
The medium-term action is to deploy a password manager across your business, establish a policy that business accounts use unique passwords, and ensure MFA is enabled on all critical systems.
W3IT includes password and credential security in our standard security review, including checking for known compromised credentials associated with your domain. It’s an area where small improvements make a significant difference to your overall security posture.