by graystevens 3283 days ago
Yup, completely agree with this. I know I've mentioned it on HN before, but credential stuffing is unfortunately common practice and is a huge reason not to reuse passwords - especially if they've been leaked.

We see credential stuffing attacks regularly - some from folks just trying their luck (using known tools and scripts such as Sentry-MBA). Others are a little more advanced and persistent, looking to gather information from successful logins which they can then re-sell on the various shifty marketplaces.

Sites that have monetary value are particularly high-value targets. If you have a site which reveals key personal information such as addresses and credit card info (last 4 etc.), these will likely be scraped. If you have a site that can order goods, successful accounts will be scraped to see if they have a valid and active card associated with them, allowing them to be sold for a higher price. If you have a site which collects points (think airlines or hotels), these too will be scraped and sorted, allowing them to market those with higher points for more cash.

Where possible, use 2FA, and always use a different password for each website. Password managers sometimes get a bad name, but they're much better than using the same password everywhere.
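The comment above describes the pattern a site operator sees during credential stuffing: one source hammering many different usernames with leaked password pairs, and a small fraction of those logins succeeding. The following is an added example (not code from the commenter or from any tool named above) of the detection logic a defender would run over authentication logs to spot that pattern and list the accounts that were successfully logged into from a flagged source, so they can be forced through a password reset or 2FA challenge. The log format, the sample lines, the threshold values and the IP addresses are all constructed assumptions for the example.

```python
"""Credential-stuffing detection over authentication log lines.

Added example; not part of the original comment. Assumes a constructed
log format: "<timestamp> ip=<addr> user=<name> result=<ok|fail>".
The heuristic: a single source address that tries many distinct usernames
with a high failure ratio is far more likely to be replaying leaked
credential pairs than to be a real user mistyping a password.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: 203.0.113.5 sprays eight different usernames and
# lands two; 198.51.100.7 is a normal user who mistypes once, then succeeds.
SAMPLE_LOG = """\
2016-01-01T10:00:01 ip=203.0.113.5 user=alice result=fail
2016-01-01T10:00:02 ip=203.0.113.5 user=bob result=fail
2016-01-01T10:00:02 ip=203.0.113.5 user=carol result=ok
2016-01-01T10:00:03 ip=203.0.113.5 user=dave result=fail
2016-01-01T10:00:03 ip=203.0.113.5 user=erin result=fail
2016-01-01T10:00:04 ip=203.0.113.5 user=frank result=fail
2016-01-01T10:00:04 ip=203.0.113.5 user=grace result=ok
2016-01-01T10:00:05 ip=203.0.113.5 user=heidi result=fail
2016-01-01T10:01:00 ip=198.51.100.7 user=ivan result=fail
2016-01-01T10:01:05 ip=198.51.100.7 user=ivan result=ok
"""


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated while reading the log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct usernames tried
    successes: set = field(default_factory=set)  # usernames that logged in


def parse_line(line):
    """Turn one log line into (ip, user, succeeded). Timestamp is ignored."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return fields["ip"], fields["user"], fields["result"] == "ok"


def summarize(log_text):
    """Aggregate attempts, failures and usernames per source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.add(user)
        else:
            s.failures += 1
    return stats


def flag_stuffing_sources(stats, min_users=5, min_fail_ratio=0.6):
    """Return {ip: [compromised usernames]} for sources that look like stuffing.

    Thresholds are assumed values for the example; tune them against your
    own baseline of legitimate traffic before alerting on them.
    """
    flagged = {}
    for ip, s in stats.items():
        many_users = len(s.users) >= min_users
        mostly_failing = s.failures / s.attempts >= min_fail_ratio
        if many_users and mostly_failing:
            # Accounts that succeeded from a flagged source are the ones
            # to force through a password reset or step-up authentication.
            flagged[ip] = sorted(s.successes)
    return flagged


if __name__ == "__main__":
    for ip, accounts in flag_stuffing_sources(summarize(SAMPLE_LOG)).items():
        print(f"{ip}: likely credential stuffing; review accounts {accounts}")
```

Run on the sample, only 203.0.113.5 is flagged (8 distinct usernames, 6 of 8 attempts failed), with `carol` and `grace` listed as the accounts to act on; the single mistyped login from 198.51.100.7 is left alone. In production the same aggregation would be keyed by a sliding time window rather than the whole log, and the distinct-username count is the signal that separates stuffing from an ordinary brute force against one account.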