by iraklism 3160 days ago
We deal with this almost every week, as in, we get into systems by searching through email:password leaks and use them.

There are a number of mitigating controls that can be applied here. Most will hamper usability, some will not.

There is a “simple” solution. Enforce 2FA. If not at the login, then before “dangerous” actions (transfer funds, change password, buy X/Y/Z).


That's a simple solution from a security perspective. From a business perspective the most simple solution is guaranteeing that you'll cover all the damage customers might possibly suffer.
That was one of the ideas that we pitched to the CEO. Only sensitive actions would require 2FA. CEO shot it down, saying it would require too much work on the part of the customer.
Why not give customers the option to choose to enable it then?
The kind of customer that reuses passwords is probably the kind that won't enable 2FA if it's optional.
Sure, but then it's on them rather than you.
Users will go through the work if you incentivize the behavior.