This is the misunderstanding attackers can exploit. Credentials need to be reissued because people lose them occasionally. So that process now becomes a pathway for exploits.
No - that process _remains_ a pathway for exploits against the particular website being targeted. The process does not open new pathways for transferring exploits from one site to another - on the contrary, such exploits are made more difficult by the separation of credentials.