Your Accounts & Passwords

Most account takeovers do not involve sophisticated hacking. They involve one reused password from a breach that happened years ago. Fixing accounts is simpler than most people expect.


The Domino

Riya used the same password for her email, her Instagram, and a recipe website she joined in 2018.

In 2022, that recipe site was breached. The breach was not publicised. Her credentials were sold in a package of 400,000 other accounts for Rs 200.

Nothing happened for 18 months. Then, in 2024, someone tested her email and password on Instagram. It worked. They logged in, changed the recovery details, and began using her account to promote a crypto scheme to her 4,000 followers.

By the time she noticed, the damage was done. Her followers had already seen the posts. Instagram took 11 days to restore access.

The recipe site breach was the domino. Instagram was what fell.


What Is Actually Happening: Credential Exposure

24B+

More than 24 billion username and password combinations were available for sale on dark web markets in 2024.

Credential stuffing attacks test these pairs against every major platform automatically.

Source: SpyCloud Annual Credential Exposure Report, 2024

Reuse

65% Reuse Passwords Across Sites

Nearly 2 in 3 people use the same password across multiple accounts. One breach exposes all of them.

Source: Google-Harris Poll Security Survey, 2024

2FA Impact

2FA Stops 99.9% of Automated Attacks

Even if your password is compromised, a second factor blocks the vast majority of automated credential stuffing and brute force attacks.

Source: Microsoft Security Intelligence Report, 2024

SMS 2FA

SMS Codes Can Be Intercepted

SMS 2FA is significantly better than no 2FA. But SIM swap attacks can redirect your texts to an attacker's phone. Authenticator apps are safer.

Source: CISA Authentication Best Practices, 2024

Dormant Accounts

Unused Accounts Are Active Attack Targets

Accounts you no longer monitor are regularly targeted by credential stuffing. A compromised dormant account gives attackers a foothold in your identity without triggering any alert.

Source: SpyCloud Account Takeover Report, 2025

How to Actually Use a Password Manager

A password manager stores and generates unique, random passwords for every account. You remember one master password. The manager handles the rest.

Which one to use: Bitwarden is free and open-source. 1Password and Dashlane are strong paid options. All major options are significantly more secure than any human-created password system.

How to start today:

  1. Install the browser extension and phone app.
  2. Import any saved passwords from your browser.
  3. Start with your most critical account - your primary email.
  4. As you log into other accounts over the next two weeks, let the manager generate a new password each time.
  5. You do not need to change everything at once.

The key habit: never type a password manually again. If you are typing it, the manager is not doing its job.


SMS vs Authenticator App: The Difference That Matters

Both provide a second factor. They are not equally secure.

SMS codes arrive via text message. If your SIM is swapped or your carrier is compromised, an attacker receives your codes.

Authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) generate codes locally on your device. They do not travel over the mobile network. A SIM swap does not affect them.

The upgrade from SMS to an authenticator app takes about 5 minutes per account. For banking and email, it is worth doing.


Recognising a Compromised Account

Signs your account may already be compromised:

  • Login notification from a location or device you do not recognise.
  • Password reset email you did not request.
  • Contacts receiving messages you did not send.
  • Account recovery information (email or phone) has changed.
  • You are suddenly logged out of a session.

If you see any of these: change the password immediately, review active sessions, and enable or update your 2FA before anything else.


Cleaning Up Third-Party App Access

Over time, apps and services accumulate access to your accounts through "Sign in with Google" or similar. Most people have dozens of forgotten connections.

To audit them:

  • Google: myaccount.google.com > Security > Third-party apps with account access
  • Apple: Settings > [your name] > Password & Security > Apps Using Apple ID
  • Facebook: Settings > Security > Apps and Websites

Remove access for any app you no longer use or do not recognise.


Try It: Account Security Scorer

Pick an account type - email, banking, or social media. Rate it across 6 security factors and get your takeover resistance score.


What That Just Showed You

1. Your email account is the master key. Password resets for every other account are sent to your email. If email is compromised, every linked account is at risk. Secure email first.

2. Unique passwords are the highest-leverage change. A password manager that generates a unique password for each account eliminates credential stuffing as an attack vector entirely.

3. Third-party app access accumulates invisibly. Every forgotten connected app is a potential entry point. Review and revoke quarterly.

4. Dormant accounts carry active risk. If you are not going to use an account, delete it. A closed account cannot be taken over.


Three Things Worth Doing

1. Install a password manager and start with your email account. Bitwarden is free. Generate a new strong password for your primary email. Enable its 2FA with an authenticator app. This single action significantly raises your baseline security.

2. Switch your banking 2FA from SMS to an authenticator app. Log into your banking app, go to security settings, and look for the option to add an authenticator app. Remove SMS as the primary 2FA method once done.

3. Delete three accounts you no longer use. Search your inbox for "verify your email" or "welcome to" messages from services you no longer remember. Delete those accounts directly. Fewer accounts means a smaller attack surface.


One Question Before You Continue

Knowledge Check

Riya's Instagram was compromised 18 months after the recipe site breach. Why did the attack work so long after the original breach?