Can a scammer get into my accounts using old passwords from a data breach?
Yes — credential stuffing attacks automatically test leaked username-password pairs against hundreds of sites, so any account where you reused a breached password is at risk.
Last reviewed: 10 June 2026
Explanation
Every time a major data breach occurs, the leaked email-and-password combinations are tested against banking sites, email providers, retail platforms, and countless other services using automated tools. This is called credential stuffing, and it operates at industrial scale — millions of combinations can be tested per hour. The success rate is low in percentage terms, but because leaked credential databases contain hundreds of millions of entries, even a fraction of one percent represents a large number of compromised accounts.
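From the service operator's side, the pattern described above (one source rapidly trying many different usernames, almost all of them failing) is what distinguishes credential stuffing from a legitimate user mistyping their own password. The script below is an added example, not code from this page's author; the log format, the sample log lines and the thresholds are all constructed for illustration and should be adapted to real logs.

```python
"""Flag credential-stuffing sources in an authentication log.

Added example. Log format assumed: "<ISO timestamp> <source IP> <username> <SUCCESS|FAIL>".
The sample lines and the thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). 203.0.113.7 sprays ten different
# accounts in a few seconds; 198.51.100.20 is one user retrying their own login.
SAMPLE_LOG = """\
2026-06-10T09:00:01 203.0.113.7 alice FAIL
2026-06-10T09:00:02 203.0.113.7 bob FAIL
2026-06-10T09:00:02 203.0.113.7 carol FAIL
2026-06-10T09:00:03 203.0.113.7 dave FAIL
2026-06-10T09:00:03 203.0.113.7 erin SUCCESS
2026-06-10T09:00:04 203.0.113.7 frank FAIL
2026-06-10T09:00:05 203.0.113.7 grace FAIL
2026-06-10T09:00:06 203.0.113.7 heidi FAIL
2026-06-10T09:00:06 203.0.113.7 ivan FAIL
2026-06-10T09:00:07 203.0.113.7 judy FAIL
2026-06-10T09:05:00 198.51.100.20 alice FAIL
2026-06-10T09:05:30 198.51.100.20 alice FAIL
2026-06-10T09:06:00 198.51.100.20 alice SUCCESS
2026-06-10T09:10:00 192.0.2.44 bob SUCCESS
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, username, succeeded) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        events.append((when, ip, user, result == "SUCCESS"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_distinct_users=5, max_success_ratio=0.2):
    """Return {ip: summary} for sources that hit many distinct accounts, mostly failing,
    within any `window`-long span. A forgetful user hits one username repeatedly;
    a stuffing tool walks through a leaked list of many different usernames."""
    by_ip = defaultdict(list)
    for when, ip, user, ok in events:
        by_ip[ip].append((when, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        best = None
        start = 0
        for end in range(len(attempts)):  # sliding time window over sorted attempts
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            if len(users) >= min_distinct_users and successes / len(span) <= max_success_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "attempts": len(span),
                        "distinct_users": len(users),
                        # accounts that accepted a stuffed credential: these need a forced reset
                        "compromised": sorted(u for _, u, ok in span if ok),
                    }
        if best:
            flagged[ip] = best
    return flagged


def report(text=SAMPLE_LOG):
    """Convenience wrapper: parse the log and return the flagged sources."""
    return find_stuffing_sources(parse_log(text))


if __name__ == "__main__":
    for ip, summary in report().items():
        print(ip, summary)
```

The "compromised" list is the important output: those are the accounts on which a reused, breached password actually worked, and they are the ones to force-reset and review, exactly as the page's "What to do now" steps describe from the user's side.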
The key vulnerability is password reuse. If you used the same password on a breached site as you use on your bank, your bank is now exposed even though the bank itself was never breached. Even minor variations, such as adding a number or exclamation mark at the end, are routinely anticipated by the variation rules built into cracking and stuffing tools.
Reusing passwords is understandable — humans cannot memorise dozens of unique random strings. That is exactly what password managers are designed to solve. They generate and store unique, complex passwords for every site so you only need to remember one master password. Major reputable options include Bitwarden (open source, free tier), 1Password, and the built-in managers in Chrome, Safari, and Firefox.
If you discover through breach notifications or account activity alerts that a credential stuffing attempt succeeded, change the affected password, check for any changes made to the account during the intrusion window, and look for new authorised devices or apps connected to the account.
Common red flags
- Login alerts from unfamiliar locations on accounts you haven't used recently
- A password manager or your browser warns you that a saved password appeared in a breach
- haveibeenpwned.com shows your email paired with a specific password in a breach
- You cannot log in to an account even though you know your password — someone may have changed it
- You receive OTP codes for accounts you weren't trying to access
What to do now
- Start using a password manager and replace all reused passwords with unique generated ones
- Check haveibeenpwned.com for your email addresses to see what has been leaked
- Change the password on any account where you used a password known to be in a breach
- Enable two-factor authentication on every account that supports it
- Review recent account activity for accounts that used reused passwords
- Set up breach monitoring alerts (offered by haveibeenpwned.com and many password managers)
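The breach warnings mentioned above (a password manager flagging a saved password, or haveibeenpwned.com matching a password) are built on a privacy-preserving lookup: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to the Pwned Passwords range endpoint, and compares the returned suffixes locally, so the password itself never leaves the device. The code below is an added example, not code from haveibeenpwned.com or any password manager; the live fetcher uses the real `https://api.pwnedpasswords.com/range/` endpoint, while `fetch_range_fake` and its tiny breach corpus are constructed stand-ins so the check runs offline.

```python
"""k-anonymity breach check for a password, as used by Pwned Passwords clients.

Added example (not the service's own code). Only the 5-character SHA-1 prefix
is ever sent; the remaining 35 characters are matched locally.
"""
import hashlib
from urllib.request import Request, urlopen

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Return (first 5 hex chars, remaining 35 hex chars) of the uppercase SHA-1 hash."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, ignoring padding entries (count 0)
    that the service adds when the Add-Padding header is sent."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        try:
            n = int(count)
        except ValueError:
            continue
        if n > 0:
            counts[suffix.strip().upper()] = n
    return counts


def breach_count(password, fetch_range):
    """Return how many times `password` appears in the corpus behind `fetch_range`.

    `fetch_range(prefix)` returns the raw response text for a 5-character prefix.
    The suffix comparison happens here, on the client, never on the server.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix):
    """Query the real Pwned Passwords range endpoint (needs network access)."""
    req = Request(PWNED_RANGE_URL + prefix,
                  headers={"Add-Padding": "true", "User-Agent": "k-anonymity-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the service. Passwords and counts are made up.
_FAKE_CORPUS = {"password123": 123456, "letmein!": 9876, "Summer2024": 321}


def fetch_range_fake(prefix):
    """Mimic the service: emit 'SUFFIX:COUNT' for every corpus hash under `prefix`,
    plus one zero-count padding line, as the real API does with Add-Padding."""
    lines = []
    for pw, n in _FAKE_CORPUS.items():
        p, s = sha1_prefix_suffix(pw)
        if p == prefix:
            lines.append(f"{s}:{n}")
    lines.append("F" * 35 + ":0")  # padding entry; the client must ignore it
    return "\r\n".join(lines)


if __name__ == "__main__":
    for candidate in ("password123", "correct horse battery staple"):
        n = breach_count(candidate, fetch_range_fake)
        print(f"{candidate!r}: seen {n} times" if n else f"{candidate!r}: not in corpus")
```

To check against the real corpus, pass `fetch_range_live` instead of `fetch_range_fake`; the function signature is the same, and a non-zero count means the password is known to attackers and should be replaced everywhere it was used.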
Frequently asked questions
How old does a breach need to be before I can stop worrying about the leaked password?
If you're still using the leaked password anywhere, the age of the breach doesn't matter — change it now. If you changed the password after the breach was disclosed, you are protected on that site.
Will two-factor authentication protect me from credential stuffing?
Yes, effectively. Even with the correct password, an attacker will be blocked by the second factor they don't have. This is one of the strongest reasons to enable 2FA on every account.