Watch out: My "temporary" password system bit me after 2 years

I used to reuse the same core password with just a different number at the end for every site. Thought I was being clever until my email got hacked last month and they got into my PayPal in under 5 minutes. What tipped me off was seeing a login attempt from a city 3 states away at 4am on a Tuesday. Has anyone else had their lazy password habits come back to haunt them in a scary way?
3 comments

claire_grant34
My buddy Mike reused the same password for years and woke up one morning to find someone had ordered 4 pizzas to an address in Florida using his DoorDash account. The worst part was he didn't even catch it until his bank called him about the fraud alert.
2
jamesf29 1mo ago
Did you check if that 4am login came from a real coffee shop IP or a VPN like Mullvad? Most people don't realize credential stuffing bots use cheap residential proxies to look like normal addresses, so the city info can be fake. The real scary part is how long they sit on credentials before using them.
1
kim_ramirez3
Wait, they really sit on stolen credentials that long before using them? I always assumed they acted right away, but this seriously changes how I think about those suspicious login alerts.
2