Password Reuse and Email Risks

This cluster covers the risks of reusing passwords across sites and of compromised email accounts, both of which let attackers trigger password resets, perform credential stuffing, or take over multiple services. Users discuss real incidents, breaches like those listed on Have I Been Pwned, and mitigations such as unique passwords and email aliases.

📉 Falling 0.4x Security
Comments: 4,442
Years Active: 20
Top Authors: 5
Topic ID: #6663

Activity Over Time

2007: 6
2008: 37
2009: 99
2010: 153
2011: 242
2012: 278
2013: 356
2014: 298
2015: 151
2016: 305
2017: 243
2018: 280
2019: 293
2020: 273
2021: 278
2022: 421
2023: 241
2024: 232
2025: 237
2026: 19

Keywords

AM yahoo.co RocketMail HN FAIL POP example.com domain.tld yahoo.com example.org password email accounts account passwords email address compromised address use password gmail

Sample Comments

Tichy Jun 9, 2011

What if somebody triggers password recoveries on all important sites using your email address?

axpy906 Oct 6, 2021

Pretty much this. If they gain one email/username and password combination, they can use it elsewhere.

fhdkweig Oct 16, 2025

I've heard of users using a similar trick on email addresses for the purpose of finding out which site leaked their information in the future. At least now you know which sites have bad security with passwords.

vehementi Jan 29, 2014

Doesn't this mean your email account is compromised?

ironchef May 8, 2016

The main issue isn't that Gmail or whatnot has been breached. It's that lots of users tend to reuse passwords. So... once they know you signed up using [email protected] to service Alpha (and they have that password), then they start trying all of the common services to see where else [email protected] might have used that password or a slight variant (Dropbox, etc.)

sampsonjs Jul 18, 2014

Worst possibility is folks' emails are now targets, and there's enough info to get past password reset questions.

Millennium Mar 21, 2013

It's quite realistic. Or rather, the possibility that SendGrid's official Facebook, Twitter, blog, and status site all use the same password is quite realistic, and if that's the case then you only have to compromise one site to get them all.

simonw Mar 27, 2008

I don't see your point. If I steal the password for your e-mail somehow, I can access your inbox (through webmail or POP or whatever) and then use "I forgot my password" on sites you use to steal your accounts there. If you use webmail and don't delete your e-mail I can search through your inbox to figure out what those sites are. Seems like a pretty serious single point of failure to me.

n2h4 Jan 9, 2026

What I noticed from you and a couple of other similar stories in this thread is that the same email is used at multiple places. Have you looked into email aliases like simplelogin, anonaddy, or anything of that sort? Or at the very least, the basic [email protected]? This lets you know at least which thing was compromised. Of course, I don't recommend doing the same for important services like your banking accounts, but for the vast majority, having an alias would be enough. a

vachina Jan 19, 2023

I wonder how many pwned email and password pairs still match. Crooks can take control of these pwned accounts and pretend to be trustworthy.