The 23andMe Breach Wasn’t a Breach

by James Cavenaugh

May 6, 2026

James Cavenaugh has spent over 20 years helping businesses untangle IT chaos and turn it into a strategic advantage as a business IT and cybersecurity consultant. As the founder of CSM Systems, he brings deep industry experience and a no-nonsense approach to solving complex problems. When your project is stuck or your IT isn’t working for you, James is the one who gets it moving.

In October 2023, 23andMe disclosed that attackers had accessed customer data; an SEC filing that December put the number of affected people at about 6.9 million. The word “breach” got used a lot in the coverage. It’s not really the right word, and 23andMe pushed back on it. Their systems weren’t hacked. Their users’ passwords had been reused on other sites that did get hacked, and attackers simply logged in with them.

This matters to your law firm or CPA practice because the attack technique, called credential stuffing, works against every service your employees log into. And the weak link isn’t your IT or your training. The weak link is that your employees use the same password in multiple places.

Credential stuffing is mechanical. On dark-web markets and ordinary forums there are combolists: collections of billions of username-and-password pairs harvested from breaches going back to at least LinkedIn in 2012. LinkedIn, Yahoo, Adobe, Dropbox, MyFitnessPal, on and on. Many of those sites stored passwords with hashing weak enough that the bulk were cracked, so what circulates is plaintext. Have I Been Pwned runs a service that lets you check whether an email address has shown up in any of these, and the answer for almost every adult is yes, multiple times.

Attackers take those credentials and just run them against other sites. They try your LinkedIn password on Gmail. They try your Yahoo password on your bank. They try your Dropbox password on Microsoft 365. If you used the same password anywhere else, the attacker gets in without doing anything creative.
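Have I Been Pwned also publishes the Pwned Passwords corpus, which lets a firm test whether a password is already on the lists the attackers are running, without sending the password anywhere. The following is an added example (not code from the article or from Have I Been Pwned) of the k-anonymity range lookup: hash the password with SHA-1, send only the first five hex characters, and compare the returned suffixes locally. The range response in `SAMPLE_RANGES`, the count, and the second suffix are constructed for the example; only the suffix completing the SHA-1 of “password” is real.

```python
"""Pwned Passwords range check (k-anonymity), added example.

The Pwned Passwords API takes only the first five hex characters of a
password's SHA-1 hash (GET https://api.pwnedpasswords.com/range/<prefix>)
and returns every hash suffix in that range with a breach count, so the
full hash never leaves the client. The range body below is CONSTRUCTED;
a real range holds hundreds of suffixes.
"""
import hashlib
import urllib.request
from typing import Callable

# Constructed stand-in for the API response for prefix 5BAA6. The first
# suffix completes the SHA-1 of "password"; its count is illustrative.
# The second suffix is made up. The zero-count line mimics the padding
# lines the API adds when the Add-Padding header is sent.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\n"
        "003D68EB55068C33ACE09247EE4C639306B:3\n"
        + "0" * 34 + "A:0\n"
    ),
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix sent to the API, 35-char suffix kept local)."""
    h = sha1_hex(password)
    return h[:5], h[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; padding lines (count 0) are dropped."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for the HTTP call; unknown prefixes give an empty range."""
    return SAMPLE_RANGES.get(prefix, "")


def live_fetch_range(prefix: str) -> str:
    """Real lookup (not used by the offline run). Add-Padding hides the
    true range size from anyone watching the connection."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = fake_fetch_range) -> int:
    """Times the password appears in the corpus; 0 means not seen."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        n = breach_count(pw)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in sample corpus'}")
```

To run it against the real corpus, pass `live_fetch_range` as `fetch_range`. The point of the design is that the server only ever sees a prefix shared by hundreds of hashes, so it cannot learn which password was checked; NIST SP 800-63B recommends exactly this kind of blocklist check when a user sets a password.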

The 23andMe case was exactly this. About 14,000 accounts fell to credential stuffing directly. But 23andMe has an opt-in feature, DNA Relatives, that links users to their genetic matches. Once the attackers were in those accounts, they scraped the profile data of everyone those users were matched with. That is how roughly 14,000 compromised accounts turned into data on 6.9 million people.

Your firm has the same exposure

Every employee at your firm almost certainly has at least one personal account that’s been in a data breach. Yahoo alone lost 3 billion accounts. Collectively, the data breaches of the last decade have leaked passwords for effectively everyone.

If the password your paralegal used on her Yahoo account in 2013 is also the password on her Microsoft 365 account at your firm, an attacker doesn’t need to phish her. They don’t need to break anything. They just run a list.

This is the least exciting attack vector in cybersecurity. No malware. No clever social engineering. A script, a list of stolen passwords, and patience.

What it’s not is rare. Akamai’s State of the Internet reports consistently show tens of billions of credential-stuffing attempts per year against websites they monitor. Financial services and professional services sites get hammered.
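That volume has a signature in your own sign-in logs: one source address working through many different usernames, almost all failing, and the occasional success where a reused password happened to work. The following is an added example (not code from the article) of that detection over a constructed, simplified sign-in log; the column layout, the IP addresses, the usernames and the thresholds (`min_distinct_users`, `min_failure_ratio`) are assumptions for the example, not any vendor’s real log format.

```python
"""Flag credential-stuffing traffic in sign-in logs, added example.

SAMPLE_LOG is CONSTRUCTED to look like a simplified export from an
identity provider's sign-in log: timestamp, user, source IP, result.
Rule: a source IP that tries many distinct accounts with nearly all
attempts failing is running a list. Any account that succeeded from
such an IP reused a breached password and needs a reset.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass, field

SAMPLE_LOG = """timestamp,user,ip,result
2024-03-04T02:10:01Z,alice@firm.example,203.0.113.9,failure
2024-03-04T02:10:02Z,bob@firm.example,203.0.113.9,failure
2024-03-04T02:10:02Z,carol@firm.example,203.0.113.9,failure
2024-03-04T02:10:03Z,dpatel@firm.example,203.0.113.9,success
2024-03-04T02:10:03Z,erin@firm.example,203.0.113.9,failure
2024-03-04T02:10:04Z,frank@firm.example,203.0.113.9,failure
2024-03-04T02:10:04Z,grace@firm.example,203.0.113.9,failure
2024-03-04T02:10:05Z,heidi@firm.example,203.0.113.9,failure
2024-03-04T02:10:05Z,ivan@firm.example,203.0.113.9,failure
2024-03-04T02:10:06Z,judy@firm.example,203.0.113.9,failure
2024-03-04T02:10:06Z,mallory@firm.example,203.0.113.9,failure
2024-03-04T02:10:07Z,niaj@firm.example,203.0.113.9,failure
2024-03-04T08:58:10Z,alice@firm.example,198.51.100.20,success
2024-03-04T08:59:42Z,bob@firm.example,198.51.100.20,success
2024-03-04T09:01:05Z,carol@firm.example,198.51.100.20,failure
2024-03-04T09:01:19Z,carol@firm.example,198.51.100.20,success
2024-03-04T09:03:33Z,erin@firm.example,198.51.100.20,success
2024-03-04T09:07:48Z,frank@firm.example,198.51.100.20,success
2024-03-04T09:12:02Z,grace@firm.example,198.51.100.20,success
2024-03-04T21:30:11Z,dpatel@firm.example,192.0.2.77,failure
2024-03-04T21:30:25Z,dpatel@firm.example,192.0.2.77,failure
2024-03-04T21:30:40Z,dpatel@firm.example,192.0.2.77,success
"""


@dataclass
class IpStats:
    """Per-source-IP counters over the log."""
    users: set = field(default_factory=set)
    failures: int = 0
    successes: int = 0
    succeeded_users: set = field(default_factory=set)

    @property
    def attempts(self) -> int:
        return self.failures + self.successes

    @property
    def failure_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_log(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def stats_by_ip(events: list[dict]) -> dict[str, IpStats]:
    stats: dict[str, IpStats] = defaultdict(IpStats)
    for e in events:
        s = stats[e["ip"]]
        s.users.add(e["user"])
        if e["result"] == "success":
            s.successes += 1
            s.succeeded_users.add(e["user"])
        else:
            s.failures += 1
    return stats


def flag_stuffing_ips(stats: dict[str, IpStats],
                      min_distinct_users: int = 10,
                      min_failure_ratio: float = 0.8) -> set[str]:
    """Many distinct targets plus a high failure rate is a list being run.
    The office NAT address also serves many users but mostly succeeds,
    so the failure-ratio test keeps it out; one user fat-fingering a
    password from home never reaches the distinct-user threshold."""
    return {ip for ip, s in stats.items()
            if len(s.users) >= min_distinct_users
            and s.failure_ratio >= min_failure_ratio}


def accounts_to_reset(stats: dict[str, IpStats], flagged: set[str]) -> set[str]:
    """Accounts that logged in successfully from a flagged source."""
    return {u for ip in flagged for u in stats[ip].succeeded_users}


if __name__ == "__main__":
    st = stats_by_ip(parse_log(SAMPLE_LOG))
    bad = flag_stuffing_ips(st)
    print("stuffing sources:", sorted(bad))
    print("reset these accounts:", sorted(accounts_to_reset(st, bad)))
```

In a real tenant the same counters are kept per sliding time window, and attackers rotate through residential proxies to stay under per-IP thresholds, so production rules also group by ASN, user agent and TLS fingerprint. The one thing the rule cannot hide is the success-after-a-run-of-failures pattern on the account that reused its password, which is why that account, not just the source address, is the thing to act on.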

The fix is two things, stacked. First, MFA on every account, no exceptions. Second, a password manager that generates unique passwords for every site.

MFA catches most credential stuffing directly. Even if the attacker has your password, the login fails at the second factor, and the attack becomes pointless. The caveat is that SMS codes and push prompts can still be phished or worn down by repeated prompts, so prefer an authenticator app or, better, a hardware key or passkey, and have the tenant configured so MFA cannot be skipped for anyone.

The password manager fixes the root cause. Every site gets a unique, randomly generated password. When a site gets breached, and they all eventually do, that password is useless anywhere else. The breach is contained to that one service. The vault itself becomes the one thing worth stealing, so the master password has to be long and used nowhere else, and the manager account gets MFA like everything else.

This feels like an obvious thing to say. Password managers have existed for twenty years. Every major vendor and every security organization, CISA, NIST, the FBI, recommends them. The 1Password, Bitwarden, Dashlane and Keeper tier of products are all cheap and well-designed. Microsoft Edge, which ships with Windows, has a password manager built in. Every iPhone includes iCloud Keychain. None of this is expensive or hard.

And yet, the typical small firm has no password manager in place and no policy requiring unique passwords. People are still writing passwords on sticky notes. They’re still using the firm name plus the year as their login password. They’re still using the same password at work that they use on their Netflix account.

The FBI’s Internet Crime Report keeps logging incidents where the initial access was “credential stuffing” or “password spray” or “reused credentials.” These aren’t sophisticated attacks. They’re the opposite of sophisticated. They’re automated, they’re cheap to run, and they work because humans reuse passwords.

The actually hard conversation

The part that makes this hard in a law firm or CPA practice isn’t the technology. It’s telling the partners that the password they’ve been using for fifteen years needs to change, and they need to start using a manager, and they can’t just use their wife’s name plus their anniversary for any account, not even once, not even for the “low-priority” ones.

Partners hate this conversation. They’ve been typing their password a thousand times a year since 2009 and nothing bad has happened. They resist anything that feels like extra friction. They’ll tell you their password is “unbreakable” because it has a number and a capital letter.

Troy Hunt, who runs Have I Been Pwned, has a line that I keep coming back to. The only secure password is the one you can’t remember. If you can remember it, it’s probably a weak password, and you’re probably using it in more than one place.

A password manager removes memory from the equation. You remember one strong master password. The manager handles everything else. The first week of using one is awkward. After that, it’s faster than typing passwords by hand.

The 23andMe users who lost their data didn’t pick bad passwords. They picked passwords that were fine in 2013. They just used them again later. Everyone does that. That’s why credential stuffing works.

Your firm’s passwords are probably on a list somewhere right now. The question is whether MFA and a password manager are in place before someone runs that list against your logins.