In 2010 I purchased items from an online store called Pooleys.
It soon became apparent they had a security issue, as I started to receive spam at the unique e-mail address assigned to them. Troy Hunt’s amazing haveibeenpwned.com site also confirms the e-mail address is present in “Exploit.In” and “Collection #1”.
Yesterday my e-mail servers detected six separate login attempts using that e-mail address and the actual password I used on the Pooleys website. It’s incredible to think that people would still be using the same password for fourteen years or more. The hackers must have some success, so I expect some people don’t change their passwords often, or at all.
The age-old lesson here for end users is to never re-use your password. Use a different password for every account you have.
For the developers, well, where do you even start?