The long life of an old leaked password

From Anières

Old breaches are not old. They are still in circulation, still being matched against current logins.

Almost everyone is in a breach. That fact is boring and mostly not the point. The interesting question is whether the password used then still resembles the password used now, whether the email used then is still anchoring active services, and whether the recovery surface for those services still resolves to numbers and addresses the person currently controls. The breach itself has a news cycle. The credential outlives it by a decade.

We do not test credentials; testing them would be unlawful and is not the work. What we do is map the surface: which emails, which phone numbers, which recovery handles, across which services, are still anchoring an identity. From the map we infer the cost of a rotation. For some people the cost is two hours and a password manager. For others, it is a months-long migration because their professional life is wired into addresses they have not controlled cleanly in years.

The second pattern is more common in older people who built their footprint when switching email providers was a chore and who have never cleaned it up. It is also common in people whose company email was used personally and whose company changed hands. Inherited inboxes are a surface few people audit.
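The mapping described above, and the inherited-inbox and recycled-number patterns, can be modelled without ever touching a credential: handles (addresses and numbers) with a flag for whether the person still holds them, services anchored to those handles, and a walk of each recovery chain to see where it ends. The following is an added example and not Anières' own tooling; every handle, service and "controlled" flag in it is constructed, and the cost classes at the end are an illustrative threshold, not the firm's method.

```python
"""Exposure-map model (added example; constructed data throughout).

Answers, per service: can the person still receive a reset for it, does any
handle in its recovery chain belong to somebody else, and does an old breached
pair still need rotating?  Nothing here contacts a service or tests a login.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Handle:
    """An address or number that can receive a reset message."""
    ident: str
    controlled: bool                  # does the person hold it today?
    recovery: Tuple[str, ...] = ()    # handles that can reset *this* mailbox/number


@dataclass(frozen=True)
class Service:
    name: str
    login: str                        # handle used to sign in
    recovery: Tuple[str, ...] = ()    # handles registered for account recovery
    seen_in_breach: bool = False      # the old login+password pair is in a dump


def uncontrolled_in_chain(ident: str, handles: Dict[str, Handle],
                          seen: Optional[Set[str]] = None) -> Set[str]:
    """Every handle in ident's transitive recovery chain (ident included) that
    the person does not control.  A handle nobody mapped counts as
    uncontrolled: an unknown resetter is exactly the exposure being looked for.
    `seen` stops recovery loops (mailbox A resets B, B resets A)."""
    seen = set() if seen is None else seen
    if ident in seen:
        return set()
    seen.add(ident)
    h = handles.get(ident)
    if h is None:
        return {ident}
    found = set() if h.controlled else {ident}
    for r in h.recovery:
        found |= uncontrolled_in_chain(r, handles, seen)
    return found


def classify(svc: Service, handles: Dict[str, Handle]) -> Tuple[str, Set[str]]:
    """Bucket one service by what a rotation would have to touch."""
    login = handles.get(svc.login)
    if login is None or not login.controlled:
        return "orphaned", {svc.login}          # cannot receive a reset: migrate
    exposed: Set[str] = set()
    for r in (svc.login,) + svc.recovery:       # the login mailbox has its own chain
        exposed |= uncontrolled_in_chain(r, handles)
    if exposed:
        return "exposed_recovery", exposed      # someone else can reset it: fix recovery
    if svc.seen_in_breach:
        return "rotate_password", set()         # the old pair may still match
    return "clean", set()


def exposure_map(services: Iterable[Service], handles: Dict[str, Handle]):
    """service name -> (bucket, handles that are out of the person's hands)."""
    return {s.name: classify(s, handles) for s in services}


def rotation_cost(emap) -> Tuple[str, Dict[str, list]]:
    """Coarse cost class inferred from the map.  Constructed thresholds: one
    orphaned login already means a migration, not an afternoon."""
    buckets: Dict[str, list] = {}
    for name, (bucket, _) in emap.items():
        buckets.setdefault(bucket, []).append(name)
    if buckets.get("orphaned"):
        return "migration", buckets
    if buckets.get("exposed_recovery"):
        return "recovery_cleanup", buckets
    return "password_rotation", buckets


# Constructed footprint: a current mailbox with a clean chain, a recycled phone
# number, an inherited company inbox, and an ISP address abandoned years ago.
HANDLES = {h.ident: h for h in (
    Handle("me@mail.example", True, ("me.backup@mail.example", "+41-00-000-0001")),
    Handle("me.backup@mail.example", True, ("+41-00-000-0001",)),
    Handle("+41-00-000-0001", True),
    Handle("+41-00-000-0002", False),                           # number recycled by carrier
    Handle("jdoe@oldco.example", False, ("+41-00-000-0002",)),  # company changed hands
    Handle("jdoe@isp.example", False),                          # provider long abandoned
)}

SERVICES = (
    Service("bank", "me@mail.example", ("+41-00-000-0001",)),
    Service("social", "me@mail.example", (), seen_in_breach=True),
    Service("shop", "me@mail.example", ("+41-00-000-0002",), seen_in_breach=True),
    Service("payroll", "me@mail.example", ("jdoe@oldco.example",)),
    Service("forum-2012", "jdoe@isp.example", (), seen_in_breach=True),
)

if __name__ == "__main__":
    emap = exposure_map(SERVICES, HANDLES)
    for name, (bucket, bad) in emap.items():
        print(f"{name:12} {bucket:18} {sorted(bad)}")
    print("cost class:", rotation_cost(emap)[0])
```

The walk treats an unmapped handle as uncontrolled on purpose: a recovery address nobody can account for is the finding, not a gap in the data. The payroll entry shows why the chain is followed rather than checked one hop deep: the inherited company inbox is itself reset by a number the person no longer holds, so both appear in its exposure set.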

We surface the map without prescribing fixes. Fixes are a separate project, and rarely the one we are hired for. The map alone is often enough to move a client from "I know my passwords are fine" to "I need a week with somebody."

Written alongside work at Anières: exposure mapping, cross-reference, and standing-report systems for private clients.