Password reuse is a corporate risk
How data breaches at third-party services become a threat to corporate accounts.
Over the past few years, large-scale database breaches containing logins and passwords have become a regular occurrence. Compromises of major services result in millions of email-password combinations entering public circulation. At first glance, if a third-party service was breached, that is not the company's problem.
The problem lies elsewhere: people reuse passwords across services. An employee registered on some internet forum with their corporate email and used the same password as for their work account - and now that password is available to anyone who downloaded the breach database.
The attack where stolen credentials from one service are used against another is called credential stuffing. It does not require directly breaching the corporate system. It only requires finding matching pairs from leaked databases.
Why this is a management task
Asking people to "not reuse passwords" is not a solution. People do not memorise dozens of unique passwords. They use the ones they can remember.
This is an organisational task: create conditions where the correct behaviour - unique, complex passwords for each service - is physically possible and does not require heroic effort from the employee. That means providing tools and introducing technical controls.
Two tools that work
The first is password managers. If a company decides to deploy a corporate password manager, employees no longer need to remember unique passwords - only one master password. The manager generates and stores complex unique passwords for each service. This removes the psychological barrier and makes correct behaviour convenient.
The second is two-factor authentication. Even if a password is compromised, login without the second factor is impossible. For corporate systems, especially those accessible from the internet, this should be a standard, not an option.
What to do specifically
Inventory which corporate systems are accessible from the internet - and whether they have two-factor authentication. Corporate email, VPN, remote access systems, cloud services - this is the minimum list.
Check whether the company has a password policy and whether it is enforced technically - meaning the system requires a strong password rather than simply recommending one.
Evaluate whether a corporate password manager makes sense. For a team of 15 to 20 people, it already does.
When major public breaches happen, check whether any corporate addresses appear in them. Services exist that allow this check without exposing the actual passwords.
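Two of the steps above can be combined into one technical control: enforce the password policy at the moment a password is set, and reject any password that already appears in a public breach corpus, checked without sending the password itself. The example below is added here for illustration and is not from the original article or any particular product; the k-anonymity range lookup (send only the first five hex characters of the SHA-1, receive every suffix in that bucket, compare locally) is the scheme used by Have I Been Pwned's Pwned Passwords API, but the lookup here is a constructed offline stand-in built from a few sample passwords, and the length threshold is an assumed policy value.

```python
import hashlib

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the hash form the range lookup scheme works on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed sample corpus (password -> number of times seen in breaches).
# Hashes are computed locally so the example runs without network access;
# a real deployment would replace range_lookup() with an HTTP GET to the
# breach service's /range/<prefix> endpoint.
SAMPLE_BREACHED = {"password": 3730471, "Summer2024!": 812, "qwerty123": 55}

def range_lookup(prefix: str) -> str:
    """Simulated server side: every suffix in the bucket `prefix`, as
    'SUFFIX:COUNT' lines. The server never learns the full hash."""
    lines = []
    for pw, count in SAMPLE_BREACHED.items():
        h = sha1_hex(pw)
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:{count}")
    return "\r\n".join(lines)

def breach_count(password: str, lookup=range_lookup) -> int:
    """Client side: reveal only a 5-character prefix, match the suffix locally.
    Returns the breach count, or 0 if the password is not in the corpus."""
    full = sha1_hex(password)
    prefix, suffix = full[:5], full[5:]
    for line in lookup(prefix).splitlines():
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0

MIN_LENGTH = 12  # assumed policy value, not from the article

def validate_new_password(password: str) -> list[str]:
    """Technical enforcement of the policy: a list of reasons the password
    is rejected; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    hits = breach_count(password)
    if hits:
        problems.append(f"appears in breach corpus {hits} times")
    return problems
```

Wiring validate_new_password() into the account-creation and password-change paths turns "recommend a strong password" into "require one", which is the distinction the policy check above asks about.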
A real threat
Credential stuffing is not a theoretical threat. Automated tools can check millions of login-password pairs in a short time. A corporate email that matches a login in a leaked database becomes a target even though the attacker never singled out your company.
Protection from this does not require complex technical solutions. It requires an organisational decision - and the resources to implement it.