Most company employees reuse their corporate password on personal sites — and IT has no way to detect it until after a breach
An employee uses 'Company2024!' as their Active Directory password. They also use 'Company2024!' on their personal LinkedIn account, their kid's school portal, and a cooking recipe site. The recipe site gets breached (it was a WordPress site running a 3-year-old plugin), and the stolen credentials are published in a dark web dump. An attacker notices that the email address belongs to a corporate domain, tries the password against the company's VPN, and is in. The employee did not violate any policy: most companies require 'unique passwords' but cannot enforce that requirement on personal sites.

So what?

Credential stuffing (using passwords breached from one site to log into another) is the #1 initial access vector for corporate breaches, accounting for 80%+ of web application attacks (Verizon DBIR). The problem is not technical but behavioral. Companies can enforce password complexity on corporate systems but cannot control what employees do on personal sites. MFA on corporate systems helps, but it is bypassed 5-10% of the time via MFA fatigue attacks (repeated push notifications until the user approves one).

Why does this persist?

SSO and MFA protect corporate applications, but they do not protect the human who reuses passwords. Dark web monitoring services (SpyCloud, Have I Been Pwned) can detect when corporate email addresses appear in breaches, but they detect after the breach, not before the reuse. The root cause is that humans cannot remember 50+ unique passwords and will always take shortcuts. Password managers help, but corporate adoption is 30-40%, and even among users who have one, many still reuse their 'easy' password on low-stakes sites that never get saved to the manager.
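One control a defender can put in place is to refuse, at password-set time, any password that already appears in a breach corpus. The following is an added illustration, not code from the original post: it simulates offline the k-anonymity range exchange that Have I Been Pwned's Pwned Passwords service uses (only the first 5 hex characters of the SHA-1 leave the client), with a constructed breach corpus standing in for the server side; the corpus, its counts and the `password_allowed` policy are assumptions.

```python
import hashlib
from typing import Iterable


def sha1_hex(password: str) -> str:
    # Pwned Passwords is keyed on the uppercase hex SHA-1 of the raw password.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    # The client only ever transmits the 5-character prefix; the suffix stays local.
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def range_response(prefix: str, corpus: Iterable[tuple[str, int]]) -> str:
    """Server side (constructed stand-in for the real range endpoint):
    every corpus hash that shares `prefix` comes back as 'SUFFIX:COUNT'.
    The server never learns which suffix the client is interested in."""
    lines = []
    for breached_pw, count in corpus:
        digest = sha1_hex(breached_pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password: str, response: str) -> int:
    """Client side: find our own suffix in the returned range (0 = not seen)."""
    _, suffix = split_hash(password)
    for line in response.splitlines():
        known_suffix, _, count = line.strip().partition(":")
        if known_suffix.upper() == suffix:
            return int(count or 0)
    return 0


def password_allowed(password: str, corpus, min_length: int = 12) -> tuple[bool, str]:
    """Hypothetical set-time policy: reject short passwords and anything that
    already appears in the breach corpus (the check NIST SP 800-63B recommends)."""
    if len(password) < min_length:
        return False, "too short"
    prefix, _ = split_hash(password)
    hits = breach_count(password, range_response(prefix, corpus))
    if hits:
        return False, f"seen in {hits} breach records"
    return True, "ok"


# Constructed breach corpus (password, prevalence) standing in for the HIBP data set.
BREACHED_CORPUS = [("Company2024!", 3), ("password123", 120000), ("Summer2023", 418)]

if __name__ == "__main__":
    for candidate in ("Company2024!", "short", "a long and unbreached passphrase"):
        print(candidate, "->", password_allowed(candidate, BREACHED_CORPUS))
```

This catches a password only once it is already in a breach corpus; it cannot see the same password being reused on a personal site that has not leaked yet, which is exactly the gap the post describes.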
Evidence
Verizon DBIR 2024: 80%+ of web application attacks involve stolen credentials.
SpyCloud 2024 report: 61% of breached users reuse passwords across multiple sites.
Have I Been Pwned database: 12B+ breached records.
MFA bypass via fatigue attacks: documented in the Uber 2022 breach and the Cisco 2022 breach.
Corporate password manager adoption: ~35% per Gartner surveys.