Most people picture a hacker as someone hunched over a keyboard, manually guessing your password in a dark room. After thirty years in IT, I can tell you the reality is far more industrial, far more automated, and far less personal. The vast majority of account takeovers are not targeted at you specifically — you are simply one entry in a list of millions being processed by software. Understanding how that machine actually works is the fastest way to see where your own defences are weak.
This article walks through the real attack chain, step by step, the way it unfolds in practice. Once you can see the sequence, the right defences become obvious.
Step 1: Harvesting the raw material
Every attack needs raw material, and the supply is enormous. Billions of usernames, email addresses and passwords are already circulating, gathered from years of corporate data breaches. When a company gets breached, the stolen database often ends up traded or dumped publicly. These “combo lists” — email-and-password pairs by the million — are the fuel for everything that follows.
The important thing to grasp: the attacker rarely steals your password directly. They obtain a giant list, and your credentials are somewhere in it because a service you used years ago was compromised. You can check whether your email appears in known breaches using a reputable service like Have I Been Pwned. If it does, assume any password tied to it is public.
Step 2: Credential stuffing — the workhorse attack
Here is where most takeovers actually happen, and it is depressingly simple. Attackers take those leaked email-and-password pairs and use automated software to try them against hundreds of other popular websites — banks, email providers, shopping sites, streaming services — all at once.
The entire attack relies on one human habit: password reuse. If you used the same password on a hobby forum that got breached and on your email account, the forum breach just handed the attacker your email. The software doesn’t need to guess anything; it simply tries the known password on every site and waits for one to let it in.
This is why reuse is the single most dangerous thing you can do, far more dangerous than having a slightly-too-short password. A strong password reused across ten sites is only as safe as the weakest of those ten sites. You can see how a typical password holds up to direct attack with our password strength tester — but against credential stuffing, strength is beside the point. The only defence is a unique password per site.
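Credential stuffing has a recognisable shape in a site's own login logs: one source address walking through many different usernames, with almost every attempt failing and the occasional success where a reused password happened to match. The following added example (not from the original article, written here to illustrate the detection side) shows a small sliding-window detector over a constructed set of login events. The thresholds, the log format and the IP addresses are all assumptions; a real deployment would tune them to its traffic and combine them with other signals such as user-agent churn.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class AuthEvent(NamedTuple):
    ts: datetime
    src_ip: str
    user: str
    ok: bool


# Constructed sample of login events (not from any real system).
# Columns: ISO-8601 timestamp, source IP, username, result.
# 203.0.113.7  : stuffing pattern, many users, mostly failures, one hit
# 198.51.100.20: one person mistyping their own password, then succeeding
# 192.0.2.5    : an office NAT, many users but almost all successes
SAMPLE_LOG = """\
2026-03-01T10:00:01+00:00 203.0.113.7 alice@example.com FAIL
2026-03-01T10:00:02+00:00 203.0.113.7 bob@example.com FAIL
2026-03-01T10:00:03+00:00 203.0.113.7 carol@example.com FAIL
2026-03-01T10:00:04+00:00 203.0.113.7 dave@example.com FAIL
2026-03-01T10:00:05+00:00 203.0.113.7 erin@example.com OK
2026-03-01T10:00:06+00:00 203.0.113.7 frank@example.com FAIL
2026-03-01T10:00:07+00:00 203.0.113.7 grace@example.com FAIL
2026-03-01T10:00:08+00:00 203.0.113.7 heidi@example.com FAIL
2026-03-01T10:05:00+00:00 198.51.100.20 alice@example.com FAIL
2026-03-01T10:05:15+00:00 198.51.100.20 alice@example.com FAIL
2026-03-01T10:05:30+00:00 198.51.100.20 alice@example.com FAIL
2026-03-01T10:05:40+00:00 198.51.100.20 alice@example.com OK
2026-03-01T10:10:00+00:00 192.0.2.5 ivan@example.com OK
2026-03-01T10:10:05+00:00 192.0.2.5 judy@example.com OK
2026-03-01T10:10:09+00:00 192.0.2.5 mallory@example.com FAIL
2026-03-01T10:10:12+00:00 192.0.2.5 niaj@example.com OK
2026-03-01T10:10:20+00:00 192.0.2.5 olivia@example.com OK
2026-03-01T10:10:31+00:00 192.0.2.5 peggy@example.com OK
"""


def parse_line(line: str) -> AuthEvent:
    ts, ip, user, result = line.split()
    return AuthEvent(datetime.fromisoformat(ts), ip, user, result == "OK")


def detect_stuffing(lines: List[str], window: timedelta = timedelta(minutes=5),
                    min_distinct_users: int = 5, min_fail_ratio: float = 0.8) -> Dict[str, dict]:
    """Flag source IPs that, within any `window`, tried at least `min_distinct_users`
    different accounts with a failure ratio of at least `min_fail_ratio`.
    Returns, per flagged IP, the largest matching window and the accounts that
    were successfully logged into from it (candidates for a forced reset)."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    by_ip: Dict[str, List[AuthEvent]] = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    flagged: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            failures = sum(1 for e in win if not e.ok)
            if len(users) >= min_distinct_users and failures / len(win) >= min_fail_ratio:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        "failures": failures,
                        "compromised": sorted(e.user for e in win if e.ok),
                    }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The single-user retry and the office NAT both stay unflagged: the first never reaches the distinct-user threshold, the second has a low failure ratio. The one account that did let the attacker in is reported separately, because that is the account whose reused password has just been confirmed and needs resetting.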
Step 3: Brute force and dictionary attacks
When attackers don’t already have your password, they fall back on guessing it at scale — and “at scale” is the key phrase. Modern graphics cards can test billions of candidate passwords per second against a stolen database of password hashes, checking each guess by hashing it and comparing the result.
They don’t guess randomly. They start with dictionary attacks: real words, common passwords, names, dates, and the predictable patterns humans love — Spring2026!, Liverpool1, Password123. They layer on every common substitution (a→@, o→0, s→$) because those tricks are programmed in from the start. They append the obvious numbers and symbols. Only after exhausting the predictable do they resort to true brute force, trying every possible combination.
This is why length beats complexity. An eight-character password, however clever, falls in the predictable phase. A sixteen-character passphrase of random words pushes the problem into the “true brute force” zone, where the mathematics make it take longer than a human lifetime. Generate one with our password generator, which produces high-entropy passwords and passphrases locally in your browser.
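To put numbers on the "predictable phase" versus "true brute force" distinction, here is an added example (not part of the original article) in Python. It builds a deliberately tiny stand-in for an attacker's wordlist, applies the capitalisation, substitution and suffix rules the article describes, and shows that the "clever" passwords from the text fall inside that small candidate set. It then estimates worst-case search time for blind brute force. The guess rate of 10 billion per second, the five-word stand-in list and the suffix list are assumptions; the 7776-word figure is the size of the standard Diceware list. Going slightly beyond the article, it also shows the estimate when the attacker knows a passphrase was built from a published wordlist, which is the honest way to size one.

```python
import itertools
from typing import Dict, Set

SECONDS_PER_YEAR = 365.25 * 24 * 3600
GUESSES_PER_SECOND = 1e10  # assumed GPU rate against a fast, unsalted hash

# Constructed stand-in for a real wordlist (attackers use millions of entries).
BASE_WORDS = ["password", "liverpool", "spring", "welcome", "dragon"]
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "12", "123", "!", "1!", "2026", "2026!"]  # assumed common suffixes


def leet_variants(word: str) -> Set[str]:
    """Every combination of the common substitutions applied to `word`, including none."""
    letters = sorted({c for c in word if c in LEET})
    out = set()
    for r in range(len(letters) + 1):
        for chosen in itertools.combinations(letters, r):
            out.add("".join(LEET[c] if c in chosen else c for c in word))
    return out


def predictable_candidates(words=BASE_WORDS, suffixes=SUFFIXES) -> Set[str]:
    """The 'predictable phase': dictionary words x capitalisation x substitutions x suffixes."""
    cands = set()
    for w in words:
        for cased in (w, w.capitalize(), w.upper()):
            for variant in leet_variants(cased):
                for s in suffixes:
                    cands.add(variant + s)
    return cands


def brute_force_years(charset_size: int, length: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case years to enumerate every string of `length` over a `charset_size` alphabet."""
    return charset_size ** length / rate / SECONDS_PER_YEAR


def wordlist_years(list_size: int, n_words: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case years if the attacker knows the wordlist and the number of words used."""
    return list_size ** n_words / rate / SECONDS_PER_YEAR


def assess(password: str, rate: float = GUESSES_PER_SECOND) -> Dict[str, object]:
    """Classify a password: caught in the predictable phase, or left to blind brute force."""
    if password in predictable_candidates():
        return {"phase": "predictable", "years": 0.0}
    # Estimate the alphabet from the character classes actually present.
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and space
    return {"phase": "brute force", "years": brute_force_years(size, len(password), rate)}


if __name__ == "__main__":
    print("predictable candidates from a 5-word list:", len(predictable_candidates()))
    for pw in ["P@ssw0rd123", "Spring2026!", "Liverpool1", "correct horse battery staple"]:
        print(f"{pw!r}: {assess(pw)}")
    print("8 chars, full keyboard:", brute_force_years(95, 8), "years")
    print("16 chars, full keyboard:", brute_force_years(95, 16), "years")
    print("4 Diceware words, list known:", wordlist_years(7776, 4), "years")
    print("6 Diceware words, list known:", wordlist_years(7776, 6), "years")
```

Two things stand out when you run it. The whole substitution-and-suffix space for a small list is a few hundred guesses, so "P@ssw0rd123" is found essentially instantly, while a sixteen-character blind search over the full keyboard runs to trillions of years at this rate. The wordlist-aware figures show why "several" should mean six words or so rather than three or four when the attacker can assume a known list.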
Step 4: Phishing — going straight for the source
Why crack a password at all when you can simply ask for it? Phishing skips the technical work entirely by tricking you into handing over your credentials. A convincing email or text claims to be from your bank, a delivery company, or a service you use, and directs you to a fake login page that is a pixel-perfect copy of the real one. You type your password; it goes straight to the attacker.
Modern phishing is alarmingly good. The fake pages can even relay your two-factor code to the real site in real time, defeating SMS and app-based codes. This is precisely why phishing-resistant methods — passkeys and hardware security keys — matter so much: they are cryptographically bound to the real website’s domain and simply refuse to work on a fake one. I cover that defence in my guides on passkeys and on two-factor authentication.
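The phrase "cryptographically bound to the real website’s domain" is worth seeing concretely. The following added example (written for this article, not code from any passkey implementation) models the three checks a site performs on a passkey login: the browser-supplied origin in the client data, the hash of the relying-party ID in the authenticator data, and a signature covering both. A phishing page at a look-alike domain can relay the site's challenge, but the browser fills in the phishing origin and only permits an RP ID that belongs to the phishing domain, so the relayed response fails; rewriting those fields afterwards breaks the signature instead. The assumptions: the domain names are constructed, and the signature is an HMAC stand-in (real passkeys use public-key signatures such as ECDSA, where the site holds only the public key), chosen so the example runs with the standard library alone.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Stand-in for the credential's private key. In real WebAuthn the authenticator keeps a
# private key and the site stores the matching public key; HMAC with a shared secret is
# used here only to keep the example dependency-free.
CREDENTIAL_SECRET = b"constructed-per-credential-secret"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def authenticator_sign(rp_id: str, origin: str, challenge: str) -> Tuple[bytes, bytes, bytes]:
    """What the browser and authenticator produce for a login request made by a page at
    `origin`. The browser writes the origin itself (the page cannot lie about it), the
    authenticator hashes the RP ID it was asked for, and the signature covers both."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    # authenticatorData layout: rpIdHash (32 bytes) | flags (1 byte, UP set) | signCount (4 bytes)
    auth_data = sha256(rp_id.encode()) + b"\x01" + (0).to_bytes(4, "big")
    signature = hmac.new(CREDENTIAL_SECRET, auth_data + sha256(client_data),
                         hashlib.sha256).digest()
    return client_data, auth_data, signature


def verify_assertion(expected_rp_id: str, expected_origin: str, expected_challenge: str,
                     client_data: bytes, auth_data: bytes, signature: bytes) -> str:
    """The relying party's checks; returns "ok" or the first failing check."""
    c = json.loads(client_data)
    if c.get("type") != "webauthn.get":
        return "bad type"
    if c.get("challenge") != expected_challenge:
        return "challenge mismatch"
    if c.get("origin") != expected_origin:
        return "origin mismatch"
    if auth_data[:32] != sha256(expected_rp_id.encode()):
        return "rpIdHash mismatch"
    expected_sig = hmac.new(CREDENTIAL_SECRET, auth_data + sha256(client_data),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        return "bad signature"
    return "ok"


def demo() -> Tuple[str, str, str]:
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"  # constructed; real sites send fresh random bytes
    real_rp, real_origin = "example.com", "https://example.com"

    # 1. Genuine login: the real site's page asks for its own RP ID.
    genuine = authenticator_sign(real_rp, real_origin, challenge)

    # 2. Look-alike page relays the real challenge. The browser records the phishing origin
    #    and will only allow an RP ID within the phishing page's own domain.
    phish_domain = "example-com-login.net"
    phish = authenticator_sign(phish_domain, "https://" + phish_domain, challenge)

    # 3. Attacker patches origin and rpIdHash to look genuine before forwarding.
    cd, ad, sig = phish
    forged_cd = cd.replace(("https://" + phish_domain).encode(), real_origin.encode())
    forged_ad = sha256(real_rp.encode()) + ad[32:]

    return (verify_assertion(real_rp, real_origin, challenge, *genuine),
            verify_assertion(real_rp, real_origin, challenge, *phish),
            verify_assertion(real_rp, real_origin, challenge, forged_cd, forged_ad, sig))


if __name__ == "__main__":
    for label, result in zip(("genuine", "relayed from look-alike", "relayed and patched"), demo()):
        print(f"{label}: {result}")
```

The three outcomes are "ok", "origin mismatch" and "bad signature". Contrast this with a one-time code from SMS or an app: that code carries no information about which site it was typed into, which is exactly what a relaying phishing page exploits and exactly what the origin and RP ID binding here removes.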
Step 5: SIM swapping and recovery hijacking
When an attacker wants into a specific high-value account, they go after the recovery path. SIM swapping is the classic move: the criminal calls your mobile carrier, impersonates you using personal details from breaches, and convinces them to move your number to a SIM they control. Now every SMS code and password-reset text arrives on their phone.
A related tactic is recovery hijacking — quietly changing the recovery email or phone number on an account so that even after you reset your password, they can take it back. This is why I always tell people: check your account recovery settings periodically, and never rely on SMS as the recovery method for your most important accounts.
Step 6: Lateral movement — one account becomes all of them
Once an attacker is into a single account, the damage rarely stops there. Your email is the master key: with it, they can trigger password resets on every other service tied to it. They read your messages to learn which banks and services you use, find your contacts to target next, and set up silent forwarding rules so they keep seeing your mail even after you lock them out.
This is why securing your email account first, with the strongest protection available, is the highest-value security decision you can make. Lose your email and you potentially lose everything connected to it.
Mapping the defences to the attack chain
Now that the chain is visible, the defences line up neatly against it:
Against credential stuffing (the most common attack): a unique password for every single site, stored in a password manager. This single change makes a breach of one site unable to spread to any other.
Against brute force: length over complexity. Aim for 16+ characters, ideally passphrases of several random words. Let a generator and manager handle it so you never have to memorise them.
Against phishing: scepticism plus phishing-resistant authentication. Never log in via a link in an email; type the address yourself. And where possible, switch to passkeys or a hardware key, which cannot be used on a fake site.
Against SIM swapping and recovery hijacking: move off SMS for important accounts, use an authenticator app or hardware key, and audit your recovery settings.
Against lateral movement: lock down your primary email with the strongest factor available, and turn on two-factor authentication everywhere that matters.
The bottom line
The hacker in the dark room is mostly a myth. The real threat is an automated pipeline that turns one company’s breach into thousands of account takeovers, powered overwhelmingly by reused passwords and convincing fake login pages. You don’t need to be a security expert to break that pipeline — you need unique passwords, a password manager, strong two-factor authentication, and a healthy suspicion of any link asking you to log in. Get those four things in place and you fall out of the bottom of the funnel, where the automated attacks simply move on to easier targets.
Curious how your current passwords would fare in a real attack? Test them privately with the PassGuard Check strength tester — all analysis happens locally in your browser, and nothing is ever stored or sent.