Imagine Johnny, an AI expert, famous for his globetrotting talks, boasting about racking up over a million Delta miles. Unbeknownst to him, in his audience sits Billy, a tech guru with a less-than-ethical focus — stealing travel loyalty points to sell discounted travel.
Billy spots Johnny as a potentially “ripe target.” His initial challenge is accessing Johnny’s Delta account without knowing his email or password. At this stage, the odds of success are astronomically low — estimated at 1 in 100 billion. But Billy collects vast amounts of breach data, and his odds improve dramatically with each additional piece of information he obtains.
How Risk Escalates: A Credential Hierarchy
Stage 1 — Being online for a long time carries some baseline risk from accumulated breach exposure.
Stage 2 — Being in a data breach (over 2 years ago) carries more risk, as credentials may be circulating in criminal marketplaces.
Stage 3 — Being in a recent data breach is riskier still — credentials are fresher and more likely to be actively exploited.
Stage 4 — Being targeted by a bad actor who knows your email address dramatically increases risk. The moment Billy learns Johnny’s email (by simply asking for it at a conference), he can run it against billions of compromised credential pairs.
Stage 5 — Known email + found password in a compromise list — especially if you reuse passwords. Now Billy has a usable attack vector at scale.
Stage 6 — Known email-password combination represents a very high risk. Billy can attempt direct login or credential stuffing attacks against multiple services Johnny uses.
Stage 7 — The highest risk: a bad actor who knows your username and password and has also compromised your email account. At this point, every MFA mechanism that routes through that inbox is effectively neutralized.
What This Means for Businesses
For businesses, understanding these different risk types is paramount. Crucially, not all credential screening methods are equal, and security actions must match the type and level of risk.
Applying overly strict security measures designed for high-risk situations to a low-risk situation creates false positives and unnecessary friction for legitimate users. By tailoring authentication requirements to the risk level, businesses ensure low-risk users have a smooth experience while applying strong security measures only when truly needed. This balanced approach improves user satisfaction and effectively safeguards sensitive information — preventing your customers from becoming the next Johnny.
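The following is an added example, not code from myNetWatchman or from the report: a small risk-tiered login policy that maps observable signals onto the seven stages above and picks a proportionate response, so that low-stage users keep the friction-free path and step-up measures fire only at the higher stages. Everything in it is assumed for illustration: the breach corpus is constructed, the two extra signals (failed logins in the last 24 hours as a proxy for active targeting, and a mailbox-takeover report from the mail provider) are hypothetical, the stage-to-action table is one possible policy, and a compromised inbox on its own is treated as Stage 7 because email-routed MFA is already neutralized there.

```python
"""
Risk-tiered authentication policy built on the seven stages above.
Added example: not myNetWatchman's or any vendor's product logic.
All breach data is constructed; assumptions are marked in comments.
"""
import hashlib
from dataclasses import dataclass
from datetime import date


def sha1_hex(password: str) -> str:
    """Hash the submitted password at the edge so the raw string is never
    compared against or stored with the breach corpus. SHA-1 is used only
    because breach corpora are commonly indexed by it; it is not how the
    account's own password should be stored."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed breach corpus: (email, sha1(password), date the breach surfaced).
# A real corpus is a large indexed store; a few rows are enough to run offline.
BREACH_CORPUS = [
    ("johnny@example.test", sha1_hex("Delta2016!"), date(2017, 3, 1)),   # old leak
    ("johnny@example.test", sha1_hex("Miles4Life"), date(2024, 9, 10)),  # recent leak
    ("alice@example.test",  sha1_hex("Delta2016!"), date(2022, 5, 5)),   # same pw, other site
    ("bob@example.test",    sha1_hex("hunter2"),    date(2019, 1, 1)),
]

TODAY = date(2025, 6, 1)        # pinned so the results are deterministic
RECENT_DAYS = 2 * 365           # the post's "over 2 years ago" boundary
STUFFING_THRESHOLD = 5          # assumed: failed logins/24h that signal targeting


@dataclass(frozen=True)
class LoginAttempt:
    email: str
    password: str                            # hashed immediately; never logged
    failed_attempts_24h: int = 0             # assumed signal from the auth logs
    mailbox_takeover_reported: bool = False  # assumed signal (e.g. mail provider alert)


def classify(attempt: LoginAttempt, today: date = TODAY) -> int:
    """Map observable signals onto the post's Stage 1..7 hierarchy.
    The most severe rule wins, so the checks run from Stage 7 downward."""
    pw_hash = sha1_hex(attempt.password)
    rows_for_email = [(h, d) for e, h, d in BREACH_CORPUS if e == attempt.email]
    pair_match = any(h == pw_hash for h, _ in rows_for_email)
    pw_seen_anywhere = any(h == pw_hash for _, h, _ in BREACH_CORPUS)
    recent_breach = any((today - d).days <= RECENT_DAYS for _, d in rows_for_email)

    if attempt.mailbox_takeover_reported:
        # Stage 7. The post pairs this with a known password; this policy also
        # treats a compromised inbox alone as Stage 7, because email-routed
        # MFA already passes through that inbox (assumed policy choice).
        return 7
    if pair_match:
        return 6                    # Stage 6: exact email+password pair has leaked
    if rows_for_email and pw_seen_anywhere:
        return 5                    # Stage 5: known email, password reused elsewhere
    if attempt.failed_attempts_24h >= STUFFING_THRESHOLD:
        return 4                    # Stage 4: someone is actively targeting this email
    if recent_breach:
        return 3                    # Stage 3: email in a breach within two years
    if rows_for_email:
        return 2                    # Stage 2: email only in older breaches
    return 1                        # Stage 1: baseline exposure only


# Assumed proportionate responses; the low stages keep the friction-free path.
ACTION_BY_STAGE = {
    1: "allow",
    2: "allow",
    3: "allow_and_monitor",
    4: "step_up_mfa",
    5: "step_up_mfa_and_prompt_password_change",
    6: "force_password_reset_then_mfa",
    7: "lock_and_verify_out_of_band",   # anything routed via email is untrusted here
}


def decide(attempt: LoginAttempt) -> tuple:
    """Return (stage, action) for a single login attempt."""
    stage = classify(attempt)
    return stage, ACTION_BY_STAGE[stage]


if __name__ == "__main__":
    for a in (
        LoginAttempt("carol@example.test", "correct horse battery"),
        LoginAttempt("johnny@example.test", "a-fresh-unique-passphrase"),
        LoginAttempt("johnny@example.test", "a-fresh-unique-passphrase", failed_attempts_24h=12),
        LoginAttempt("johnny@example.test", "Delta2016!"),
        LoginAttempt("johnny@example.test", "Delta2016!", mailbox_takeover_reported=True),
    ):
        print(a.email, decide(a))
```

The point of the ordering is that a user whose only exposure is an old breach (Stage 2) never sees a step-up prompt, while the same email submitting a password that already appears beside it in the corpus (Stage 6) is never let through on a password alone; the thresholds and action names are the knobs a business would tune to its own risk appetite.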
The mechanics of how email became the digital economy’s most consequential vulnerability, the case studies that should have changed everything, and what a continuous intelligence approach actually looks like — all documented in “The Lying Gatekeeper,” a special report from myNetWatchman.
Read the Full Report →