It sounds like the setup to a bad joke: someone hacked a system because the password was “123456”. Unfortunately, it’s not a joke – that password has been used by major companies, including a chatbot linked to McDonald’s. In fact, it’s still one of the most common passwords in the world.  

Meanwhile, brands like M&S, Co-op, and The North Face have made headlines in recent months for cyber attacks that exposed personal data – and in some cases, login credentials.  

While these incidents differ in technical detail, one thing keeps cropping up: attackers are gaining access not by brute force, but by taking advantage of weak or reused passwords. 

If you’re still using the same password across multiple accounts – or worse, one that’s easy to guess – this blog is your sign to stop. 

We’ll explain what credential stuffing is, how it works, and what you can do to protect yourself and your organisation with strong, secure passwords. 

What is credential stuffing?

Credential stuffing is a type of cyber attack where hackers use stolen usernames and passwords from one data breach to try to log into other websites or systems. 

They rely on one simple truth: people reuse passwords across multiple accounts. 

If one account is compromised, attackers will use those credentials elsewhere, testing them automatically across hundreds of sites in seconds. 

It’s fast, cheap, and devastatingly effective. 
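Because this pattern is so mechanical, it is also detectable on the defending side: one source trying many different usernames, with mostly failures and the occasional success, looks nothing like a user who mistypes their own password. The following is an added example, not code from the original post. It assumes a simplified authentication log format (`timestamp source_ip username SUCCESS|FAIL`) and illustrative thresholds; the sample log lines are constructed.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example (not from the original post). The log format, the thresholds
and the sample lines below are all assumptions made for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: one source sweeps eight different accounts and gets a
# single hit (a reused password); a second source is one user mistyping their own
# password twice; the third is a normal login.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z 203.0.113.7 alice FAIL
2025-06-01T10:00:01Z 203.0.113.7 bob FAIL
2025-06-01T10:00:02Z 203.0.113.7 carol FAIL
2025-06-01T10:00:02Z 203.0.113.7 dave FAIL
2025-06-01T10:00:03Z 203.0.113.7 erin SUCCESS
2025-06-01T10:00:03Z 203.0.113.7 frank FAIL
2025-06-01T10:00:04Z 203.0.113.7 grace FAIL
2025-06-01T10:00:04Z 203.0.113.7 heidi FAIL
2025-06-01T10:01:00Z 198.51.100.5 alice FAIL
2025-06-01T10:01:05Z 198.51.100.5 alice FAIL
2025-06-01T10:01:20Z 198.51.100.5 alice SUCCESS
2025-06-01T10:02:00Z 192.0.2.9 ivan SUCCESS
"""

# Assumed log line shape: "<timestamp> <source ip> <username> <SUCCESS|FAIL>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>SUCCESS|FAIL)$")


@dataclass
class SourceStats:
    """Per-source-IP counters used for the stuffing heuristic."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct usernames tried
    succeeded: set = field(default_factory=set)  # usernames that logged in from this source


def parse_log(text):
    """Yield (source_ip, username, success) for every well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: ignore rather than abort the whole run
        yield m.group("ip"), m.group("user"), m.group("result") == "SUCCESS"


def summarise(text):
    """Aggregate attempts per source IP."""
    stats = defaultdict(SourceStats)
    for ip, user, ok in parse_log(text):
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.succeeded.add(user)
        else:
            s.failures += 1
    return stats


def flag_stuffing(text, min_distinct_users=5, min_fail_ratio=0.5):
    """Return sources that tried many distinct accounts with a high failure rate.

    A legitimate user who forgets a password fails repeatedly on ONE account, so the
    distinct-username count is the discriminating signal. Thresholds are illustrative
    and should be tuned to real traffic.
    """
    findings = []
    for ip, s in summarise(text).items():
        fail_ratio = s.failures / s.attempts
        if len(s.users) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            findings.append({
                "src_ip": ip,
                "attempts": s.attempts,
                "distinct_users": len(s.users),
                "fail_ratio": round(fail_ratio, 2),
                # Accounts that succeeded from a flagged source are the ones to
                # force a password reset and MFA enrolment on.
                "compromised_candidates": sorted(s.succeeded),
            })
    return findings


if __name__ == "__main__":
    for f in flag_stuffing(SAMPLE_LOG):
        print(f)
```

Run against the constructed sample, only `203.0.113.7` is flagged (8 distinct accounts, 7 of 8 attempts failed), and `erin` is reported as the account whose reused password actually worked; the user fumbling their own login twice from `198.51.100.5` is left alone. The response is the one the post argues for: reset the affected credential, enrol MFA, and look for reuse of the same password elsewhere.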

Real-world examples – The North Face, McDonald’s, M&S

In June 2025, outdoor clothing brand The North Face confirmed a credential stuffing attack that gave hackers access to customer accounts, exposing order history, saved addresses, and contact information. It wasn’t a failure of their systems; it was a failure of password reuse.

Most recently, a story has been doing the rounds on social media about the password for a McDonald’s hiring system being “123456”. And it’s true. A chatbot provider used by McDonald’s left a test account exposed online, revealing names and emails of job candidates. 

In other attacks, M&S and Co-op account holders were advised to change their passwords after suspicious activity was detected. These weren’t isolated incidents – they were part of a broader pattern of targeting login credentials across consumer platforms. 

It only takes one weak link – even a forgotten test account – to expose sensitive data. 

According to the National Cyber Security Centre, “123456” remains one of the most commonly found passwords in breached UK accounts, appearing millions of times in real-world data leaks. 

Why this matters in your workplace 

Even if you’re careful with your work accounts, attackers often use personal breaches to infiltrate professional systems. 

If you’ve used the same password for both your personal email and your NHS staff login, for example, a breach of one could open the door to the other.  

And it’s not just your account at risk – attackers often use this initial access to move laterally across networks, gaining access to shared drives, admin tools, and sensitive systems. 

Cyber criminals don’t need to “hack” in the Hollywood sense anymore – they just need one valid set of reused credentials. 


The case for secure, unique passwords 

Here’s the takeaway: every account should have a different password.  

And not just “different-ish” – truly unique. If one account gets compromised, the damage stops there. 

Creating strong passwords doesn’t mean remembering a string of nonsense like xG7@!dfus8Qz!. It just means following a few simple rules. 

Password security checklist:

  • Use a password manager to generate and store unique, complex passwords for every account. 
  • Use passphrases (at least three random words, e.g. BananaTableSunshine) if you want something memorable but strong. 
  • Avoid common passwords like “qwerty123”, “password1”, or anything based on personal information like birthdays or pets. 
  • Don’t share passwords, even with trusted colleagues – especially via email or shared documents. 
  • Change passwords for any accounts you haven’t updated in years, especially if they’re reused credentials. 
  • Enable multi-factor authentication (MFA) wherever possible – this adds a second layer of protection. 
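Several items on that checklist can be enforced at the point where a password is set rather than left to good intentions. The following is an added example, not code from the original post: it screens a candidate password against a denylist of common passwords (the post names “123456”, “qwerty123” and “password1”; the other entries and the word list are constructed), rejects anything containing supplied personal information, and generates the kind of three-random-word passphrase the checklist recommends using a cryptographically secure random source. The minimum length of 12 is an assumption, not a figure from the post.

```python
"""Screen candidate passwords against the checklist and generate passphrases.

Added example (not from the original post). The denylist and word list are
constructed for illustration; a production system would screen against a full
breached-password corpus rather than a handful of entries.
"""
import re
import secrets

# Constructed denylist. "123456", "qwerty123" and "password1" are named in the post;
# the remaining entries are assumptions added to make the normalisation step useful.
COMMON_PASSWORDS = {
    "123456", "qwerty123", "password1", "password", "letmein", "12345678", "qwerty",
}

# Constructed word list for passphrase generation (a real list would have thousands
# of words so that three of them give enough entropy).
WORDLIST = [
    "banana", "table", "sunshine", "river", "copper", "window",
    "falcon", "marble", "pepper", "lantern", "orbit", "meadow",
]


def normalise(pw):
    """Lowercase and strip trailing digits/symbols so 'Password1!' is caught as 'password'."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def check_password(pw, personal_info=(), min_length=12):
    """Return the list of checklist rules the password breaks; an empty list means it passes.

    personal_info: strings the user should not embed in a password (pet names,
    birth years, etc.). min_length is an assumed policy value.
    """
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if pw.lower() in COMMON_PASSWORDS or normalise(pw) in COMMON_PASSWORDS:
        reasons.append("on the common-password denylist")
    for item in personal_info:
        if item and item.lower() in pw.lower():
            reasons.append(f"contains personal information ({item!r})")
    return reasons


def generate_passphrase(words=3, separator=""):
    """Build a passphrase from `words` randomly chosen list entries.

    secrets.choice is used rather than random.choice because the result is a
    credential; each word is capitalised so word boundaries stay readable
    (e.g. BananaTableSunshine) even with an empty separator.
    """
    chosen = [secrets.choice(WORDLIST) for _ in range(words)]
    return separator.join(w.capitalize() for w in chosen)


if __name__ == "__main__":
    for candidate in ["123456", "Password1!", "Rex2019!", "BananaTableSunshine"]:
        print(candidate, "->", check_password(candidate, personal_info=["Rex"]) or "OK")
    print("suggested passphrase:", generate_passphrase())
```

The normalisation step matters in practice: users asked to avoid “password” frequently submit “Password1!”, which trivially satisfies a complexity rule while remaining on every attacker’s list. A generated three-word passphrase from a reasonably sized word list both passes the screen and is memorable, which is the trade-off the checklist is pointing at.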

Ready to test how secure your organisation really is? 

You might have robust systems in place, but human behaviour is still the weakest link in cyber security. That’s why Cyber Security Audits and Staff Awareness Training are essential parts of any organisation’s cyber resilience strategy. 

Our Staff Awareness Training helps teams spot risks, use better tools, and break bad habits (like reusing their passwords – one more time for the people at the back!). 

And if you’re not sure where to start, our Cyber Security Audit service identifies your weakest vulnerabilities before attackers do.  

Security starts with your next login 

Cyber attacks aren’t slowing down. They’re coming thick and fast, and they’re getting bigger, bolder, and better-resourced than ever. 

You can’t control every data breach out there. But you can stop those breaches from affecting you – or your organisation – by breaking the password reuse habit. 

Unique, strong passwords protect your personal data, your colleagues, and your wider network – one login at a time.