If a company or website gets hacked, why does it matter how strong my password is? Isn’t it more important that I don’t re-use a password?


If a site gets hacked, am I at any sort of advantage by having a complicated password, or does it not really matter at that point?


13 Answers

Anonymous

20yr Sysadmin & IT Lead here.

You say “hacked” but it’d be a lot more common to say “guessed the password”. More often than not, the media portrays a “hack” as some edge-lord 19yo in a dark room wearing a trenchcoat, staring at a screen covered in green text as they tap furiously on the keyboard at 3am. What they don’t show is the reality, which is either as below, or that someone has a really, really stupid password that can be guessed from their public Facebook profile (name of their first child, their own name, maiden name, name of the road they live on, etc) often with just a capital at the start and the ‘o’ replaced with zero.

What often actually happens is that some “real hacker” somehow pulls the database of usernames, emails and passwords from a website. This usually happens because the site’s admins (possibly because they don’t care, possibly because they’re inept, probably because they’re underfunded) are using an outdated piece of software with a known vulnerability. The real hacker connects to that site, executes some known hole, and walks away with a database of users’ details which they can sell to someone else. This is a simplified version of things like the “big LinkedIn” breach from a few years back so we’ll use that as our example.

The problem is that users often use the same password for everything, their corporate account, their eBay, their PayPal, their LinkedIn, the crappy hobby-forum they go on to discuss “flower pressing” or something. Dave who runs the flower press website (who “isn’t an IT guy” by his own admission) likely only just managed to get it online 7 years ago and hasn’t touched it since as he’s scared of breaking it, so it’s very out of date.

Someone now buys that database, in our example, the LinkedIn one. In it is a big list of 117 million email addresses and passwords (including Police, Politicians, etc). They then create a small bit of software and point it at eBay for instance. The software tries each line in turn and uses the email and password it already knows in the database, seeing if it works there. It marks each one that works so a human can come back later and buy things that are charged to the account user.

This also happens with work. Someone recognises the 1,000 politicians in the data leak, goes to their company websites and tries their logins. Surprisingly, a large number work. The attacker logs on via your VPN or to your OneDrive and pulls off all the files they can to go through later. Some may not be interesting but some may be Intellectual Property such as information about the new COVID vaccines (I’m looking at you, Russia), legal info or commercially sensitive information that can let you make a killing on the stock market.

FWIW, you can see what accounts your email addresses have been a part of by going to the perfectly safe (feel free to corroborate this elsewhere) website [Have I Been Pwned](https://haveibeenpwned.com/). To help, I’ve had my address for 24 years now and am present in 11 breaches.

The point here is that it’s important not to use the same password everywhere and not make it basic or dumb.
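As an added example (not from the original post), here is a small Python detector that runs over constructed login log lines and flags the pattern the answer describes from the defender's side: one source trying many different accounts with a replayed breach list, where only the accounts whose owners reused their password succeed. The log format, the thresholds and every address and account name are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from the original post). Assumed format:
#   "<timestamp> login user=<email> src=<ip> result=<ok|fail>"
# 203.0.113.7 replays a leaked email:password list against many accounts;
# bob and carol reused their leaked password, so those two attempts succeed.
SAMPLE_LOG = """\
2024-05-01T03:00:01 login user=alice@example.com src=203.0.113.7 result=fail
2024-05-01T03:00:02 login user=bob@example.com src=203.0.113.7 result=ok
2024-05-01T03:00:03 login user=carol@example.com src=203.0.113.7 result=ok
2024-05-01T03:00:04 login user=dave@example.com src=203.0.113.7 result=fail
2024-05-01T03:00:05 login user=erin@example.com src=203.0.113.7 result=fail
2024-05-01T03:00:06 login user=frank@example.com src=203.0.113.7 result=fail
2024-05-01T08:12:40 login user=alice@example.com src=198.51.100.20 result=fail
2024-05-01T08:12:55 login user=alice@example.com src=198.51.100.20 result=ok
2024-05-01T09:30:00 login user=dave@example.com src=192.0.2.9 result=ok
"""

LINE_RE = re.compile(
    r"login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)"
)


def parse_events(log_text):
    """Return one dict per parseable login line; other lines are skipped."""
    matches = (LINE_RE.search(line) for line in log_text.splitlines())
    return [m.groupdict() for m in matches if m]


def find_stuffing_sources(events, min_distinct_users=5, min_fail_ratio=0.6):
    """Flag sources that hit many different accounts and mostly fail.
    A user mistyping a password hits one account from one IP; a replayed
    breach list hits many, and only the reused passwords succeed.
    The thresholds are assumptions chosen for this example."""
    per_src = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0, "hits": set()})
    for e in events:
        s = per_src[e["src"]]
        s["users"].add(e["user"])
        s["total"] += 1
        if e["result"] == "fail":
            s["fails"] += 1
        else:
            s["hits"].add(e["user"])  # the reused password worked here
    flagged = {}
    for src, s in per_src.items():
        if len(s["users"]) >= min_distinct_users and s["fails"] / s["total"] >= min_fail_ratio:
            flagged[src] = {"attempts": s["total"], "distinct_users": len(s["users"]),
                            "compromised": sorted(s["hits"])}
    return flagged
```

The accounts listed under `compromised` are the ones to force a password reset on, since their owners evidently reused a leaked password; the legitimate mistyped login from 198.51.100.20 is not flagged.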
