There are two really common methods of attack.
The first is social engineering. This is things like phishing attacks that trick people into giving others access they shouldn’t have. This could be clicking on things in an email that they shouldn’t, or trusting someone who phoned them to actually be who they say they are. Education and working with zero trust are great for this.
The second is stuffing attacks on people who reuse passwords. If you logged into a weak website with **[email protected]** and password **P@ssw0rd**, and that website got compromised, someone could get the passwords out of it and reuse them on another site, hoping that you use the same username and password combination.
The easiest way to fight that second one is to use a password manager that will allow you to use random passwords for every site. Also, where possible, exclusively use an SSO login with a trusted SSO provider (like Sign On With Google) instead of even creating a username/password.
Also use 2FA wherever possible, but especially on that SSO account. That means even if the password gets compromised, it can’t be reused even on the same site.
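To make the password-reuse point concrete, here is an added example (not part of the original answer) that audits a password manager CSV export for passwords shared across sites and shows which logins a single breach would expose. The column names `url`, `username`, `password` and all sample rows are assumptions constructed for illustration.

```python
import csv, hashlib, hmac, io, secrets
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export; the column names are assumed, not a real product's format.
SAMPLE_EXPORT = """url,username,password
https://forum.example/login,alice@example.com,P@ssw0rd
https://shop.example/account,alice@example.com,P@ssw0rd
https://bank.example/,alice@example.com,t7#Lq9!vXz2&mRw4
https://mail.example/,alice,P@ssw0rd
https://wiki.example/,alice,c4$Hn8^pKd1*uYe6
"""

def find_reused_passwords(export_text):
    """Return groups of (host, username) pairs that share one password."""
    # Per-run random key: passwords are grouped by keyed fingerprint, so the
    # grouping table never holds plaintext and is useless outside this process.
    key = secrets.token_bytes(32)
    groups = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        password = row.get("password") or ""
        if not password:
            continue  # skip entries with no stored password (e.g. SSO-only notes)
        host = urlsplit(row["url"]).hostname or row["url"]
        fp = hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()
        groups[fp].add((host, row["username"]))
    # Only a password used on more than one distinct host counts as reuse.
    reused = [sorted(g) for g in groups.values() if len({h for h, _ in g}) > 1]
    return sorted(reused, key=len, reverse=True)

def stuffing_exposure(reused):
    """Map each host to the other hosts whose breach would leak a working
    login for it (strict match: same username AND same password)."""
    exposure = defaultdict(set)
    for group in reused:
        for host, user in group:
            for other_host, other_user in group:
                if other_host != host and other_user == user:
                    exposure[host].add(other_host)
    return {h: sorted(o) for h, o in exposure.items()}

if __name__ == "__main__":
    reused = find_reused_passwords(SAMPLE_EXPORT)
    for group in reused:
        print("same password on:", ", ".join(f"{u} @ {h}" for h, u in group))
    for host, others in sorted(stuffing_exposure(reused).items()):
        print(f"{host}: login exposed if any of {others} is breached")
```

Every entry the audit reports is a candidate for rotation to a unique random password, starting with the accounts that appear in the exposure map.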