AI agents and the new economics of account takeover

What my mother-in-law's hack taught me about AI-supercharged hacking
Published May 20, 2026 by Alessandro Segala (@ItalyPaleAle)

Last month, my mother-in-law’s email account was compromised. What followed was not the kind of slow, grinding ordeal you might imagine when you picture someone “getting hacked.” It was fast, coordinated, and sweeping. By the time we understood what was happening, the damage had already been done across more than a dozen accounts.

She’d been reusing a password that, as we later confirmed on HaveIBeenPwned, had appeared in a previous breach, and she had no multi-factor authentication. While this may make us techies shiver, it is honestly not an unusual security posture. The gap between what security-conscious technologists consider baseline hygiene and what a suburban retiree thinks of as “reasonable caution” is wide and real. But that gap, which has always existed, now matters a lot more than it used to.

What happened, specifically

The attacker got into her email account, which for most people is like getting the “keys to the kingdom”. From there, they spread in every direction, simultaneously.

Within a single day:

  • They placed orders on a collector’s marketplace using what I’d guess is a stolen card and a drop-shipping address, presumably to flip the goods.
  • They accessed her old iCloud account, which had been unused for years and was lacking 2FA. The attackers likely got access to old phone backups too, which could contain a vast amount of information.
  • They logged into her Nextdoor account and started posting spam. Nextdoor permanently banned the account (perhaps a silver lining? 🙂).
  • They stole over 100,000 American Airlines frequent flier miles, transferring them out of her account to someone else.
  • An order was placed on Walmart. An attempt was also made at Nordstrom, where she has a store card saved, but it was canceled by the store.
  • They got into her Ticketmaster account, but fortunately there were no tickets to steal at the time.
  • Finally, the attackers tried old, opportunistic tactics too. Floating in somewhere near the end of all this came an email, sent to herself from her own address, claiming the attacker had installed software on her computer and had taken compromising photographs of her. Of course, they wanted money, or they’d release said images. This is a well-known sextortion scam, lazily executed too since they should have known by then she doesn’t own a computer.

The attacker didn’t just change passwords. They changed security questions, closing recovery paths too, one by one, as they went.

Crucially, all of this happened fast. The bulk of the activity unfolded in under twenty-four hours.

This isn’t a new kind of attack, but it’s a new kind of economics

Credential stuffing (taking a leaked username-and-password combination and trying it across dozens of services) has been around for years. Breaches are sold, credentials are aggregated, lists are re-sold. My mother-in-law’s email and password were sitting somewhere in a spreadsheet alongside tens of thousands of others. Nothing novel there.

What has changed is the economics of what comes next.

Before, the bottleneck was human labor. Attackers running these operations at scale had to rely on people, often in low-wage “click farms”, to do the actual account exploration work by hand, with low motivation. Which services should we try this credential on? Did the login work? What’s in here? Is this account worth pursuing further? All of that required clicks, judgment, and time, thus money. So attackers had to make choices: they’d focus on accounts with obvious high-value indicators, and when an account turned out to be a dead end or required too much effort compared to the value they could extract, they’d move on. A retired woman whose email account doesn’t obviously scream “valuable” might well get skipped or quickly abandoned.

The second bottleneck was breadth once you’re in. Even if an attacker got into someone’s email, figuring out which downstream accounts to target (which stores she’s bought from, which airlines she has miles with, which social platforms she uses) takes time when done by hand. And acting on each of those, one by one, across dozens of different websites with different UIs and different flows, takes even more time. As time passes, the victim can start to notice and react, cutting off the attacker before they can spread further.

Both of those bottlenecks are dissolving.

AI agents can autonomously navigate arbitrary websites, fill out forms, reason about what they’re looking at, and decide what to do next without human guidance at each step. They have fundamentally changed the economic calculus. The cost of exploring an account is now close to zero. Likewise, the cost of acting across a dozen different services simultaneously, each with its own interface, is also close to zero. You no longer need a team of people; you just need a prompt, a list, and some tokens.

This is not just about speed, though speed matters enormously (faster movement means less time for automated fraud detection or for the victim to react). It’s about the removal of the economic filter. When human labor was the rate-limiting factor, attackers had to decide: is this account worth our time? A small business owner, a software engineer with access to employer systems, someone who has store cards: those are high-value targets. A suburban retiree with a Nextdoor account and some airline miles is low-value, and the return on investment gets even lower the more work it takes to figure that out.

Now that filter is gone. If the credential works, the account gets fully explored. If the account yields anything worth any value (miles, marketplace access, a social platform that can post spam, an old iCloud account that’s been sitting dormant) it gets exploited. Not because a human decided it was worth it, but because the cost of acting is essentially zero.

My mother-in-law’s account, which by any previous calculus would have been a marginal target, yielded. None of that required a human to discover or exploit. An agent just… found it, and acted on it.

The week after

Recovering from something like this is not a quick afternoon of password resets. Between my in-laws and my wife and me as helpers, it took about a week before we felt like things were genuinely locked down. I estimate all of that was north of 20 hours of actual work (in no small part spent holding on the phone).

The first and most urgent task was recovering the email account itself. This meant contacting the provider, proving identity, and fighting through a process that the attacker had already complicated by changing the password twice. Email is the “key to the kingdom”, so nothing else could really start until that was resolved.

Once email was back under our control, we did an immediate sweep of every account we considered sensitive: not just the ones that had been visibly compromised, but any account where the consequences of access would be significant. Banking and financial accounts got password changes, and we enabled 2FA or passkeys where they were missing. Cards that had been used on the compromised retail accounts got blocked preemptively, because shipping addresses and partial order information were now in the attacker’s hands. That meant calling banks and then updating a trickle of utilities and subscriptions that were on auto-pay with those cards.

American Airlines was a multi-hour phone ordeal. We tried to recover the transferred miles, unsuccessfully.

We contacted Walmart, Nordstrom, and the other stores the attacker tried to buy from, reporting the fraud. We also tried to recover some of her social accounts, including Nextdoor, which had banned her for life.

Then there was the education layer. Setting up passkeys where they were available, explaining how a password manager works and why it matters, walking through what a phishing email looks like, explaining the recovery process for different account types. This is slow, careful work, and it requires patience, as well as a lot of empathy. The goal isn’t just to restore security but to leave someone in a position where they understand what happened and can make better decisions going forward.

What this means for us

If you’re reading this blog, you’re probably not the person most at risk from the shift I’ve described. You’re using a password manager, your sensitive accounts have 2FA or passkeys or both, you’re not reusing passwords.

But you almost certainly know people who are. Family members, friends, colleagues in non-technical roles. People who find the entire security hygiene apparatus opaque and exhausting, and who have made peace with practices that carry more risk than they realize. In many cases, they felt no need to do otherwise given that they had not (yet) sustained a hack themselves.

The uncomfortable reality of where we’re headed is that “flying low”, maintaining a low profile in hopes that attackers would prioritize higher-value targets, is no longer a viable implicit strategy. The economic logic that made it work, even imperfectly, is eroding. We are moving toward a world where any credential in any breach gets fully explored, automatically at scale, and at essentially no cost to the attacker.

That changes what being a technically-skilled person in someone’s life actually means. We’re going to get called on to help people recover from hacks more often. And more importantly, we’re going to need to proactively help the people around us improve their security posture before the call comes, because the recovery is hard, time-consuming, expensive, and sometimes leaves permanent losses that can’t be undone.

The tools to do this well exist. Password managers have gotten genuinely approachable. Passkeys, where supported, eliminate an entire class of credential risk. The conversation about why this matters has gotten more concrete: you can now tell someone that if your email gets compromised, an automated system can systematically drain your airline miles, place fraudulent orders across every retailer you’ve ever used, and lock you out of your own recovery paths, all before you’ve woken up in the morning. That’s not a hypothetical.

The post-breach cleanup is also something worth being prepared for, practically. Knowing which accounts can be recovered and how, and knowing the order of operations when things go wrong: this is becoming a relevant skill set, not just an occasional curiosity.

We spent a week helping one person recover from something that will become increasingly common. The sooner the people around us are hardened against it, the less likely we are to spend another week doing it.
