Robert Graham from Errata Security gives a basic walk-through of just how easy it (potentially) is to “hack” people’s accounts.

“Hack” is in scare quotes here because there’s no actual hacking going on; Graham is just cross-referencing data sets, specifically looking for a target’s email address in the Have I Been Pwned database. HIBP doesn’t display breached passwords/hashes directly, but it does list which breach datasets an email address appears in. Anyone with access to the original dataset—and they’re not that difficult to obtain, for someone motivated to look—basically then has a user’s password[1] and can potentially use it to breach that user’s other accounts.

The point of this, incidentally, is to show how trivial this stuff is, and to stress the importance of tactics such as enabling multi-factor authentication and not reusing passwords[2] across websites. Nothing is foolproof, but the low-hanging fruit here is very low hanging, so… y’know. Go do something about that, maybe?

  1. Or, more accurately, the potential to obtain the user’s password.
  2. Or email addresses!