A phishing email from what looks like a trusted colleague. The right name. A real project. Sent on a Friday afternoon when people are moving fast. These aren't lucky guesses. They're built from data. And most of that data wasn't stolen from anywhere.

A few years ago I ordered a vinyl pressing of Zooropa. A text arrived saying I owed €6.47 in customs duty. The text looked real. I tapped through, entered my card details, and got on with my day. Forty-five minutes later my credit card's fraud team caught it.

You share your screen in a meeting. You start typing the URL of the doc you need. Your browser drops a list of suggestions into the address bar. Some of them are work. One of them is something you searched for at 6:47 AM that you never planned to share with the room.

You did everything right. Sixteen characters. Uppercase, lowercase, numbers, symbols. Nothing anyone could guess. Six months later the company holding that password got breached. A hundred million credentials leaked onto a forum you've never heard of. Yours is probably in there somewhere. The password wasn't weak. It was just shared.

It was framed as anonymous. Staff were told their responses were confidential. The form asked honest questions about workplace culture, management, and morale. The responses went into a Google Sheet. That sheet was sitting in a Shared Drive.

A new tool lands in your inbox. You click the setup link. There's no sign in with Google option. You know what you should do. You do what you shouldn't. You type the same password you use for everything else. Of course you do. This isn't a character flaw. It's a predictable response to an impossible demand.