Of course, they could look for a username that sounds like you in the list of 8 million LinkedIn and EHarmony logins and then just use the password published there, or the ones posted following the hack of 77 million user accounts at Sony or the 130 million credit-card accounts taken from the clearinghouse that processes your credit card payments, or tens of thousands lost by a New York electric utility or the California government services agency you thought was unquestionably trustworthy or the 24 million emails and user names swiped from Zappos or almost anywhere else.