Hijackers routinely attempt to sign in to sites across the web with every credential exposed by a third-party breach.
says Google Online Security blog. Surely it would be possible for sites to recognize this pattern of behaviour and block such attempts? Why don’t they do that?