A study published by Microsoft in 2007 that analyzed the use of passwords over a three-month period found that users reused the same password across four different websites on average.
Joseph Bonneau, a University of Cambridge researcher, analyzed a list of stolen passwords from the rootkit.com and gawker.com websites in 2011. It turned out that out of 456 e-mail addresses used on both websites, at least 31% also used the same password. Of those with different passwords, some still used very similar passwords (for example, "password1" and "password2").
How Hackers Get Your Password
For example, a user receives an e-mail with a link and is told that, for some reason, they should click on it and sign up. The link leads to a fake website, and the attacker saves whatever the user enters.
For example, malware on the user's computer records all keystrokes made while visiting websites or takes regular screenshots. Once the data has been collected, the malware sends it to the hacker.
The attacker interacts directly with the user (e.g., over a phone call) and tries to obtain confidential data from them (e.g., the WLAN password).
The attacker goes through an extensive list of words that are often used as passwords.
The attacker tries all possible character combinations until they find the right password.
Identical passwords are a security risk
Logging in to a website requires two things: a username and a password. The username is usually an e-mail address. Unless someone maintains several e-mail accounts, the same e-mail address is usually used as the username everywhere (e.g. on Facebook, Twitter, Amazon, eBay, etc.).
If an attacker has a username and password, they can try it on other websites. A password that is used on several websites thus considerably increases the prospects for a successful attack and therefore represents an enormous security risk.
Ideally, you find out from the press or, for example, from the Federal Office for Security in Information Technology when passwords have been stolen on a large scale. However, not every hacking victim is fortunate enough to learn that their password has been cracked. In these cases, the hackers have enough time to locate the victims' other accounts and access them with the already known password.
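As an added example (not part of the original article), the following Python code audits a user's own list of site passwords for the two patterns described above: identical passwords on several sites, and near-identical ones such as "password1" and "password2". The function names, the similarity thresholds and the sample vault are assumptions made for illustration.

```python
from collections import defaultdict
from itertools import combinations

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            # deletion, insertion, substitution (free if the characters match)
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def base_form(password: str) -> str:
    """Lower-case and drop trailing digits/symbols: 'Password1!' -> 'password'."""
    return password.lower().rstrip("0123456789!?.#$*_-")

def audit(vault: dict[str, str], max_distance: int = 2):
    """Return (identical, similar) findings for a {site: password} mapping."""
    by_password = defaultdict(list)
    for site, pw in vault.items():
        by_password[pw].append(site)
    identical = sorted(sorted(s) for s in by_password.values() if len(s) > 1)

    similar = []
    for (s1, p1), (s2, p2) in combinations(sorted(vault.items()), 2):
        if p1 == p2:
            continue  # already reported as identical
        b1, b2 = base_form(p1), base_form(p2)
        same_base = len(b1) >= 4 and b1 == b2
        # Skip the distance check for very short passwords to avoid noise.
        close = (min(len(p1), len(p2)) > 2 * max_distance
                 and edit_distance(p1, p2) <= max_distance)
        if same_base or close:
            similar.append((s1, s2))
    return identical, similar

# Constructed sample vault: site names and passwords are made up.
SAMPLE_VAULT = {
    "shop.example": "password1",
    "forum.example": "password2",
    "mail.example": "T7#kq9!vRz2m",
    "social.example": "password1",
    "bank.example": "x4$Lw8pQe0Zs",
}

if __name__ == "__main__":
    identical, similar = audit(SAMPLE_VAULT)
    print("identical:", identical, "\nsimilar:", similar)
```

Every site that appears in either result shares its fate with another account: a password leaked from one of them exposes the others directly or after a trivial guess.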