All Your Data Belongs to Us: How to Defend Against Credential Stuffing

All data has been stolen. Attackers routinely share datasets containing billions of credentials and use them to attack websites. These attacks have evolved beyond simple password reuse: attackers now use rich datasets with personal information such as phone numbers, addresses and Social Security numbers to either take over existing accounts or establish new ones. We will discuss which datasets are commonly available to attackers, how attackers use them, and how to defend against these attacks. The defenses are complex, in part because they must carefully balance risk against business needs.