We investigate how an attacker can leverage leaked passwords from one site to more easily guess passwords at other sites. Our study found 42-51% of the users reusing the same password across multiple sites. We further identify few transformation rules that users employ to modify a basic password between sites which can be exploited by an attacker to make password guessing vastly easier.