Massive Password Leak: 19 Billion Credentials Exposed from 200 Data Breaches
Between April 2024 and April 2025, cybersecurity researchers documented just how fragile online passwords are: more than 19 billion passwords were leaked online as a result of nearly 200 data breaches. The breaches, analyzed by Cybernews, included everything from stealer logs and combolists to compromised databases, together totaling over 3 terabytes of raw, sensitive data.
What is even more concerning is that 94% of these passwords were reused, predictable, or both. Only about 6%, approximately 1.1 billion entries, were unique. According to Cybernews researcher Neringa Macijauskaite, this mass leakage is not the result of one-off incidents but of a systemic failure in how people create and manage passwords. “The issue isn’t just weak passwords,” Macijauskaite explained. “It’s how often they’re reused across platforms.”
The findings bring renewed focus to password cracking, which in the strict sense means recovering passwords offline from leaked hashes, and to its cheaper cousin, credential stuffing, which needs no cracking at all. Attackers no longer guess login credentials by hand. Instead, they feed these billions of already-leaked username and password pairs into credential stuffing tools that replay them against countless websites and services, betting on reuse: a password leaked from one site is tried on every other site where the same person holds an account. The report puts the average success rate of such attacks at around 2%, which at this scale translates into thousands of compromised accounts every day, from email and social media to banking and cloud services.
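Because credential stuffing replays one leaked pair after another, its trace in a login log is distinctive: a single client tries many different usernames in a short window and almost all of them fail. The detector below is an added example (not code from the article or from Cybernews) that parses a constructed authentication log, looks for that pattern per source IP, and separates it from a brute-force against one account, which is a different signal. The log format, the thresholds and the sample lines are assumptions made for the example.

```python
"""Spot credential stuffing in an authentication log.

Added example, not code from the original article or from Cybernews.
Credential stuffing replays leaked username/password pairs at scale, so
its trace in a login log is one client trying many distinct usernames in
a short window with a low success rate. Log format, thresholds and the
sample lines below are assumptions constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real traffic). Assumed format:
# <ISO-8601 UTC timestamp> <client IP> login <username> <SUCCESS|FAIL>
SAMPLE_LOG = """\
2025-05-01T10:00:01Z 203.0.113.7 login alice FAIL
2025-05-01T10:00:02Z 203.0.113.7 login bob FAIL
2025-05-01T10:00:02Z 203.0.113.7 login carol FAIL
2025-05-01T10:00:03Z 203.0.113.7 login dave SUCCESS
2025-05-01T10:00:03Z 203.0.113.7 login erin FAIL
2025-05-01T10:00:04Z 203.0.113.7 login frank FAIL
2025-05-01T10:00:04Z 203.0.113.7 login grace FAIL
2025-05-01T10:00:05Z 203.0.113.7 login heidi FAIL
2025-05-01T10:00:05Z 203.0.113.7 login ivan FAIL
2025-05-01T10:00:06Z 203.0.113.7 login judy FAIL
2025-05-01T10:00:10Z 198.51.100.4 login alice FAIL
2025-05-01T10:00:15Z 198.51.100.4 login alice FAIL
2025-05-01T10:00:20Z 198.51.100.4 login alice SUCCESS
2025-05-01T10:05:00Z 192.0.2.9 login mallory SUCCESS
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, verb, user, outcome = line.split()
        if verb != "login":
            continue
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, user, outcome == "SUCCESS"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=8, max_success_rate=0.2):
    """Return {ip: finding} for clients whose behaviour matches stuffing.

    A finding requires, within some `window`, at least `min_users` distinct
    usernames from one IP with a success rate at or below `max_success_rate`.
    Repeated failures against a single account (a brute-force, or a user who
    forgot their password) deliberately do not match: that is a different
    signal. The thresholds are assumptions for the example.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        best = None
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it fits
            while evs[end][0] - evs[start][0] > window:
                start += 1
            burst = evs[start:end + 1]
            users = {e[2] for e in burst}
            if len(users) < min_users:
                continue
            successes = [e[2] for e in burst if e[3]]
            rate = len(successes) / len(burst)
            if rate > max_success_rate:
                continue
            # keep the widest qualifying window so the report covers
            # the whole spree, not just the first eight attempts
            if best is None or len(users) > best["distinct_users"]:
                best = {
                    "attempts": len(burst),
                    "distinct_users": len(users),
                    "success_rate": rate,
                    # accounts whose leaked password still works: these need
                    # a forced reset and session revocation, not just an IP block
                    "compromised": sorted(set(successes)),
                }
        if best is not None:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, finding in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

On the sample, only 203.0.113.7 is flagged: ten usernames in five seconds with a single hit. 198.51.100.4 hammers one account and is not reported here, and the lone success from 192.0.2.9 is ordinary traffic. The `compromised` list is the part an incident responder actually needs, since the account whose password worked is the one that must be reset.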
Among the most frequently found passwords in the dataset was the notorious “123456,” which appeared over 338 million times. Other commonly reused credentials included the default terms “password” and “admin,” still widely present despite repeated warnings from security experts. Such defaults are particularly prevalent in IoT devices, routers, and corporate tools, where factory credentials are seldom changed and frequently reused; an attacker who knows the default does not need to crack anything.
Weak, Reused, and Predictable Passwords Dominate the Dataset
Common themes dominated the leaked credentials. The name “Ana” appeared in nearly 179 million passwords, and countless others were derived from personal identifiers. Words from pop culture (“Mario”), expressions of affection (“love”), food (“pizza”), city names (“Rome”), and even profanity were frequently seen. While these choices may feel personal or creative, they are exactly the words a cracking wordlist already contains, and they show how little most users understand about what makes a password guessable.
The analysis also found that average password length falls between 8 and 10 characters, with eight being the most common. Roughly 27% of leaked passwords consisted solely of lowercase letters and numbers, a small alphabet that makes them particularly susceptible to brute-force attacks. Less than 20% combined uppercase, lowercase, and numbers, and only a small percentage included special characters. These findings point to a critical weakness: predictable composition patterns that make password cracking faster and easier for attackers.
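The categories above (character classes used, length, and whether a password is built from a default, a name or a theme word) are straightforward to compute, and doing so shows why composition alone is a poor measure: a password can have a large keyspace and still be guessed first. The script below is an added example, not code from the article or from Cybernews. It buckets a constructed sample the same way the write-up does, undoes simple leetspeak before the dictionary check, and estimates the brute-force keyspace in bits. The sample list, the word list and the assumed guess rate are all assumptions made for the example.

```python
"""Classify a password set the way the Cybernews analysis does.

Added example, not code from the original article or from Cybernews. It
buckets passwords by character classes and length, flags entries built from
defaults, names and theme words (including simple leetspeak variants), and
estimates brute-force keyspace in bits. The sample list, the word list and
the assumed guess rate are constructed for the example.
"""
import math
import string
from collections import Counter

# Constructed sample, not leaked data.
SAMPLE = [
    "123456", "password", "admin", "ana2019", "mario123", "Rome2024",
    "hunter2", "P@ssw0rd!", "Tr0ub4dor&3", "correcthorsebatterystaple",
]

# Defaults and themes the article singles out (assumed, tiny word list).
PREDICTABLE_TOKENS = ("123456", "password", "admin", "ana", "mario",
                      "love", "pizza", "rome")

# Common character substitutions, undone before the dictionary check.
LEET = str.maketrans("@0341$", "aoeais")

CLASS_SIZE = {"lower": 26, "upper": 26, "digit": 10,
              "symbol": len(string.punctuation)}  # 32 printable ASCII symbols


def char_classes(pw):
    """Return the set of character classes present in pw."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        elif c in string.punctuation:
            classes.add("symbol")
    return frozenset(classes)


def keyspace_bits(pw):
    """Bits an attacker must exhaust if they know only which classes appear."""
    alphabet = sum(CLASS_SIZE[c] for c in char_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def is_predictable(pw):
    """True if pw is built from a known default, name or theme word."""
    low = pw.lower()
    forms = (low, low.translate(LEET))  # check raw and de-leeted spelling
    return any(tok in form for tok in PREDICTABLE_TOKENS for form in forms)


def seconds_to_exhaust(pw, guesses_per_second=1e10):
    """Worst-case time to exhaust the keyspace at an assumed guess rate.

    1e10 guesses/s is a rough figure for a fast unsalted hash on GPU hardware
    (assumption); a predictable password falls long before this bound.
    """
    return 2 ** keyspace_bits(pw) / guesses_per_second


def summarize(passwords):
    """Counts in the categories the Cybernews write-up reports."""
    lengths = Counter(len(p) for p in passwords)
    classes = [char_classes(p) for p in passwords]
    return {
        "total": len(passwords),
        "lower_digit_only": sum(c == {"lower", "digit"} for c in classes),
        "upper_lower_digit": sum(c == {"upper", "lower", "digit"} for c in classes),
        "all_four": sum(len(c) == 4 for c in classes),
        "most_common_length": lengths.most_common(1)[0][0],
        "predictable": sum(is_predictable(p) for p in passwords),
    }


if __name__ == "__main__":
    for pw in SAMPLE:
        print(f"{pw:26} classes={sorted(char_classes(pw))} "
              f"bits={keyspace_bits(pw):5.1f} predictable={is_predictable(pw)}")
    print(summarize(SAMPLE))
```

The instructive rows are “P@ssw0rd!” and “Tr0ub4dor&3”: both use all four classes and have far more keyspace than “hunter2,” yet the first is a dictionary word with substitutions and is flagged as predictable, while a plain 25-letter passphrase with a single character class outscores everything on brute-force cost. Keyspace describes the worst case for the attacker; wordlists and rules describe the typical one.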
Password Cracking Tools Exploit Human Habits with High Success Rates
Yet, there is a small sign of progress. While only 1% of passwords in 2022 featured a combination of lowercase, uppercase, numbers, and symbols, that number has now risen to 19%. This improvement is likely due to more stringent password policies enforced by websites and platforms, though user behavior overall remains largely unchanged.
The scale of this password leak signals a pivotal moment in cybersecurity. Despite the rise in two-factor authentication (2FA), which is often the only real protection when weak passwords are used, the overreliance on passwords remains a persistent weak link. Experts are now urging both users and technology companies to shift away from password-dependent systems entirely.