19 billion passwords leaked online reveal large cybersecurity vulnerabilities


Passwords are outdated, and it’s time for both tech companies and users to move on. There, I said it. Like it or not, the weakest links in cybersecurity rely on human input. While organizations continue to invest in firewalls and endpoint security, the most persistent vulnerability remains the passwords people choose.

The Internet has long struggled with poor password practices, but recent discoveries highlight how serious the problem is.

Security researchers discovered over 19 billion newly leaked passwords collected from hundreds of breaches between April 2024 and April 2025. 94% of these passwords were reused, predictable, or both.

Hacker illustration at work. (Kurt “Cyberguy” Knutsson)

What you need to know

Data from nearly 200 cybersecurity incidents between April 2024 and April 2025 was exposed, as discovered by Cybernews. These were not isolated events. They included large leak repositories, including combolists, stealer logs, and compromised databases. In total, 3 terabytes of raw data, consisting of over 19 billion passwords, were analyzed. Just 6% of these, over 1.1 billion, were unique.

Among the most used passwords, “123456” appeared in over 338 million instances. Words like “password” and “administrator” followed close behind, despite years of public warnings. These defaults often originate from devices such as routers and enterprise tools, where they are rarely changed and are frequently reused elsewhere.

Personal names remain a common pattern. The name “Ana” appeared in almost 179 million passwords, followed by a myriad of other names and name-plus-number combinations. Pop culture, food, cities, and even language were frequent themes. Words like “Mario,” “love,” “pizza,” and “Rome” are not just creative choices. They are now security liabilities.

Worse, attackers don’t need to guess anymore. They have automation. Credential stuffing tools run through billions of known passwords across hundreds of platforms, breaching accounts with success rates of up to 2%. That translates to thousands of compromised profiles, bank accounts, emails and cloud tools every day.

The bigger problem

According to Neringa Macijauskaite, a researcher at Cybernews, the core issue is not only weak passwords, but how often they are reused. Only 6% of passwords are unique. For most users, security depends entirely on two-factor authentication, if it is enabled at all.

Most passwords are 8-10 characters long, with 8 characters being the most common. Approximately 27% of them contain only lowercase letters and numbers, making them extremely vulnerable to brute-force attacks. Less than 20% use a mix of cases and numbers, and only a small percentage contain symbols.

Despite widespread educational efforts, user habits remain stagnant, but one positive trend has emerged. In 2022, only 1% of passwords used a combination of lowercase, uppercase, numbers and symbols. That figure has grown to 19%, perhaps driven by stricter password requirements across platforms.
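The measures reported above (share of unique passwords, most common length, lowercase-plus-digits only, all four character classes) can be computed for any password list, for example during an internal credential audit. The Python below is an added example, not code from Cybernews or from this article; the sample list, the function names and the ASCII-only character classes are assumptions.

```python
import math
import string
from collections import Counter

# Constructed sample standing in for a leaked-credential list (not real breach data).
SAMPLE = ["123456", "password", "123456", "ana2024", "pizza123", "Mario1990",
          "password", "rome2025", "Tr0ub4dor&3x", "123456", "love", "Admin2024"]

# Character classes (ASCII only; an assumption of this example).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

def composition(pw):
    """Return the sorted tuple of character classes present in pw."""
    return tuple(sorted(n for n, chars in CLASSES.items() if any(c in chars for c in pw)))

def keyspace_bits(pw):
    """Upper bound, in bits, on exhaustive search over pw's length and classes."""
    alphabet = sum(len(CLASSES[n]) for n in composition(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def audit(passwords):
    """Summarise a non-empty list with the same measures the article reports."""
    if not passwords:
        raise ValueError("password list is empty")
    counts = Counter(passwords)
    comp = Counter(composition(p) for p in passwords)
    total = len(passwords)
    return {
        "distinct": len(counts),
        "seen_once_share": sum(1 for c in counts.values() if c == 1) / total,
        "lower_digit_only_share": comp[("digit", "lower")] / total,
        "all_four_classes_share": comp[("digit", "lower", "symbol", "upper")] / total,
        "most_common": counts.most_common(1)[0],
        "most_common_length": Counter(map(len, passwords)).most_common(1)[0][0],
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
    for pw in ("123456", "rome2025", "Tr0ub4dor&3x"):
        print(f"{pw!r}: {composition(pw)}, <= {keyspace_bits(pw):.1f} bits")
```

The bit figure is only a ceiling: a password that already appears in a leaked list, such as “password”, falls to a list lookup long before exhaustive search matters, which is why reuse counts are reported alongside composition.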

A password manager is the solution

Reused or weak passwords pose a major threat not only to individuals but also to organizations. A single compromised password can trigger a domino effect, exposing multiple accounts across services. Consider using a password manager to generate and store complex passwords.

Four Ways to Stay Safe from Password-Stealing Scammers

Protecting your data means combining smart security habits with reliable tools. Here are four effective ways to keep your information safe.

1. Enable two-factor authentication (2FA): Even if your password is stolen, 2FA adds an additional layer of security by requiring a second form of verification, such as a code from an authentication app or biometric authentication. Cybercriminals rely on stolen usernames and passwords to break into accounts, but with 2FA enabled, they can’t gain access without the additional security step. Enable 2FA on important accounts such as email, banking, and work-related logins.

2. Use strong antivirus software and be wary of downloads and links: Infostealer malware is the root cause of why passwords are out there. It often spreads through malicious downloads, phishing emails, and fake websites. Do not download software or files from unreliable sources, and always double-check links before clicking. Stick to official websites and app stores for downloads, as attackers disguise malware as legitimate software, game cheats, or cracked applications.

The best way to protect yourself from malicious links that install malware, which may then access your personal information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

3. Keep your software up to date: Cybercriminals exploit outdated software to deliver malware. Keeping your operating system, browsers and security software up to date ensures that known vulnerabilities are patched. Enable automatic updates whenever possible, and install reputable antivirus or endpoint protection software that can detect and block infostealer threats before they compromise your system.

4. Consider a personal data removal service: These services help remove your personal information from data broker sites, reducing the risk of identity theft, spam and targeted scams. While no service can guarantee the complete removal of your data from the internet, a data removal service is a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It has given me peace of mind and has proven to be the most effective way to erase personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

Kurt’s key takeaways

At the end of the day, passwords just don’t cut it anymore. The sheer number of leaked passwords, and the fact that so few of them are unique, shows how vulnerable we are. Cybercriminals are getting smarter and faster, but we don’t have to make it easy for them. You can take some control of the situation by using a password manager, enabling two-factor authentication, keeping your software updated, and considering additional privacy tools. It may take a little effort to change old habits, but the peace of mind you get is worth it.

How many of your accounts use the same password or a variation of it? Let us know by writing to us at cyberguy.com/contact

Copyright 2025 cyberguy.com. Unauthorized reproduction is prohibited.
