Cybersecurity researchers have discovered over 19 billion compromised passwords are freely circulating online, accessible to anyone with malicious intent.
Researchers analyzed more than 200 data breaches that occurred between April 2024 and April 2025, finding the vast majority of leaked credentials were either weak or reused.
According to the Cybernews research team, only six percent of the exposed passwords were unique. The remaining 94 percent were either duplicates or reused across multiple accounts.
The researchers said this highlights a ‘widespread epidemic of weak password reuse,’ which leaves users highly vulnerable to ‘dictionary attacks’ — when hackers attempt to guess a password by running through a list of commonly used words and phrases.
‘For most, security hangs by the thread of two-factor authentication — if it’s even enabled,’ said Neringa Macijauskaitė, information security researcher at Cybernews.
She and her colleagues also found that nearly a third (27 percent) of the leaked passwords only contained lowercase letters and numbers, and 42 percent were too short — only eight to 10 characters long.
And despite being known for their hackability, ‘lazy’ passwords like ‘password,’ ‘admin’ and ‘123456’ are still widely used.
Cybersecurity experts have long warned about the dangers of using and repeating weak passwords, but this new report suggests their efforts have been in vain.
‘There is no progress [on password security] over the decades, highlighting the need to accelerate the adoption of more secure authentication methods,’ the researchers stated.
Several high-profile cybersecurity breaches have taken place over the last year, including multiple attacks on the cloud-based data storage platform Snowflake, and the Ticketmaster leak, which exposed up to 560 million users’ personal data.
These and other incidents have ‘poured billions of passwords and other data into cybercriminals’ hands,’ according to Cybernews.
The dataset included leaked databases, lists containing combinations of usernames or emails and passwords, and data files generated by malicious software.
The data was ‘loaded with information that could be used to steal accounts or impersonate affected people in identity theft attacks,’ Cybernews stated.
The researchers filtered and anonymized the data to make sure that no personal or identifiable information was used during processing, and Cybernews deleted all the data after completing its analysis. It does not retain any copies of the dataset.
They used public information sources, cybersecurity intelligence and automated tools to analyze the data, gathering information about password length, character composition and the use of special characters, digits and uppercase letters.
The team found that ‘1234’ was used in over 727 million passwords, nearly four percent of all passwords. The slightly longer sequence ‘123456’ was found in 338 million passwords.

Cybernews found that an alarming number of leaked passwords only contained numbers or lowercase letters. Strong passwords should contain both, in addition to uppercase letters and special characters.
‘Password’ and ‘123456’ have been the most popular passwords since at least 2011.
There were 56 million instances of people using ‘password’ and 53 million entries for ‘admin,’ suggesting that default passwords like these are still widely used.
‘The ‘default password’ problem remains one of the most persistent and dangerous patterns in leaked credential datasets,’ Macijauskaitė said.
‘Attackers, too, prioritize them, making these passwords among the least secure.’
Many digital systems originally provide these defaults, such as routers or phones with 1234 PINs. If users never change them or reuse them elsewhere, they are putting their accounts at risk.
The analysis also revealed that eight percent of passwords included the user’s name, making them easier to guess.
These results highlighted what not to do when setting a password for a new account.
Based on their findings, the researchers have shared guidelines for creating strong passwords that will protect your accounts from hackers.
First and foremost, they recommend never reusing a password and making sure each one is at least 12 characters long, includes both uppercase and lowercase letters, numbers and at least one special symbol.
You should also avoid using any words, names, sequences or other recognizable strings of characters.
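The guidelines above, together with the weak patterns the report singles out, can be turned into a check at account sign-up. This is an added example, not code from Cybernews; the function names, the four-character sequence window and the sample passwords are assumptions made for illustration, and it does not test for dictionary words or reuse, which would need a wordlist and a breach corpus.

```python
import re

# Strings the article reports as pervasive in leaked passwords (not a complete blocklist).
REPORTED_WEAK = ("password", "admin", "123456", "1234")

CHAR_CLASSES = {
    "lowercase letter": r"[a-z]",
    "uppercase letter": r"[A-Z]",
    "digit": r"[0-9]",
    "special symbol": r"[^A-Za-z0-9]",
}

def has_sequence(text, run=4):
    """True if text holds `run` characters that ascend, descend or repeat (abcd, 4321, aaaa)."""
    for i in range(len(text) - run + 1):
        steps = {ord(text[j + 1]) - ord(text[j]) for j in range(i, i + run - 1)}
        if steps in ({1}, {-1}, {0}):
            return True
    return False

def audit_password(password, user_names=()):
    """Return the guideline violations found; an empty list means none were detected."""
    problems = []
    lowered = password.lower()
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    for label, pattern in CHAR_CLASSES.items():
        if not re.search(pattern, password):
            problems.append(f"no {label}")
    weak = next((w for w in REPORTED_WEAK if w in lowered), None)
    if weak:
        problems.append(f"contains '{weak}'")
    # Assumption: names shorter than 3 characters are skipped to avoid noise.
    if any(len(n) >= 3 and n.lower() in lowered for n in user_names):
        problems.append("contains the user's name")
    if has_sequence(lowered):
        problems.append("contains a character sequence")
    return problems

if __name__ == "__main__":
    # Constructed sample passwords, not taken from any leak.
    for pw, names in [("123456", ()), ("Alice!Summer2025", ("alice",)), ("vR7#qLz!9mXw2@", ())]:
        print(repr(pw), audit_password(pw, names))
```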
Because it can be tricky to remember multiple unique passwords, the researchers recommend using a secure password manager to store them. Some will even create strong passwords for you.
Enabling multi-factor authentication whenever possible will add another layer of protection to your accounts, as this requires you to provide multiple forms of verification in addition to your login credentials.
Taking these measures will help protect your sensitive information from hackers trying to steal it.