New report reveals 19 billion compromised passwords online

May 7, 2025

A record-breaking 19 billion compromised passwords have been exposed online, marking one of the largest known security risks to internet users globally. According to recent research, these passwords, paired with email addresses, have been gathered from over 200 data breaches between April 2024 and April 2025 and are now freely circulating on criminal forums.

This massive database contains only verified, publicly available login credentials, excluding outdated or recycled lists. Alarmingly, only 6% of the passwords were found to be unique, with the remaining 94% reused across multiple accounts, a practice that significantly increases vulnerability. Weak passwords, such as “admin” and “password,” were each used tens of millions of times, making them an easy target for hackers.

Further analysis showed that 42% of the passwords were between just 8 and 10 characters in length, while 27% consisted only of lowercase letters and digits. Such combinations are particularly susceptible to brute-force and credential-stuffing attacks, which are automated methods commonly used by cybercriminals to gain unauthorised access to personal accounts.

Experts urge the public to take immediate action. Reusing passwords across different services means that if one account is breached, it can trigger a chain reaction, putting all linked accounts at risk. Creating long, complicated, and distinct passwords for each site is still one of the best defences against these attacks.

The issue of compromised passwords is closely tied to phishing campaigns, which are often the starting point for such breaches.

Text-based phishing, in particular, has grown rapidly and is now considered a major threat vector. Despite years of advancements in online security, many mobile phishing messages still bypass existing defences, reaching users directly and tricking them into revealing login credentials.

A new wave of cybercrime has emerged from organised groups exploiting this weakness. One such group, known for operating under the name Panda Shop, has developed and distributed smishing (SMS phishing) kits that are highly automated and scalable. These kits are capable of sending millions of phishing messages daily through platforms such as messaging services and mobile carriers. Panda Shop also leverages compromised email and device accounts to increase the reach and credibility of its attacks.

With phishing techniques becoming more advanced and widespread, compromised passwords are no longer just a technical concern but a growing global security threat. Battling this epidemic requires not only individual vigilance but also a stronger and unified response from the cybersecurity industry.
