Confirmed — 19 Billion Compromised Passwords Published Online

19 billion exposed passwords analyzed and it’s not good news.
Update, May 5, 2025: This story, originally published May 3, has been updated with details of an open letter to the cybersecurity industry asking why the phishing threat behind the stolen passwords epidemic has yet to be fixed.
In just the last few months, I have reported on confirmed lists of stolen passwords being made available on the dark web and in criminal forums that have risen from 800 million to 1.7 billion and even as high as 2.1 billion, mainly thanks to the rise and rise of infostealer malware attacks. But a new report has just blown even those shockingly large statistics out of the water with an analysis of 19 billion such passwords that are available online right now to any hackers who want to seek them out. The takeaway being that you need to take action now to prevent becoming a victim of the automatic password hacking machine epidemic.
The 19 Billion Exposed Passwords Hacking Problem
Imagine having access to 19,030,305,929 passwords that were compromised by leaks and breaches over the course of 12 months from April 2024 and involving 200 security incidents. Imagine that only sources where email addresses were available for consumption alongside the stolen password were included in this massive database. Oh, and forget about including any of those word-list compilations, such as RockYou, that regularly do the rounds but are about as useful to a criminal hacker as a chocolate router. Finally, get to grips with the fact that this dataset only includes passwords that have become publicly available in criminal forums online. Once you digest all of this, you can appreciate how huge, in all senses of the word, this really is, especially to any hacker with criminal intent.
The analysis, published May 2 by the Cybernews research team, makes for truly eye-opening reading. It’s so wide-ranging and security-scary in equal measure that it’s hard to know where to start, so the beginning seems as good a place as any: password laziness and reuse. Of the 19,030,305,929 passwords that ended up exposed online, only 6% of them, or 1,143,815,266 if you like to be precise, were unique. Switch that around to 94% of them being reused across accounts and services, whether by the same or different people is moot, and you can see why the average cybercriminal gets very excited about the hacking potential such lists provide.
Now throw in that 42% of the passwords were short, way too short, being only 8-10 characters in length. That now opens up the hacking potential to brute force attacks as well as credential stuffing. Ah, yes, and it just keeps getting worse; 27% consisted of only lowercase letters and digits, no special characters or mixed case. Sigh.
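The three figures above (share of unique passwords, share that are only 8-10 characters long, share made of lowercase letters and digits only) are the kind of thing a defender can measure on any credential dump they are handed. The following script is an added example, not code from the article or from the Cybernews research team: it parses a small constructed sample in the usual "email:password" shape, tolerates passwords that themselves contain a colon, and computes those same metrics plus the counts of the default passwords the article names.

```python
import re
from collections import Counter

# Constructed sample in the "email:password" layout of an infostealer dump.
# Every entry is invented for this example; none is real data.
SAMPLE_DUMP = """\
alice@example.com:Password1
bob@example.com:password
carol@example.com:admin
dave@example.com:Password1
erin@example.com:qwerty123
frank@example.com:Tr0ub4dor&3
grace@example.com:correct horse battery staple
heidi@example.com:admin
ivan@example.com:pa:ss:word
judy@example.com:password
"""

LOWER_DIGIT_ONLY = re.compile(r"[a-z0-9]+")


def parse_dump(text):
    """Yield (email, password) pairs; split on the first ':' only, because a
    password may itself contain colons (see the 'pa:ss:word' entry)."""
    for line in text.splitlines():
        if not line.strip() or ":" not in line:
            continue  # skip blank or malformed lines rather than crash
        email, password = line.split(":", 1)
        yield email.strip(), password


def is_short(password, lo=8, hi=10):
    """The article's 'way too short' band: 8 to 10 characters inclusive."""
    return lo <= len(password) <= hi


def lowercase_digits_only(password):
    """True when the password has no upper case, no symbols, no spaces."""
    return LOWER_DIGIT_ONLY.fullmatch(password) is not None


def analyse(text, defaults=("admin", "password")):
    """Aggregate the dump into the same headline metrics the article reports."""
    passwords = [pw for _, pw in parse_dump(text)]
    counts = Counter(passwords)
    total = len(passwords)
    return {
        "total": total,
        "unique": len(counts),
        "unique_ratio": round(len(counts) / total, 3) if total else 0.0,
        "short_8_10": sum(is_short(pw) for pw in passwords),
        "lower_digit_only": sum(lowercase_digits_only(pw) for pw in passwords),
        "default_uses": {d: counts.get(d, 0) for d in defaults},
        "most_reused": counts.most_common(3),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

On the constructed sample only 7 of 10 passwords are unique, 6 fall in the 8-10 character band and 5 are lowercase-plus-digits only; on a real dump the same functions run unchanged over a file opened line by line.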
Act Now To Mitigate The Stolen Passwords Threat
According to Neringa Macijauskaitė, an information security researcher at Cybernews, “the default password problem remains one of the most persistent and dangerous patterns in leaked credential datasets.” The analysis revealed that there were 53 million uses of admin and 56 million of password, for example. Changing these is one quick way to help mitigate against hackers, as Macijauskaitė said, “attackers, too, prioritize them, making these passwords among the least secure.”
Not reusing your passwords, ever, not at all, is another prime mitigation recommendation. “If you reuse passwords across multiple platforms, a breach in one system can compromise the security of other accounts, creating a domino effect,” Macijauskaitė warned. This means that even without any existing system compromise, attackers are able to exploit common password patterns in their attacks. “Attackers constantly harvest the latest credential dumps from exposed info-stealers and recently cracked hashes available publicly,” Macijauskaitė concluded. “These fresh datasets enable waves of highly effective credential-stuffing attacks, often bypassing traditional security defenses.”
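The mitigations in the two paragraphs above (no default passwords, nothing that already sits in a credential dump, nothing short or single-class) translate directly into a registration-time screen. The function below is an added example, not code from the article or from Cybernews: it rejects the defaults the article names, anything found in a compromised-password corpus, and anything too short or lowercase-and-digits only, and returns every reason so the user can be told what to change. The compromised corpus is a tiny constructed set; the SHA-1 storage of that corpus and the 12-character minimum are design choices made for this example, not figures from the article.

```python
import hashlib
import re

MIN_LENGTH = 12  # assumption for this example; the article only says 8-10 is too short

# "admin" and "password" are the defaults the article reports; the rest are
# assumed extras a deployment would add to its own deny-list.
DEFAULT_PASSWORDS = {"admin", "password", "root", "changeme"}


def sha1_hex(password):
    """Upper-case SHA-1 hex digest; used here only as a lookup key so the
    plain-text corpus need not sit beside the application (design choice)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed compromised-password corpus, stored hashed. A production system
# would load a much larger, regularly refreshed set the same way.
COMPROMISED_HASHES = {sha1_hex(p) for p in ("qwerty123", "letmein", "Summer2024!")}

LOWER_DIGIT_ONLY = re.compile(r"[a-z0-9]+")


def screen_password(candidate, compromised=COMPROMISED_HASHES,
                    defaults=DEFAULT_PASSWORDS, min_length=MIN_LENGTH):
    """Return (accepted, reasons). Every failing check is reported, not just
    the first, so the feedback explains the whole problem."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if LOWER_DIGIT_ONLY.fullmatch(candidate):
        reasons.append("only lowercase letters and digits")
    if candidate.lower() in defaults:  # catches Admin, ADMIN, etc.
        reasons.append("default or common password")
    if sha1_hex(candidate) in compromised:
        reasons.append("appears in a known credential dump")
    return (not reasons, reasons)


if __name__ == "__main__":
    for pw in ("admin", "qwerty123", "Summer2024!", "correct horse battery staple"):
        accepted, why = screen_password(pw)
        print(f"{pw!r}: {'accepted' if accepted else 'rejected: ' + '; '.join(why)}")
```

The case-insensitive default check matters because "Admin" and "ADMIN" are no better than "admin"; the compromised-set check is what stops a user re-registering a password that credential-stuffing tools already hold.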
An Open Letter To The Cybersecurity Industry — Stopping The Stolen Passwords Problem
Paul Walsh, CEO of MetaCert and co-founder of the W3C Mobile Web Initiative in 2004, knows a thing or two about the problem of malicious messaging and has been involved in the creation of internet standards to protect against it. In conversation, Walsh told me that the latest national SMS phishing test carried out in March by MetaCert, and including carriers such as AT&T, Verizon, T-Mobile and Boost Mobile, was as disappointing as it was expected to be. “Every phishing message was still delivered,” Walsh told me, “none were blocked, flagged, or rewritten.” This is disappointing, to say the least, given that the vast majority of phishing platforms are now developed to target mobile devices, overtaking email in this regard in 2024 according to ProofPoint. When you consider that phishing attacks, on whatever platform, are the starting point for most cyber attacks, it’s no great leap to realize that the compromised passwords problem could be drastically reduced, if not stopped dead, by addressing the social engineering issue. Walsh has now written an open letter to the cybersecurity industry asking why the SMS phishing problem wasn’t solved ages ago.
“The cybersecurity industry has no shortage of experts in email security, endpoint protection, or network defense,” Walsh said, “but when it comes to SMS infrastructure and security, there is a distinct lack of deep expertise.” His letter, therefore, is a call to action by security vendors who have “built multi-billion-dollar businesses on stopping phishing in email and corporate networks,” Walsh said, “yet the most trusted communication channel on the planet — SMS — remains an open, unprotected target.” Walsh demands that the same effort that has been made to address email security must now be made for the SMS vector because, he concluded, “criminals have already moved in full force, and the industry is failing to respond.” Unless this happens, and happens with the full might of the cybersecurity industry behind it, I fear that I will be reporting about the compromise of user passwords for some time to come yet.