Over 19 billion passwords have been leaked in security ‘crisis’ – here’s how to check if yours is vulnerable


Over 19 billion passwords were leaked in the last year alone amid what experts are calling a cybersecurity “crisis.”

But there are ways to protect yourself.

A new study by Cybernews examined more than 200 data breaches between April 2024 and 2025, and found that of the 19,030,305,929 newly exposed passwords, 94 percent of them were reused or duplicated – in some cases by different users entirely.

“We’re facing a widespread epidemic of weak password reuse,” noted Neringa Macijauskaite, information security researcher at Cybernews. “Only 6 percent of passwords are unique, leaving other users highly vulnerable to dictionary attacks. For most, security hangs by the thread of two-factor authentication – if it’s even enabled.”

Experts called for an acceleration of tighter security methods, highlighting that cybercriminals only require an exposed password to then access email addresses and other personal data.

The leaks examined by researchers were “loaded with information that could be used to steal accounts or impersonate affected people in identity theft attacks,” the study noted.


The study found that millions still favor basic passwords that are easy to remember – and easy for hackers to guess. “Password” is used by 56 million people, and 53 million use “admin.”

Researchers also found that the sequence “1234” appears in almost 4 percent of all passwords, making them easy for hackers to guess.

People’s names were the second most popular choice for a password.

“Many users choose a name as part of their password. We cross-referenced the dataset with the 100 most popular names of 2025 and found that there’s a whopping 8 percent chance for them to be included as part of a password,” Macijauskaite said.

Others opted for positive words such as “love,” which was in 87 million passwords analyzed, and “sun,” used in 34 million. Swear words are also common in passwords, the research revealed.

“Passwords built from profane or offensive words might seem rare, but they’re actually very common in practice,” Macijauskaite said. “Passwords containing profanity often originate from attempts at personalization or memorability. However, such terms are prevalent in attacker wordlists and pose a substantial risk to account security.”

Experts advise using a password manager for extra protection and to never reuse passwords.

Use password managers to create and store unique passwords for different accounts.

Never reuse passwords.

Make sure your password is at least 12 characters long and includes uppercase and lowercase letters, numbers, and at least one special symbol.

Enable multi-factor authentication when possible, which reduces the risk even if passwords are leaked or hacked.

Review access controls regularly, and perform regular security audits. Monitor and react to credential leaks.
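The advice above can be turned into an automated check. The following Python sketch is an added example, not code from the article or from Cybernews: it applies the 12-character and character-class rule, rejects passwords containing the tokens the study flagged, and reports reuse across accounts. The name list, the character-swap table and the sample vault are constructed assumptions.

```python
import string
from collections import defaultdict

# Tokens the article reports as common in leaked passwords.
COMMON_TOKENS = ["password", "admin", "1234", "love", "sun"]
# Constructed stand-ins: the article does not list the 100 names it checked.
SAMPLE_NAMES = ["emma", "noah"]

# Undo simple character swaps so "P@ssw0rd" is still caught (added assumption).
LEET = str.maketrans({"@": "a", "0": "o", "$": "s", "3": "e", "!": "i"})

def audit_password(pw):
    """Return a list of findings; an empty list means no rule was violated."""
    findings = []
    if len(pw) < 12:
        findings.append("shorter than 12 characters")
    classes = {
        "uppercase letter": string.ascii_uppercase,
        "lowercase letter": string.ascii_lowercase,
        "number": string.digits,
        "special symbol": string.punctuation,
    }
    for label, chars in classes.items():
        if not any(c in chars for c in pw):
            findings.append(f"missing {label}")
    lowered = pw.lower()
    normalised = lowered.translate(LEET)
    for token in COMMON_TOKENS + SAMPLE_NAMES:
        if token in lowered or token in normalised:
            findings.append(f"contains common token '{token}'")
    return findings

def find_reuse(vault):
    """Map each password used on more than one account to those accounts."""
    by_password = defaultdict(list)
    for account, pw in vault.items():
        by_password[pw].append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}

# Constructed sample data, not taken from any breach.
SAMPLE_VAULT = {
    "mail": "Password1234!",
    "bank": "Password1234!",
    "forum": "vT7#qLm2&xRd9w",
}
```

Note that “Password1234!” satisfies the length and character-class rule yet is still flagged, because it is built from two of the most common tokens in the leaked data.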