
We're all warned about the continued dangers of cyber attacks in 2025, but according to a new report, things could be even more desperate than we first thought.
Cybersecurity crackdowns are everywhere, but unfortunately, that doesn't stop bad actors from slipping through the virtual net and getting into our private details.
Microsoft has already tried to ditch password sign-ins as an attempt to bamboozle hackers, and as we've seen, it can take mere milliseconds to crack the average password.
Forbes' Davey Winder has been keeping an eye on the password pandemic, previously estimating that the number of passwords finding their way onto the dark web has risen from 800 million to up to 2.1 billion.

In a new report, Winder claims that infostealer malware attacks could be responsible for even more leaks, potentially meaning a jaw-dropping 19 billion passwords are out there and up for grabs.
Since April 2024, there have apparently been 200 security incidents, leading to 19,030,305,929 hacked passwords being readily available online.
Winder warns: "The takeaway being that you need to take action now to prevent becoming a victim of the automatic password hacking machine epidemic."
He blames 'password laziness and reuse', with only 6% (1,143,815,266) of the 19 billion being unique. When you realize 94% of these passwords were reused across accounts and services, it shows why cybercriminals are likely rubbing their hands right now.
Added to this, 42% of the passwords were said to be in the short range of 8-10 characters in length, while 27% consisted of only lowercase letters and digits without special characters or mixed case.
Cybernews information and security researcher Neringa Macijauskaitė said: "The default password problem remains one of the most persistent and dangerous patterns in leaked credential datasets."
We all know about the passwords that are most commonly used, with the breach showing 53 million uses of 'admin' and a baffling 56 million uses of 'password'.
Macijauskaitė added: "Attackers, too, prioritize them, making these passwords among the least secure."

We're also told never to reuse passwords across multiple platforms. While it might be a faff to try and remember unique passwords for each individual service, considering how many we have these days, Macijauskaitė concluded: "If you reuse passwords across multiple platforms, a breach in one system can compromise the security of other accounts, creating a domino effect.
"Attackers constantly harvest the latest credential dumps from exposed info-stealers and recently cracked hashes available publicly.
"These fresh datasets enable waves of highly effective credential-stuffing attacks, often bypassing traditional security defenses."
In terms of where we're being targeted, Paul Walsh, CEO of MetaCert and co-founder of the W3C Mobile Web Initiative in 2004, reiterated that the latest national SMS phishing test carried out by MetaCert showed that the likes of AT&T, Verizon, and T-Mobile failed to stop phishing messages from being delivered.
Walsh has written an open letter explaining: "The cybersecurity industry has no shortage of experts in email security, endpoint protection, or network defense, but when it comes to SMS infrastructure and security, there is a distinct lack of deep expertise."
It seems that our smartphones are the latest to be targeted by hackers, so don't click any of those unknown links and send your passwords out into the world.