A massive cache of more than 16 billion leaked passwords, including credentials linked to major platforms like Apple, Facebook, and Google, has been discovered online, highlighting the urgent need for users to update their passwords and strengthen their digital security practices.
Cybersecurity researchers from Netherlands-based firm Surfshark analyzed publicly available breach data and found that U.S. users account for over 2.2 billion exposed credentials—more than any other country. Russia, India, and Brazil follow, but the U.S. leads both in the volume and rate of compromised accounts.
The exposed credentials span over 30 years of data breaches, and the trend is accelerating: over 250 million passwords were leaked in the first quarter of 2024 alone. These aren’t minor incidents—many of the stolen credentials are tied to widely used platforms like LinkedIn, Twitter (now X), Netflix, and Adobe, and often include combinations of usernames, passwords, and other personal data.
What’s more alarming is how many of these passwords remain extremely weak. The most frequently leaked password in the U.S. is still “123456,” and globally, similar weak combinations dominate the top of the list.
What You Should Do Right Now
If you haven’t updated your passwords recently—or you tend to reuse them across platforms—it’s time to take action:
- Change your passwords immediately, especially for your email, banking, and social media accounts.
- Use a password manager to create and securely store strong, unique passwords.
- Enable two-factor authentication (2FA) wherever available.
- Switch to passkeys on supported platforms for added security.
  🔑 Passkeys are a more secure alternative to passwords, and many major platforms now support them:
  - How to switch from a password to a passkey on Facebook
  - How to switch from a password to a passkey on Apple
  - How to switch from a password to a passkey on Google
- Monitor your accounts regularly for suspicious activity and consider signing up for a breach notification service to stay informed.
Large credential dumps like this are commonly used in credential stuffing attacks, where hackers test stolen usernames and passwords across countless websites to find working logins.
The takeaway? If you haven’t changed your passwords lately—or aren’t using passkeys where available—it’s time to act.
Source: Adapted from Davey Winder’s reporting for Forbes.