19 Billion Passwords Leaked, "123456" Still Most Used

A new Cybernews study reveals over 19 billion passwords leaked online between 2024 and 2025, with 94% reused or duplicated—posing massive cybersecurity risks.

The Cybernews report exposes widespread use of weak, duplicate passwords in recent breaches, urging stronger password practices and two-factor authentication. Image: CH


TAIPEI, Taiwan – May 6, 2025:

A sweeping cybersecurity study by Cybernews has revealed that over 19 billion passwords leaked between April 2024 and early 2025 were overwhelmingly reused, with only 6% of them unique. The report, based on data from nearly 200 incidents including major breaches involving Snowflake and SOCRadar.io, sheds light on a persistent global issue: password security negligence.

Cybernews researchers found that 94% of compromised credentials analyzed were either reused or based on simple, easy-to-guess patterns. Passwords such as “123456,” “password,” and “admin” dominated the list, with “1234” alone appearing in nearly 4% of all records—roughly 727 million times.

Culturally and emotionally popular names, words, and themes were also frequently used. For example, “ana” appeared in nearly 179 million passwords, often as part of longer words like “banana.” Other frequently used terms included “love,” “sun,” “joy,” and fictional characters like “mario,” “batman,” and “elsa.”

Even profanities and food items such as “apple,” “pizza,” “rice,” and “tea” made regular appearances. Popular brand names like “google,” “facebook,” and “kia” were also spotted in millions of the leaked credentials. The volume of compromised data exceeded 3TB and included not only passwords but also email addresses and personal identifiers.

The findings also highlight user tendencies to stick with basic password structures. A significant portion, about 27%, used only lowercase letters and numbers, with password lengths commonly falling between 8 and 10 characters. The study noted some progress in password complexity: 19% of users now include a mix of uppercase, lowercase, numbers, and symbols, a modest gain compared to just 1% in 2022.

Cybernews strongly recommends adopting longer, more complex passwords and enabling two-factor authentication to mitigate future risks. As credential stuffing and phishing attacks grow more sophisticated, password reuse remains one of the weakest links in online security.
