More Than 16B Passwords Leaked in Data Breaches: Report

A new report reveals that more than 16 billion leaked passwords are circulating online, creating major risks of account takeovers, identity theft and other cyberattacks.

In a report published by Cybernews earlier this year, investigators indicate that 30 different online databases offer access to login credentials for billions of individuals, most of which appear to be recent data not tied to previously known cybersecurity breaches.

Cybersecurity breaches occur when hackers gain access to individuals’ private online information, often including names, logins, passwords, Social Security numbers and other sensitive data that can be used to take over accounts or impersonate people.

More than 1 billion online accounts in America alone were impacted by data breaches in 2024, prompting lawsuits against companies like Change Healthcare, AT&T, Ticketmaster and others, over customers’ personal information being leaked, exposing them to risks of identity theft, financial fraud and other negative consequences.

In the new report, Cybernews investigators said that criminals had gained access to an “unprecedented” number of personal credentials for many major online platforms, including Apple, Facebook, Google and government websites. Investigators determined that much of the information was accessed through the use of malware and credential stuffing sets, with some also being recycled from older leaks.

Malware refers to malicious software created to damage systems, steal sensitive information, or seize control of a device without the user’s consent. Common types include viruses, worms, spyware and ransomware. Credential stuffing sets, on the other hand, are bundles of stolen usernames and passwords, often gathered from prior data breaches, that hackers use to break into other accounts where victims have reused the same login details.

The researchers noted that each of the 30 datasets contained an average of about 550 million records, many traced to sources in Russia or platforms like Telegram. The largest single dataset held 3.5 billion credentials belonging to Portuguese-speaking users.

Much of the information was presented in the same format: URL, a user login, then the password, reflecting the standard format hackers use to collect and trade stolen data.

Despite the massive amount of information discovered, the research team emphasized that they had access to the data for only a short period of time and were not able to cross-check all of the sets, so there could be some overlap among the records.
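The overlap caveat can be made concrete with a small sketch, added here as an illustration and not taken from the Cybernews report: it parses records in the URL, login, password order described above and compares raw line counts with the distinct credentials behind them. The colon delimiter, the function names and the sample lines are all assumptions constructed for this example.

```python
import hashlib
import hmac
import os
import re
from urllib.parse import urlsplit

# Assumed layout: URL:login:password (the report gives the field order only).
RECORD = re.compile(
    r"^(?P<url>https?://[^/:\s]+(?::\d+)?(?:/[^:\s]*)?)"
    r":(?P<login>[^:\s]+):(?P<password>.+)$",
    re.IGNORECASE,
)
RUN_KEY = os.urandom(32)  # per-run key: fingerprints are useless outside this process

# Constructed sample data, two hypothetical datasets with one shared credential.
DATASETS = {
    "set_a": [
        "https://shop.example.com/login:alice@example.com:Summer2024!",
        "https://mail.example.org:8443/auth:bob:pa:ss:word",
        "not a credential line",
    ],
    "set_b": [
        "HTTPS://SHOP.EXAMPLE.COM/login:Alice@Example.com:Summer2024!",
        "https://portal.example.net:carol:x",
    ],
}


def parse_record(line):
    """Return (host, login, password), or None for lines that do not match."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    host = urlsplit(m["url"]).hostname  # lowercased, port and path dropped
    return host, m["login"].lower(), m["password"]


def fingerprint(record):
    """Keyed hash of a record so plaintext passwords are never stored."""
    return hmac.new(RUN_KEY, "\x00".join(record).encode(), hashlib.sha256).hexdigest()


def overlap_report(datasets):
    """Compare raw line counts with the distinct credentials behind them."""
    seen, raw, parsed = {}, 0, 0
    for name, lines in datasets.items():
        for line in lines:
            raw += 1
            record = parse_record(line)
            if record is None:
                continue
            parsed += 1
            seen.setdefault(fingerprint(record), set()).add(name)
    shared = sum(1 for sources in seen.values() if len(sources) > 1)
    return {"raw": raw, "parsed": parsed, "unique": len(seen), "shared": shared}
```

On the constructed sample, five raw lines reduce to three distinct credentials, one of which appears in both sets; the same effect at scale is why a headline total built from uncross-checked datasets is an upper bound.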

Data Breach Lawsuits

These widespread exposures have not only put billions of users at risk but also triggered a wave of lawsuits against companies accused of failing to protect customer data.

In February 2024, Change Healthcare announced a ransomware attack that significantly disrupted healthcare operations and compromised the names, addresses, Social Security numbers, medical histories and insurance details of an estimated 100 million people in the U.S.

As a result, individuals have filed Change Healthcare class action lawsuits against the technology company for failing to take appropriate action to safeguard their personal and healthcare information.

In addition to the massive Change Healthcare data breach, a Ticketmaster data breach exposed the personal information of more than 560 million customers. Individuals filed Ticketmaster data breach class action lawsuits against Ticketmaster, Live Nation and Snowflake Inc., alleging that the companies failed to take appropriate steps to safeguard customer data.

Snowflake’s role in the Ticketmaster litigation also triggered a massive AT&T data breach settlement, resolving complaints related to AT&T accounts caught up in that incident, in addition to a separate hacking event that occurred in March and affected more than 70 million people.

In June, parties in the AT&T data breach settlement negotiations announced they had reached a tentative $177 million agreement to resolve the consolidated data breach litigation. Individuals have until November 18 to submit claims for payouts.


Written By: Michael Adams

Senior Editor & Journalist

Michael Adams is a senior editor and legal journalist at AboutLawsuits.com with over 20 years of experience covering financial, legal, and consumer protection issues. He previously held editorial leadership roles at Forbes Advisor and contributes original reporting on class actions, cybersecurity litigation, and emerging lawsuits impacting consumers.



