top of page

Over 24.6 Billion Usernames and Passwords Have Been Compromised Since 2016

According to a study by Digital Shadows, over 24.6 billion username and password combinations have been exposed due to data breaches. While this is the number of credentials seen available on the dark web since 2016, the rate at which compromised login credentials are growing is alarming, as the current total represents a 65 percent increase since 2020.

2019 was the most productive year for cyber criminals as 10.3 billion new login credentials were compromised. This was followed by an additional 5.1 billion username and password combinations compromised in 2020 and 4.8 billion in 2021.

Underscoring consumers’ lackadaisical approach to security is the fact that the most commonly compromised password was “123456” which represented 0.46 percent of passwords compromised from unique username and email password combinations. The top 50 most common passwords made up 2.4 percent of all unique username and password combinations while the top 100 represented 2.77 percent.

Further showing that consumers’ password practices and inherently insecure was the amount of times the same username and password combinations were compromised. Of the 24.6 billion compromised username and password combinations, just 6.7 billion, or 27 percent, were a unique pairing. This included 1.7 billion unique credential pairs since 2020.

Although it’s not just consumers who have subpar security practices, many organizations do as well. The majority of passwords that have been compromised since 2016 were sold in plain text, as just 11.2 percent were encrypted compared to 88.8 percent that were not. Keep in mind, however, that the password may have been hashed or encrypted when stored or compromised, but the hacker was able to decrypt or crack the password before posting for sale.

For more information:


bottom of page