
At Heimdal we’re constantly monitoring the latest industry alerts, media reports, academic research and government data to keep track of password breaches. It’s a crucial part of our work, and means we can advise our customers on emerging threats. 

To help you get up to speed, we’ve compiled this collection of some of the most notable password breach statistics of the past 12 months.

Explore this data to understand password breach trends in 2025. 

This article includes data on:

  • The sheer number of password breaches in 2024/25
  • Password hygiene issues
  • Password breaches by country
  • Behaviour and password breaches
  • Positive trends in passwords

Key password breach data for 2025

Here are the most significant password statistics we’ve identified in the past 12 months:

  • 16 billion passwords were leaked in one of the biggest data breaches of all time
  • 94% of passwords are used to access multiple accounts
  • Shockingly, ‘123456’ remains the most popular password
  • 37% of successful attacks against web applications use brute force (that is, guessing easy passwords)
  • Only 3% of passwords meet recommended complexity requirements
  • Germany was the country with the highest number of password breaches in 2025

Password breach data for 2025 

We’ve collected data from a range of industry, academic and media sources to paint a picture of password security breaches this year. 

Massive data breach: 16 billion passwords leaked

In June 2025, media outlet CyberNews reported on a data leak containing a titanic 16 billion stolen passwords and user credentials (making it the second largest breach ever).

The cache of usernames and passwords appears to be a compilation of credentials from 30 recent data leaks. Some of these login details are entirely new, but it’s likely a significant proportion are.

It’s also likely that there’s a fair amount of overlap between the datasets, so there may be considerably fewer than 16 billion unique passwords in the leak. Nevertheless, this remains a massive data dump, and will likely affect millions of people worldwide.

This comes after the so-called ‘mother of all breaches’ in January 2024, which released some 26 billion records.  

Poor password hygiene: 94% of passwords are duplicated

Early analysis of this year’s password breaches data highlights some very worrying trends regarding password management and online behaviour. 

  • 94% of passwords are being reused across two or more accounts
  • Only 6% of passwords are unique
  • 42% of passwords are short (8-10 characters)
  • 27% of passwords consist of only lowercase letters and digits
  • Data from Verizon’s 2025 Data Breach Investigations Report shows that only 3% of passwords meet NIST complexity requirements for password best practices
  • In the breach that CyberNews discovered, there were 53 million uses of ‘admin’ as a password, and 56 million uses of ‘password’

Password guessing: brute force attacks account for 37% of breaches

Even when people’s email addresses and passwords haven’t been published online, it’s still extremely easy for hackers to use brute force attacks to guess common login details. 

According to Verizon, 37% of successful attacks against web applications used brute force in 2025, up from 21% the year before. A primary reason for this is that people are still using passwords that are incredibly easy to guess. 

In late 2024, NordPass, a password manager software company, published its latest data on the most common passwords people are using. Many of these remain worryingly weak.

According to NordPass, the top 10 most common passwords are:

  1. 123456
  2. 123456789
  3. 12345678
  4. password
  5. qwerty123
  6. qwerty1
  7. 111111
  8. 12345
  9. secret
  10. 123123

Notably, the top 10 most common passwords for personal accounts are almost identical to the top 10 passwords for business accounts.

Employers clearly still have a lot of work to do when it comes to training people on basic password safety.

These weak passwords are a problem because they make hackers’ jobs easy.

To access a victim’s account, hackers simply need to know their victim’s username or email ID. It’s then simply a case of trying out some of the common, basic password variations listed above.

Buyer’s market: credentials now cost as little as $10

The sheer quantity of passwords and accounts being breached means that it really is a buyer’s market. According to Verizon, the average price for stolen credentials on one criminal market in 2025 was just $10.

For a relatively low investment, hackers can then try reusing these passwords on multiple websites to gain access to their victims’ social media, email inboxes, online shopping accounts or cloud storage.

And why not subscribe and save? One IT managed services provider reports that some criminal groups are selling subscription packages. Hackers can now receive a reliable stream of stolen passwords for just $81 per week. 

The scale of this illegal market is vast. Verizon reports that 2.8 billion passwords were put up for sale on criminal forums in 2024 alone. 

Germany leads world in password breach statistics

Europe’s largest economy has the dubious accolade of being the country with the highest number of stolen passwords in the past year. But other nations are close behind:

Over 580,000 password data breaches took place in Germany last year according to NordPass, making it the leading country worldwide for this kind of crime.

The United States came in second place, with just over 500,000, followed by China, with 448,000 leaks. 

Only a quarter of victims are aware of breaches

Research suggests that, among the general public, there is low awareness of the data breaches that affect them. In one survey with 473 respondents, 74% of participants weren’t aware that their usernames and passwords had appeared in one or more data breaches. 

If victims don’t know their passwords have been leaked, they have no reason to take steps to secure their accounts (i.e. setting a new password and enabling MFA).

The intention vs action gap remains huge

If you knew your email and password had been hacked, would you do anything about it? Most people claim that they would, but many fail to follow up. 

In a study published in November 2024, participants were informed that their credentials had appeared on the Have I Been Pwned website. A majority (63% or 868 people) said they would change their breached password after they were told.

However, when the researchers followed up with participants two weeks later, only 27% had actually made any changes. 

This highlights a concerning intention vs action gap. Even though people know they should update their passwords when their accounts have been breached, almost three quarters fail to do so.

Many websites still tolerate poor passwords

While end users certainly bear responsibility for using weak passwords, most people struggle to remember long, complex passwords composed of random letters, numbers and symbols.

Since the average person holds 168 accounts that require passwords, expecting them to use unique passwords each time is unrealistic. It’s unsurprising that many people fall into the habit of reusing passwords.

There is therefore an argument that website owners need to shoulder more responsibility when it comes to making people use hard-to-guess logins.

A recent academic study found that many websites still make it easy to use weak passwords:

  • Around half of websites sampled don’t enforce a minimum password length
  • One third of websites don’t follow complexity and character type requirements when people open new accounts
  • More than 80% of websites still allow people to use easy-to-guess logins such as ‘P@ssw0rd’
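As an added illustration (not code from the study or from Heimdal), here is a signup-time check that addresses the gaps listed above: it enforces a minimum length and rejects passwords that reduce to an entry on the NordPass top-10 list quoted earlier, which is how ‘P@ssw0rd’ gets caught. The function names, the minimum length of 8 and the substitution map are assumptions made for this example.

```python
import unicodedata

# The NordPass top-10 list quoted earlier in this article.
COMMON_PASSWORDS = {
    "123456", "123456789", "12345678", "password", "qwerty123",
    "qwerty1", "111111", "12345", "secret", "123123",
}

MIN_LENGTH = 8  # assumed policy value, not taken from the article

# Constructed map of common character swaps ("leetspeak").
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e",
                      "1": "i", "!": "i", "$": "s", "5": "s", "7": "t"})
TRAILING = "0123456789!@#$%^&*?._-"  # typical padding appended to a base word


def canonical_forms(password):
    """Return the spellings of a password to compare against the blocklist."""
    # NFKC folds look-alike forms (e.g. full-width letters) before lowercasing.
    folded = unicodedata.normalize("NFKC", password).casefold()
    forms = {folded, folded.rstrip(TRAILING)}
    # Undo character swaps on both the full and the stripped spelling.
    forms |= {form.translate(LEET) for form in forms}
    forms.discard("")
    return forms


def check_password(password):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if canonical_forms(password) & COMMON_PASSWORDS:
        problems.append("common_password")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs for a signup form.
    for candidate in ["123456", "P@ssw0rd", "P@ssw0rd123!",
                      "correct horse battery staple"]:
        print(repr(candidate), check_password(candidate) or "accepted")
```

‘P@ssw0rd’ is eight characters long, so a length rule alone accepts it; only the blocklist comparison after normalization rejects it.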

Some positives: Passwords are getting longer and more complex

Although most of our 2025 password breach statistics are fairly dispiriting, there are some positives that emerge. 

One recent analysis compared three massive password breaches over the past 15 years (RockYou of 2009, RockYou2021 and RockYou2024).

These enormous caches contain millions of real-world passwords and provide a valuable insight into the kinds of login details people are using.  

The data shows that passwords are getting more complex in a variety of ways. 

  • Length: In 2009, 33% of passwords contained fewer than 8 characters. By 2024, only 10% of passwords were this short. At the other end of the scale, almost 7% of passwords contained more than 16 characters in 2024, compared to 0.85% in 2009 and 3% in 2021.
  • Declining use of names: In 2009, almost 200,000 people used a first or last name in their passwords. By 2024, this had reduced to about 150,000.
  • Increasing complexity: The researchers found that between 2009 and 2024, passwords had become more complex, using a greater variety of cases, numbers, symbols and randomization.
  • Declining use of simple strings: There was also a decrease in the use of predictable strings of numbers or letters over time. For example, in the 2009 RockYou breach, there were over 2,500 passwords containing ‘1234’, but fewer than 1,000 passwords with this string in 2024.

Password breach statistics show there’s still much to improve

Password breaches have continued to be a massive problem in 2025, with one of the largest breaches ever recorded occurring this year. 

While the scale of breaches in 2025 is worrying, the most concerning issue is what those breaches show about people’s password behavior.

Analysis of the passwords exposed through cybersecurity breaches – as well as other studies – shows time and again that people are still using incredibly weak passwords. This puts their personal and business information within easy reach of cybercriminals.

What is more, surveys and experimental studies from the last 12 months show that many people fail to act – even when they’re informed their passwords have been breached.

To compound the problem, many websites are still permitting new users to create weak passwords. 

The continued reliance on passwords as a means to access the online world and business accounts is clearly not fit for purpose.

The good news is that more advanced security methods – such as multi-factor authentication (MFA) – can dramatically reduce the risks associated with weak login credentials and password breaches.

Going forward, we expect these more advanced verification methods to become the norm. 
