19 Billion Stolen Passwords For Sale Online — New Warnings Issued

Posted by Davey Winder, Senior Contributor | 3 weeks ago | /consumer-tech, /cybersecurity, /innovation, Consumer Tech, Cybersecurity, Innovation, standard | Views: 66


I recently reported how an incredible 19 billion stolen passwords had been found to have been published on the dark web and criminal marketplaces online. That article went viral in a way I never expected, but that’s a good thing considering what has emerged since. Two new warnings have been issued, which are of particular importance given the ongoing reports of compromised passwords and how they are being used in cyberattacks. Take heed of these warnings now and ensure you are not the next victim.


Whose Password Is It Anyway?

Although you might think you are on top of the whole password construction and usage thing, the chances are that is not actually the case for far too many people. I mean, after all, when one new report reveals that there were 2.9 billion unique yet compromised passwords available on dark web forums and Telegram channels across 2024, you have to wonder whose passwords you are using. If you don’t follow strictly random processes for creating long and strong passwords, such as employing a password manager to generate them for you every time, along with secure management practices to prevent reuse, did I mention password managers already, then you are likely part of the problem, my friend.

The 2025 password table, published by Hive Systems, brings real-world insight into how quickly your password can be cracked. I should, at this point, say that I’m not a huge fan of the “how long does it take to crack a password” approach to credentials security, not least because the prevalence of infostealer malware rather makes that irrelevant, but it serves a purpose to illustrate password construction hygiene anyway. The newly published password table report, authored by Corey Neskey, vice president of quantitative risk at Hive Systems, focuses on a hacker using a black box process starting from scratch to crack an unknown hash. But Neskey acknowledged that “if your password was part of another breach or uses dictionary words, then your password table looks like this,” that “this” being a table with just the word “instantly” repeated over and over.

Marcus White is a cybersecurity specialist at Specops who specializes in authentication, password security, password management, and compliance. He is, without any shadow of a doubt, a password expert. A May 13 report authored by White goes into some detail about the passwords that hackers are using to specifically attack file transfer protocol ports. While this might seem rather niche, it’s nothing of the sort. FTP is one of those things that hackers like to attack, often using brute force, because it’s usually an easy route into your network. Indeed, the Specops research team has been analyzing the last 30 days of FTP port attacks against live networks to determine the most common passwords used by the threat actors concerned. “Knowing the tactics real-world attackers are using,” White explained, “can help you shape your organization’s password policy and defend against brute-force attacks.” Importantly, brute-force attacks will use known passwords and username combinations until access is achieved. Can you guess where a lot of these credentials come from? Bingo! Those infostealer logs.
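To make the “instantly” row and the policy point above concrete, here is an added example (not code from Hive Systems, Specops or this article): a password policy check that answers “instantly” for anything already on a known-compromised list before it bothers with the from-scratch brute-force estimate. The breach list is constructed and the attacker guess rate is an assumed figure, not one taken from the Hive Systems table.

```python
import string

# Constructed sample of passwords seen in leaked/infostealer logs (placeholder values, not real breach data).
BREACHED_PASSWORDS = {"123456", "password", "admin123", "qwerty", "letmein", "ftp", "ftpuser"}

# Assumed attacker guess rate for the black-box estimate (hypothetical figure, not from the Hive Systems table).
GUESSES_PER_SECOND = 1e10


def charset_size(pw: str) -> int:
    """Size of the combined character pools that cover every character of pw (the black-box keyspace base)."""
    pools = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(len(pool) for pool in pools if any(c in pool for c in pw))


def human(secs: float) -> str:
    """Render a duration the way a password table does."""
    if secs < 1:
        return "instantly"
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if secs >= size:
            return f"{secs / size:,.0f} {unit}"
    return f"{secs:.0f} seconds"


def estimate(pw: str, breached=BREACHED_PASSWORDS, rate=GUESSES_PER_SECOND):
    """Return (label, seconds). A breached password is 'instantly' regardless of length or character mix."""
    if pw in breached or pw.lower() in breached:
        return "instantly", 0.0
    secs = charset_size(pw) ** len(pw) / rate  # worst case: exhaust the whole keyspace from scratch
    return human(secs), secs


def acceptable(pw: str, min_years: float = 100.0) -> bool:
    """Policy check: reject anything breached, then anything a from-scratch brute force would exhaust too soon."""
    _, secs = estimate(pw)
    return secs >= min_years * 365 * 86400


if __name__ == "__main__":
    for pw in ("123456", "Admin123", "abc", "Tr0ub4dor&3"):
        print(f"{pw!r:16} {estimate(pw)[0]}  acceptable={acceptable(pw)}")
```

Swap the constructed set for a real breached-password feed (the Specops report is built on exactly that kind of data) and the same check becomes a usable policy gate.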


The Infostealer Password Problem And How To Solve It

As Vakaris Noreika, cybersecurity expert at threat exposure platform NordStellar, told me, the threat from infostealer malware is far greater than most people imagine. It’s not just the fact that so many passwords, and other credentials such as session cookies to bypass two-factor authentication protections, are being stolen, but also the ease of access that cybercriminals have to them. “Dark web users can purchase stealer logs by subscribing to a private channel,” Noreika said, referring to Telegram channels where such access to millions of compromised passwords can be had for as little as $81.

So, how do you solve a problem like stolen passwords at scale? You are probably not going to like this much, but the answer is an obvious one: stop using the darn things. Why risk your carefully constructed, seemingly strong password when you can just use a much more secure and infinitely harder to compromise passkey? If you can’t yet use a passkey for a service, then please, don’t reuse your passwords.


