Between April 2024 and April 2025 there were over 200 major data breaches, two of them involving the potential exposure of every Social Security number ever issued by the US Government. Some 19 billion passwords were exposed in that period and are now circulating in the dark corners of the Internet for bad actors to collect and use.
Over the same period we have urged users to change their passwords whenever a breach that we knew would directly affect the MIT community became known.
Cybersecurity researchers at Cybernews conducted an analysis of this massive drop of passwords.
The analysis covered over 200 major data breaches between April 2024 and April 2025, exposing 19,030,305,929 real passwords. Despite decades of public awareness campaigns, only 6% of the leaked passwords were unique. Common strings such as “123456” and “password” continue to dominate, with the former appearing in 338 million cases. A further 56 million included the term “password,” and 53 million featured “admin.”
The password breaches in this period included, but were not limited to, Gmail, Outlook, and LastPass. If you used any of these services you should already have changed those passwords, along with the password on any other account where you reused them.
Warning — 19 Billion Compromised Passwords Have Been Published Online
https://www.forbes.com/sites/daveywinder/2025/05/06/new-warning—19-billion-compromised-passwords-create-hacking-arsenal/
19 Billion Passwords Leaked as Study Finds 94% Are Reused or Duplicated, Fueling Cybercrime Surge
https://www.btimesonline.com/articles/174148/20250507/19-billion-passwords-leaked-as-study-finds-94-are-reused-or-duplicated-fueling-cybercrime-surge.htm
Best practice for secure passwords is:
- At least 12 characters. 16 or longer is better, and keeps the password viable as cracking hardware improves.
- At least one capital letter, one number, and one symbol.
- Long, but easy for you to remember (a short phrase of several words works well).
Examples of the style of password to aim for (do not use these exact strings; once they are published they are no longer secret):
PiratesoftheCarabiner!2025
TimBeaverton$the3rd$
GrandElfTheWhite!13
To eliminate the risk of one exposed password compromising several accounts, never use the same password for more than one account. Reuse is exactly what the 94% duplication figure above describes, and it is what lets attackers turn a single leak into access to your other accounts.
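The rules above, checked in code. This is an added example written for this notice, not a tool MIT IT distributes; the leaked-password list it uses is a constructed three-entry stand-in for the strings the Cybernews analysis singled out ("123456", "password", "admin"), and the account-to-password mapping in the demo is made up. The reuse check hashes each password before grouping so that a report of which accounts share a password can be produced without writing any plaintext to a log.

```python
from __future__ import annotations

import hashlib
import re
from collections import defaultdict

# Constructed stand-in for a breach corpus: the three strings the
# analysis in the text names as most common. A real check would use a
# far larger list (or an offline copy of a breached-password corpus).
COMMON_LEAKED = {"123456", "password", "admin"}
LEAKED_TERMS = ("password", "admin")

MIN_LEN = 12    # the minimum recommended above
IDEAL_LEN = 16  # the "future-proof" length recommended above


def check_password(pw: str) -> list[str]:
    """Return the list of policy violations; an empty list means it passes."""
    problems: list[str] = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")

    # Compare case-insensitively: "Password1!" is as guessable as "password1!".
    lowered = pw.lower()
    if lowered in COMMON_LEAKED:
        problems.append("appears verbatim in the leaked-password list")
    else:
        for term in LEAKED_TERMS:
            if term in lowered:
                problems.append(f"contains the common term '{term}'")
    return problems


def is_future_proof(pw: str) -> bool:
    """True when the password passes policy AND meets the longer, preferred length."""
    return not check_password(pw) and len(pw) >= IDEAL_LEN


def find_reuse(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Group account names that share a password.

    Returns {fingerprint: [accounts...]} for every password used by more
    than one account. The fingerprint is a truncated SHA-256 of the
    password, so the result can be shown or logged without exposing it.
    """
    groups: dict[str, list[str]] = defaultdict(list)
    for account, pw in accounts.items():
        fingerprint = hashlib.sha256(pw.encode("utf-8")).hexdigest()[:12]
        groups[fingerprint].append(account)
    return {fp: sorted(names) for fp, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    # The three example passwords from the text, plus weak ones for contrast.
    for candidate in ("PiratesoftheCarabiner!2025", "TimBeaverton$the3rd$",
                      "GrandElfTheWhite!13", "123456", "Password1234!"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")

    # Constructed account list: two accounts share one password.
    demo_accounts = {
        "mail": "PiratesoftheCarabiner!2025",
        "bank": "PiratesoftheCarabiner!2025",
        "vpn": "GrandElfTheWhite!13",
    }
    for fp, names in find_reuse(demo_accounts).items():
        print(f"password {fp}... is reused on: {', '.join(names)}")
```

Note that the character-class rules are the easy part; the checks that catch most real-world weak passwords are the length floor and the comparison against what has already leaked, which is why the leaked-list check runs even on passwords that satisfy every composition rule.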
A common practice is to keep a list of passwords in a password-protected Word file. That protection is only as strong as the one document password, and such a file is easily left in a mail attachment or shared folder.
For users who cannot keep track of that many passwords, a dedicated password manager such as LastPass or Bitwarden is the better option. Users hesitant about LastPass because of its 2022 security breach should use Bitwarden.
Please let us know if you have any questions.