Fallout From the 16B Password Dump

Imagine a locksmith who spent a decade pocketing spare keys from every break-in, welded them onto a single ring and quietly put the bundle up for sale. That is what security researchers recently uncovered. 

This 16 billion password dump is compiled from numerous misconfigured databases of stealer-malware logs, some overlapping with earlier giants like RockYou2024 and the Mother of All Breaches (MOAB). The cache includes usernames, passwords, login URLs and authenticated session data for services that include, but are not limited to, Google, Apple, Facebook, government agencies and VPN providers.

As a refresher, RockYou2024 contained nearly 10 billion unique passwords and was posted last July. The MOAB included 26 billion records from 3,876 breaches and was released in January 2024. This most recent collection of credentials represents enough stolen data to give every person on Earth two compromised accounts, and every botnet an endless supply of log-ins.

There is some good news: according to Forbes, no credential in this collection was created in 2025. Even so, these 16 billion pieces of login data still represent a huge concern. As reported by DataQuest, various studies show that over 65% of users reuse passwords across multiple services. That makes a large compilation of credentials extremely useful for brute-force attacks, in which attackers essentially throw every known combination at a login page to see which ones still grant access.

Old Leaks Cracking New Doors

Attackers use automation to spray those username-and-password combinations against login portals across a range of critical industries, including the industrial sector. Additional industry findings supporting the widespread concern include:

  • 88% of web-application breaches in Verizon’s 2025 DBIR involved stolen credentials.
  • A working corporate session sells for about $10 on Dark Net crime forums.
  • During attack spikes, over 80% of all log-in traffic on large SaaS platforms is automated credential testing.
  • Only 0.1% of attempted combos need to work for criminals to succeed, and bots fire millions per minute. Even a tiny hit rate translates into thousands of live accounts.
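The automated credential testing described above has a recognisable shape in authentication logs: one source hits many different accounts in a short burst and almost every attempt fails. The following detector is an added example, not code from the article or from InboxArmy; the log format, the sample lines and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the article). Assumed line format:
# "<ISO-8601 timestamp> ip=<source> user=<account> result=<success|failure>"
SAMPLE_LOG = """\
2025-06-20T10:00:01 ip=203.0.113.7 user=alice result=failure
2025-06-20T10:00:02 ip=203.0.113.7 user=bob result=success
2025-06-20T10:00:02 ip=203.0.113.7 user=carol result=failure
2025-06-20T10:00:03 ip=203.0.113.7 user=dave result=failure
2025-06-20T10:00:03 ip=203.0.113.7 user=erin result=failure
2025-06-20T10:00:04 ip=203.0.113.7 user=frank result=failure
2025-06-20T10:00:05 ip=203.0.113.7 user=grace result=failure
2025-06-20T10:00:10 ip=198.51.100.4 user=carol result=failure
2025-06-20T10:00:40 ip=198.51.100.4 user=carol result=success
2025-06-20T10:01:00 ip=192.0.2.9 user=ivan result=success
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(success|failure)$")


def parse_log(text):
    """Return (timestamp, ip, user, succeeded) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, result == "success"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, max_success_rate=0.2):
    """Flag sources that try many distinct accounts within one window with a low success
    rate (the stuffing signature: a spray of leaked pairs, rare hits). For each flagged
    source, "compromised" lists the accounts that did succeed, which need a forced reset
    and session revocation. Simplification: one span per source, not a sliding window."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        users = {e[2] for e in evs}
        hits = [e[2] for e in evs if e[3]]
        if (evs[-1][0] - evs[0][0] <= window and len(users) >= min_users
                and len(hits) / len(evs) <= max_success_rate):
            flagged[ip] = {"attempts": len(evs), "distinct_users": len(users),
                           "successes": len(hits), "compromised": sorted(set(hits))}
    return flagged
```

A user who mistypes a password twice and then signs in (198.51.100.4 above) is never flagged, because the distinct-account count stays at one; the spraying source is flagged and its single successful login is surfaced for follow-up.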

And the financial implications cannot be ignored.

  • The average cost of a breach hit a record high last year - $4.88 million.
  • Breaches that start with stolen passwords take 292 days on average to detect and contain.
  • The longer crooks stay undetected, the more data they siphon - with legal, reputational and recovery costs continuing to escalate.

This super-dump works only because people repeat old secrets on new sites.

  • In addition to frequently reusing passwords, 13% admit to using the same one everywhere.
  • 72% of Gen Z recycles passwords, and 59% reuse an old password after a breach notice. Each reused password is another skeleton key waiting for a bot to find the right door.

Regulators Are Shortening the Fuse

Governments can’t outlaw bad passwords, but they can force faster truth-telling. Some recent regulatory actions regarding credentials include:

  • U.S. SEC rule: Public companies must file an 8-K on “material” cyber-incidents within four business days.
  • EU NIS2: Essential entities must issue an early warning within 24 hours of a significant incident. 

Cybersecurity specialists at InboxArmy have compiled a list of strategies to help lower the chances of any compromise.

  • Turn on strong two-step sign-in. A second check, such as a phone prompt or a USB security key, blocks almost every password-only hack. According to the firm, 83% of IT leaders at small and mid-size firms now require MFA for staff log-ins.
  • Switch to passkeys whenever you can. Passkeys live on your device; there’s no password to steal. A May 2025 FIDO survey shows 74% of consumers know about passkeys, and 69% already use at least one.
  • Let a password manager do the work. Random 16-character passwords are painless when software remembers them. Most reuse happens simply because people have to remember.
  • Lock down the inbox that unlocks everything. 11% of Americans have had an email or social account hijacked. Turn on unusual-sign-in alerts, add backup codes and sign out stray sessions. If crooks can’t crack your email, they can’t reset the rest of your accounts.

Breaches don’t vanish; they calcify into downloadable lists that criminals re-weaponize year after year. Until we stop recycling passwords and start embracing passkeys plus strong two-step checks, the same old leaks will keep opening brand-new doors.

This article was produced by InboxArmy - a leading email deliverability and marketing optimization platform.