A chilling glimpse into online security emerged from a year-long investigation by security researchers who sifted through a staggering six billion leaked passwords. The resulting report isn’t just a list of compromised credentials; it’s a stark warning about the persistent vulnerabilities that plague our digital lives and the scale of the ongoing threat.
The most frequently stolen passwords reveal a disturbing lack of imagination. Topping the list, yet again, are predictably simple combinations: “123456,” “123456789,” “12345678,” “admin,” and, unbelievably, “password.” These aren’t anomalies; they represent a significant portion of compromised accounts.
Beyond these basics, researchers found widespread use of common words like “hello,” “welcome,” “guest,” and “student,” suggesting these breaches aren’t limited to personal accounts. Company, university, and even public access data are frequently exposed due to such easily guessed credentials. The keyboard-row staple, “qwerty,” also continues to appear with alarming regularity.
The pattern of adding predictable suffixes like “@123” or “@1234” to names, countries, or common words further illustrates the problem. Users are consistently demonstrating a lack of creativity, making themselves easy targets. Simply adding a capital letter or special character to a predictable pattern isn’t enough to provide real security.
Interestingly, the majority of analyzed passwords clocked in at exactly eight characters – likely influenced by the length of the word “password” itself. Passwords shorter than eight characters were far less common, while just under a sixth reached that length. This highlights a concerning tendency towards minimal effort in password creation.
The investigation also identified the most prolific infostealers responsible for harvesting these credentials between January and December 2025. LummaC2 led the pack with over 60 million stolen passwords, followed by RedLine (31 million), Vidar (nearly 6 million), StealC (over 3 million), and Raccoon Stealer (over 1.6 million).
Collectively, these five malware families account for the theft of almost 100 million login details. This demonstrates that password breaches often occur on a massive scale, impacting millions simultaneously, as evidenced by a recent, large-scale leak supported by the FBI.
Less tech-savvy individuals, frequently targeted by phishing campaigns, are particularly vulnerable. The rise of Lumma Stealer is especially concerning, as it has rapidly climbed the ranks of the most dangerous programs. Infostealer developers are also refining their offerings, creating increasingly effective and bundled packages.
Protecting yourself requires a fundamental shift in password habits. Both individuals and system administrators must prioritize strong, complex passwords that avoid common patterns. Utilizing a password manager is a crucial step in generating and securely storing unique credentials.
Enabling two-factor authentication adds an essential layer of security. Regularly checking if your password has been involved in a past breach is also vital. Resources are available to help you determine if your credentials have been compromised.
Regular password resets and updates are another important defense. Administrators can enforce specific password policies, such as requiring changes annually or at defined intervals, to proactively mitigate risk and strengthen overall security posture.