Vietnam.vn - Vietnam Promotion Platform

19 Billion Stolen Passwords Made Public, Serious Threat to Users

(Dan Tri) - 19 billion compromised passwords have been analyzed and made public, revealing serious security risks that Internet users around the world are facing.

Báo Dân trí, 07/05/2025


This exposure will fuel credit card fraud and NFC contactless payment fraud (Illustration: Yahoo Tech).

This is not only an alarming statistic but also a wake-up call about the rapid increase in attacks using malware to steal information.

Alarming reality from 19 billion leaked passwords

The database contains 19,030,305,929 passwords stolen in approximately 200 security incidents in just 12 months (since April 2024).

This database is particularly dangerous because it only contains passwords associated with specific email addresses, ready for hackers to exploit.

A new analysis from the Cybernews research group reveals a terrifying truth: only 6% of these 19 billion passwords are unique. This means that the remaining 94% of passwords have been reused across multiple accounts and services, opening the way for hackers to easily gain mass access.

Additionally, 42% of passwords are only 8-10 characters long, and 27% contain only lowercase letters and numbers, with no special characters or uppercase letters.

These passwords are extremely easy to crack using brute force or credential stuffing techniques.

According to the report, default passwords such as "admin" (appeared 53 million times) and "password" (56 million times) are still widely used, making them a top target for cybercriminals.

“The default password problem remains one of the most persistent and dangerous patterns in leaked credential data sets,” stressed Neringa Macijauskaitė, security researcher at Cybernews.

The fight against SMS fraud

Paul Walsh, CEO of MetaCert and co-founder of the W3C Mobile Web Initiative, has criticized the cybersecurity industry's ineffectiveness in preventing SMS phishing - one of the main methods leading to password theft.

Walsh asserts that most cyber attacks originate from phishing.

A report from security research group Resecurity further illuminates the threat of smishing.

Resecurity's investigation found that the cybercriminal group responsible for this, called the Smishing Triad, has been active since at least 2023, and is capable of sending up to 2 million fraudulent SMS messages per day, targeting 720 million victims per year.

Another organization, possibly a branch or successor to the Smishing Triad, uses Telegram channels and automated bots to provide smishing services.

They primarily distribute messages via Apple's iMessage and Android's RCS platform, and also purchase large numbers of compromised Gmail and Apple accounts to fuel large-scale campaigns.

These groups' smishing toolkits can be customized and deployed on any server, demonstrating an alarming level of sophistication and scale of operation.

Unforeseen consequences

Smishing doesn’t just threaten your passwords. It also fuels credit card fraud, contactless payment (NFC) fraud, and complex money laundering chains, costing financial institutions and individual users globally millions of dollars each year.

Clearly, the fight against password theft and online fraud requires heightened vigilance from each individual and a stronger commitment from the entire cybersecurity industry to protect users against increasingly sophisticated threats.

Without drastic action, reports of billions of compromised passwords will continue to emerge.

Experts warn that users need to act immediately to protect themselves:

Never reuse passwords: This is the most important recommendation. If you reuse passwords, a breach in one system can lead to a series of compromises in your other accounts, creating a dangerous "domino effect."

Change default passwords immediately: This is a quick and effective measure to reduce the risk of being hacked.

Use strong, unique passwords: Combine uppercase and lowercase letters, numbers, and special characters. Consider using a password manager to generate and securely store complex passwords.

Source: https://dantri.com.vn/cong-nghe/19-ty-mat-khau-bi-danh-cap-duoc-cong-khai-de-doa-nghiem-trong-nguoi-dung-20250506235452360.htm

