This Massive Data Breach Shows Why We Need to Ditch Passwords Once and for All

Passwords are the backbone of both the Internet and computing in general. Even with the advent of new authentication protocols, from passwords to biometrics, most of us still use passwords to log into our everyday accounts and websites using a code made up of letters, numbers, and symbols.

The problem is that the password was really a product of its time and doesn’t belong in the modern digital age. Cybersecurity threats have evolved so much beyond the ability of a password to protect against them that they’ve effectively become a liability — even if you follow best practices for creating and maintaining them. Case in point: news of the latest data breach, one of the largest in history, in which researchers found not millions but billions of passwords circulating online.

Sixteen Billion Passwords Have Been Leaked Online

Cybernews broke the news on Friday: this year, the publication’s researchers found 30 data sets online, each containing between “tens of millions and more than 3.5 billion records.” In total, the researchers said, they found 16 billion passwords leaked online.

What’s more, all of these passwords were recently leaked. None of them had been reported in previous data breaches, except for about 180 million passwords found in an unsecured database in May. Researchers say they continue to find new “massive” data sets every few weeks, so there’s no sign of the discoveries slowing down.

The way the data was structured strongly suggests that the stolen credentials were obtained using infostealers, malware that steals just such information from your devices, the researchers said. The attackers were able to obtain login details for major accounts including Apple, Google, GitHub, Facebook, Telegram, and government services. As Cybernews makes clear, this does not mean that these companies themselves suffered a data breach; rather, the database contained URLs to these companies’ login pages that had been copied from individual devices, likely using malware.

Some of the credentials also contained additional data beyond usernames and passwords, including cookies and session tokens. This means that this information could be used to bypass two-factor authentication (2FA) for certain accounts, especially those that do not reset cookies after a password change.

If there’s one silver lining to this story, it’s that the 16 billion stolen passwords don’t represent 16 billion individual records; there is some overlap, although it’s unclear how much: while it’s safe to say that fewer than 16 billion individual accounts were affected by these breaches, it’s hard to pin down an exact number.

What can attackers do with this data?

First of all, if your accounts are only protected by a password and you haven’t changed your password in a while, an attacker could take advantage of this password database leak to gain access to your account.

But the implications go beyond that. As mentioned earlier, leaked cookies and session tokens can be used to compromise accounts with weaker 2FA. If your account doesn’t reset its cookies after you change your password, they can trick the 2FA system into thinking you’ve provided the correct 2FA code or credentials. They can also use this information in phishing schemes: hackers can use your password to trigger a 2FA code generation. When the code arrives, they can try to trick you into handing it over, potentially impersonating the company behind the account in question. If and when you submit the code, they’ll have access to your account.
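The cookie problem described above comes down to whether a server ties its sessions to the password that was current when they were issued. The following is an added illustration, not code from the article or from any vendor named in it: a hypothetical session store that records a per-user password version in each session, so that changing the password makes every previously issued cookie (stolen or not) stop working.

```python
# Added example (not from the article): sessions bound to a per-user
# password version, so a password change invalidates every cookie issued
# before it. Names are hypothetical; hashing is a plain salted SHA-256
# for brevity, where real code would use a slow KDF such as argon2/bcrypt.
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

class User:
    def __init__(self, username: str, password: str):
        self.username = username
        self.pw_version = 0  # bumped on every password change
        self._set_password(password)

    def _set_password(self, password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.sha256(self.salt + password.encode()).digest()

    def check_password(self, password: str) -> bool:
        cand = hashlib.sha256(self.salt + password.encode()).digest()
        return hmac.compare_digest(cand, self.pw_hash)

    def change_password(self, new_password: str) -> None:
        self._set_password(new_password)
        self.pw_version += 1  # this is what makes stolen cookies useless

class SessionStore:
    """Maps opaque session tokens to (username, pw_version at issue time)."""
    def __init__(self, users: Dict[str, User]):
        self.users = users
        self.sessions: Dict[str, Tuple[str, int]] = {}

    def login(self, username: str, password: str) -> Optional[str]:
        user = self.users.get(username)
        if user is None or not user.check_password(password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user.username, user.pw_version)
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Username for a live cookie, or None if it is stale or unknown."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        username, issued_version = entry
        if issued_version != self.users[username].pw_version:
            del self.sessions[token]  # predates the password change: reject
            return None
        return username
```

A server that skips the version check in `resolve` is exactly the “does not reset cookies after a password change” case the article warns about: a cookie lifted by an infostealer keeps working after the victim rotates the password.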

Why It’s Time to Ditch Passwords Completely

Data breaches of this scale (and this routine) simply weren’t common when the password became the primary digital security tool. For years, tech and cybersecurity experts have been preaching the importance of using a combination of strong and unique passwords, password management tools, and 2FA to keep your accounts safe and secure. All of that is still important today, but when there are malware programs that can scrape your credentials right off your devices, those tactics don’t seem so foolproof anymore.

The fact is that a security system that relies on something that can be stolen is not a secure system in 2025. Something has to change – and fortunately, it is.

Passkeys are much more secure

Going forward, it’s time to take passkeys much more seriously. Unlike passwords, passkeys are not at risk of being stolen, and attackers cannot trick you into sending them your passkey. The technology is tied to a device you personally own, such as a smartphone, and is protected by strong authentication. Without a face scan, fingerprint scan, or PIN entry on a designated personal device, no one will be able to access your account.


Passkeys combine the best aspects of passwords and two-factor authentication: they’re convenient because you can quickly authenticate with your smartphone (like autofilling with a password manager), but they require you to have that personal device on hand to access your account, just as two-factor authentication requires you to have an additional authentication method to log in.

More and more companies are starting to use passkeys as a form of authentication, including Apple, Google, Facebook, Microsoft, and X. If any of your accounts support passkeys, I highly recommend you set them up. That way, when the next inevitable data breach happens, you’ll be protected.

What to do with accounts that don’t accept passkeys

Of course, not all accounts can use passkeys right now. In such cases, you will need to strengthen your password security as best you can.

First, make sure each of your accounts has a strong, unique password. This means it can’t be easily guessed by a human or computer, and it means you haven’t used it for any other account before. While you don’t need to change your passwords as often as traditional security advice suggests, given the news, you may want to update your passwords, just to be safe.

It’s impossible to remember all those strong, unique passwords, which is where a good password manager comes in. These services use strong encryption to protect your password database — all you need to remember is one strong, unique password that you use to access the password manager, and the app can remember the rest. Some of these services also come with other tools, like an authenticator code generator, so they’re worth the investment. PCMag has a list of the best password managers for 2025 if you’re looking for hand-reviewed recommendations.

Speaking of authenticators, set up 2FA for every account that supports it — which should be most of them at this point. While passkeys are the strongest form of authentication, 2FA still adds to your security if your password is leaked. Without a code or authentication tool like a security key, attackers won’t be able to access your account even if they have your password.

Finally, as more websites and companies continually add passkey support (including, earlier this week, Facebook), continue to monitor your accounts for this option and make the switch as soon as possible. Stay safe out there.
