Showing posts with label data breach. Show all posts

Friday, May 9, 2025

Over 19 Billion 'Lazy' Passwords Have Been Leaked

Do you think that you have strong passwords? Are you sure about it?

A new study examined more than 200 data breaches between April 2024 and 2025 and found 19,030,305,929 newly exposed passwords. That is more than twice the population of the whole world.


It is quite an interesting analysis to read, both to understand people's password behavior and maybe to reconsider our own passwords.


https://bit.ly/3F4HVOR


Headlines:


"...Lazy keyboard patterns, such as 123456, still reign supreme, and 94% of passwords are reused or duplicated, data leaks from 2024-2025 reveal. Names like Ana rank as the second most popular component."


"'We’re facing a widespread epidemic of weak password reuse. Only 6% of passwords are unique, leaving other users highly vulnerable to dictionary attacks...'"


"Key takeaways

- Most people use 8–10 character passwords (42%), with eight being the most popular.

- Almost a third (27%) of the passwords analyzed consist of only lowercase letters and digits.

- Passwords composed of profane or offensive words might seem rare, but they're actually very common in practice.

- Despite years of being called out, default and 'lazy' passwords like 'password', 'admin', and '123456' are still a common pattern."


"The analyzed dataset contains exposed credentials from leaks or breaches that happened in a 12 month period starting with April 2024.


The data included leaked databases, combolists, and stealer logs originating from around 200 cybersecurity incidents. Only data that became publicly available was analyzed.


The leaks exposed a total of 19,030,305,929 (19 billion) passwords. Only 1,143,815,266 (6%) (1 billion) of passwords were identified as unique."


"It’s no surprise that you’ll find '1234' in almost 4% of all passwords – over 727 million passwords use this sequence. Extending it by two additional numbers, to '123456', leaves 338 million passwords using it. 'Password' and '123456' have been the most popular passwords at least since 2011."


"Many systems originally provide these defaults, such as routers with 'admin/admin' or phones with 1234 PINs. Users either never change them or even recycle these passwords elsewhere themselves."


"'Many users choose a name as part of their password. We cross-referenced the dataset with the 100 most popular names of 2025 and found that there’s a whopping 8% chance for them to be included as part of a password,' the researcher explains.


Ana was the most popular, used in almost 1%, or 178.8M passwords. This short component naturally appears in many other common words, such as 'banana' (used in 3.7M passwords).


Many users opt for passwords inspired by positive, uplifting concepts. Words like love (87M), sun (34M), dream (6.1M), joy (6.9M), and freedom (2M) dominate the positive wordlist.


Some of the most frequently used pop culture terms in passwords include Mario (9.6M), Joker (3.1M), Batman (3.9M), Thor (6.2M), and, surprisingly, Elsa (2.9M) from Disney’s 'Frozen'.


'Positive associations, admired characters, and nostalgia make people feel familiar and are easy to recall. However, popularity becomes predictability, exploited by attackers,' the researcher explains.


Swear words are also very common in passwords. The top entry, ass (165M), can be partly explained by the use of 'pass' or 'password'. However, users often craft their passwords using fuck (16M), shit (6.5M), dick (3.2M), and bitch (3.2M)."


"Other top-most frequently used words in passwords include countries, cities, US states, food, popular brands, nature, animals, or even seasons or months.


The most popular city for passwords is Rome (13M), while 9.8M passwords include lion and 7.8M – fox. Summer (3.8M) is the most popular season, and users seem to prefer Monday (0.8M) the most to protect their accounts."
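As an added example (not from the study or the original post), the sketch below screens candidate passwords against the component categories quoted above. It assumes case-insensitive substring matching, which is why 'banana' is counted under the name 'ana'; the term lists are a constructed sample of terms the post quotes, and `audit_password` and `tally` are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample lists built from terms quoted in the post; a real
# deployment would check against a full breached-password corpus instead.
COMPONENTS = {
    "default": ("password", "admin"),
    "sequence": ("123456", "1234"),
    "name": ("ana",),
    "popular_word": ("love", "sun", "dream", "joy", "freedom",
                     "mario", "joker", "batman", "thor", "elsa"),
}
# Matches passwords drawn only from a-z and 0-9 (no uppercase, no symbols).
LOWER_DIGITS_ONLY = re.compile(r"[a-z0-9]+")


def audit_password(candidate):
    """Return a sorted list of findings for one candidate password."""
    findings = set()
    lowered = candidate.lower()
    for category, terms in COMPONENTS.items():
        for term in terms:
            # Substring match: short terms also hit inside longer words.
            if term in lowered:
                findings.add(f"{category}:{term}")
    if LOWER_DIGITS_ONLY.fullmatch(candidate):
        findings.add("charset:lowercase_digits_only")
    return sorted(findings)


def tally(candidates):
    """Count how many candidates trigger each finding."""
    counts = Counter()
    for candidate in candidates:
        counts.update(audit_password(candidate))
    return counts


if __name__ == "__main__":
    # Constructed sample input, not real leaked data.
    sample = ["banana2024", "Admin123456", "ilovebatman", "T7#qLw!9zR&e"]
    for pw in sample:
        print(f"{pw!r}: {audit_password(pw) or 'no findings'}")
    print(dict(tally(sample)))
```

A signup or password-change handler could reject any candidate with a non-empty findings list before it is hashed and stored.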





Tuesday, December 24, 2024

Texas Tech University Data Breach

 

Yet another breach at a hospital.


The impact is limited(!) to 1.4 million people this time. The attackers claimed to have stolen 2.5 terabytes of data. (OMG!)


Given the critical nature of the healthcare sector, robust countermeasures against cyberattacks are essential.


Texas Tech University is notifying over 1.4 million individuals that their personal information was stolen in a ransomware attack targeting its Health Sciences Center and Health Sciences Center El Paso.


After reviewing the stolen data, the university determined that personal information such as names, addresses, dates of birth, driver’s license numbers, government ID numbers, and Social Security numbers were compromised.


Additionally, the attackers stole health insurance and medical information, including diagnosis and treatment details, and financial account information.


https://bit.ly/4ftH0DH


"After securing its systems, the university discovered that the attackers had access to its network from September 17 to September 29, 2024, and that they exfiltrated certain files and folders during that time."


"The university’s incident notice does not specifically say ransomware was used in the attack, but it does mention “temporary disruptions”, and the Interlock ransomware group has claimed responsibility for the incident.


In late October, the gang added Texas Tech University Health Sciences Center to its leak site, claiming the theft of roughly 2.5 terabytes of data, including patient information, medical research, and multiple SQL databases."


"However, Interlock is not the only ransomware group to claim an attack on Texas Tech University. In July, the Meow ransomware group was offering for sale five SQL databases allegedly containing emails, passwords, and other sensitive information from the university, along with a security vulnerability affecting the institution’s website."

Tuesday, October 29, 2024

Landmark Data Breach


You can take the necessary cybersecurity countermeasures for your own systems, but will that be enough?

Of course not. Many organizations overlook the security of their third-party service providers, which can lead to significant financial and reputational damage.


"Landmark, a Texas-based third-party insurance administrator, has disclosed a data breach that affects more than 800,000 individuals. The incident was detected in May; the compromised data include names, Social Security numbers, tax ID numbers, drivers’ license and state-issued identification card numbers, passport numbers, bank account and routing numbers, medical information, health insurance policy information, dates of birth, and/or life and annuity policy information..." (OMG! What else?)


See the link below for the summary of the breach:

https://bit.ly/3NQ28bP


https://bit.ly/3NJaEtj


"The Texas-based company works as a third-party administrator for insurance carriers like Liberty Bankers Insurance Group (LBIG), which includes American Monumental Life Insurance Company, Pellerin Life Insurance Company, American Benefit Life Insurance Company, Liberty Bankers Life Insurance Company, Continental Mutual Insurance Company, and Capitol Life Insurance Company."


"The breach notification letters note that the first incident occurred on May 13, when an IT team discovered “suspicious activity” that required them to disconnect the affected systems and hire a third-party cybersecurity firm. 

An investigation revealed that “there was unauthorized access to Landmark’s network and data was encrypted and exfiltrated from its system.” The hackers were in Landmark’s systems from May 13 to June 17." (The hackers were in the system for more than one month.)


"Landmark told regulators in Maine that 806,519 people were affected in total but they also filed documents in California and Texas, warning that about 68,000 Texans were impacted.


Insurance companies and their partners or subsidiaries are frequent targets for cyberattacks eager to steal volumes of sensitive health-related data. Last week, insurance firm Globe Life told the U.S. Securities and Exchange Commission that it is being extorted by hackers after data on more than 5,000 people was stolen from a subsidiary."

Sunday, November 13, 2022

Australia's Medibank Ransomware Attack

 

Australian health insurer Medibank suffered a ransomware attack in which the names, dates of birth, addresses, phone numbers and email addresses of 9.7 million customers were allegedly leaked. (Quite a huge amount of data.)


In this ransomware attack, the victim's files were not encrypted; instead, the attackers threatened to expose them. The ransomware gang began to publish some of the information on the internet to show that they really have the data.


Medibank refused to pay the ransom in order not to encourage such attacks. (A brave but risky decision, which I think is the correct one.)


It is believed that the attack was carried out by the ransomware gang REvil or BlogXXX.


And yeah... We see one more time that cyber security is not a game or an abstract concept. On the contrary, cyber threats are real and can have serious effects on our real lives.


https://www.theregister.com/2022/11/07/medibank_breach_n0_ransom_payment/


"Australian health insurer Medibank – which spent October discovering a security incident was worse than it first thought – has announced it will not pay a ransom to attackers that made off with personal info describing nearly ten million customers."


"Medibank also confirmed that primary identity documents, such as drivers licenses, were not accessed for most of its clients – but around 1.8 million international customers weren't so lucky and also had details of the visas that permit them to reside in Australia exposed. The Australian national health scheme (Medicare) ID numbers of 2.8 million customers were also leaked."