Stop Using Your Password — 800 Million Stolen Passwords Listed Online (2025)

Update, April 19, 2025: This story, originally published April 18, has been updated with technical information regarding passkeys and their security advantages in light of the latest reports of compromised passwords being listed online.

That passwords have reached their collective sell-by date is not news. You only have to look at the millions of devices infected by infostealer malware, the automated password-cracking tooling threat actors now run at scale, and the zero-day exploits that specifically target Windows credentials for proof of that. Here’s the thing: even with two-factor authentication added to the login mix, you are still not safe. 2FA bypass attacks, using attacker-in-the-middle proxies and session-cookie theft, weaken even that defense, because a one-time code or an authenticated session can be relayed or stolen just as a password can. As if that all wasn’t worrying enough, I’m sorry to report that your password could already be compromised and available to hackers. Here’s what you need to know, why you need to act now, and what action must be taken.


Has Your Password Been Compromised? For Millions The Answer Is Yes

Hackers don’t break in; they log in. This, I’m sad to say, has increasingly become the reality of how threat actors operate. After all, why go to the trouble of finding vulnerabilities to exploit or using complex attack methodologies when there are readily available lists of compromised credentials out there to purchase? Heck, many of these lists are even available to download for free from criminal forums online.

The culprit? The rise of infostealer malware. According to the latest IBM X-Force Threat Intelligence Index, published April 17, there has been an 84% increase in the number of infostealers being delivered by phishing emails per week. As well as the phishing tactics, X-Force analysts said that other increasingly popular attack vectors include “SEO poisoning and Google Ads, drive-by attacks, and software supply chain compromises.”

Early data for 2025, the X-Force report warned, has revealed an increase of 180% in the infostealer delivery threat compared to 2023. “This upward trend fueling follow-on account takeovers,” it stated, “may be attributed to attackers leveraging AI to create phishing emails at scale.”

What’s more, these are not just idle threats, for want of a better term. They are incredibly effective. In 2024, the X-Force report confirmed, some eight million adverts on the dark web and in criminal forums, each containing lists of hundreds of stolen credentials, were found in relation to the top five infostealer malware threats. That’s at least 800 million passwords, likely far more, listed online, and it represents just the tip of this nefarious cyber-iceberg.


You Can Fight Back By Not Using Your Password

With the same threat actors that are distributing these lists of stolen passwords also selling custom adversary-in-the-middle attack services to bypass 2FA protections, according to the X-Force researchers, there is little doubt that you need to take action, and take it now. The good news is that it’s pretty easy to protect yourself against both threats, and highly effective once that protection is in place. Better still, you get increased protection against criminal hackers while, at the same time, getting a more straightforward method of securely signing in to your accounts. It really is a win-win situation.

So, what is the solution? Stop using passwords and use passkeys instead.

A Google spokesperson told me that its internal research has revealed “security keys provide a stronger protection against automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication.” That research concerns hardware security keys, but the property it measures, a credential bound to the site it was registered with, is the same one a passkey has, whether the passkey lives on a phone, in a password manager or on such a key. The same message can be heard in the advice that a Microsoft spokesperson provided. “We recommend switching to Passkeys wherever possible and using authentication apps such as Microsoft Authenticator, which warn users about potential phishing attempts.”


What Is A Passkey And Why Is It Better Than Your Password?

Passkeys were launched originally as part of an initiative by Apple, Google and Microsoft to effectively consumerize solid enterprise security authentication standards, namely the FIDO Alliance’s FIDO2 and the W3C’s WebAuthn. 1Password's chief product officer, Steve Won, explained to me exactly how passkeys work and how they are more secure than a password. “Every passkey is made up of two keys—a unique public key, which is created and stored on that company’s server, and a private key, which is stored on the user’s device.” At sign-in the server sends a fresh random challenge; the device signs it with the private key, and the server checks that signature with the public key it holds, so no secret ever crosses the wire. “Because of this,” Won said, “passkeys are nearly impossible for hackers to guess or intercept because the keys are randomly generated and never shared during the sign-in process.”

The bullet-point TL;DR when it comes to passkey security is as follows:

  • Passkeys are strong by default and cannot be guessed or brute-forced: the private key is a randomly generated cryptographic key, not something a human chose, and it is never typed anywhere.
  • Passkeys are phishing and social-engineering resistant. The credential is bound to the website it was registered with, so a look-alike domain cannot ask for it, and there is no secret for a fake login page to capture and replay.
  • A passkey private key never leaves your device in the clear. Synced passkeys are copied to your other devices only under end-to-end encryption by your passkey provider; device-bound ones, such as those on a hardware security key, never leave it at all.
  • Passkeys are effortless to create and use: automatically generated, with no room for human error and nothing to remember. They also provide a very familiar experience, as you authorize use of a passkey with the same biometric or PIN that already unlocks the device.

If you still need to be convinced, visit Passkeys.io, where you can try a very simple passkey demonstration and see for yourself just how easy they are to use.

And if you are concerned that losing your smartphone, or whatever device these passkeys are created and stored upon, means you lose all access, whereas a password can be reset, don’t panic. A synced passkey is created on one device in your ecosystem but is end-to-end encrypted and synced to the others by your passkey provider, so it is tied to your account rather than to any single lost device. If you need to recover one, you sign in to that provider, say Apple’s iCloud Keychain or 1Password, for example, on another of your devices and the passkey is restored there. Two caveats are worth knowing. First, the provider account becomes the thing to protect, so lock it down with its own strong second factor and recovery options. Second, a passkey on a hardware security key is device-bound and does not sync, so register a second passkey, or a second key, with each service rather than relying on a single one.

