This Massive Data Breach Shows Why We Need to Kill the Password Once and for All


Passwords are a staple of the Internet and of IT in general. Even as newer authentication methods have emerged, such as passkeys and biometrics, most of us still sign in to our everyday accounts and websites with a code made up of letters, digits and symbols.

The problem is that the password was very much a product of its time and does not really belong in the modern digital age. Cybersecurity threats have evolved so far beyond what a password can protect against that passwords have become a liability, even when you follow best practices for creating and safeguarding them. Case in point: news of the latest data breach, one of the largest of all time, in which researchers discovered not millions but billions of passwords floating around the web.

Sixteen billion passwords leaked on the Internet

Cybernews broke the story on Friday: this year, the outlet's researchers found 30 data sets exposed on the Internet, each containing “tens of millions to more than 3.5 billion records”. In total, the researchers say, 16 billion passwords were found leaked on the web.

What's more, these passwords are all newly leaked. None of them had been reported in previous data breaches, with the exception of around 180 million passwords found in an unprotected database in May. The researchers say they continue to find new “massive” data sets every few weeks, so the discoveries show no sign of slowing down.

According to the researchers, the way the data is structured strongly suggests that the leaked credentials were stolen by infostealers, a type of malware that scrapes your devices for exactly this kind of information. The bad actors were able to obtain login details for major accounts, including Apple, Google, GitHub, Facebook, Telegram and government services. As Cybernews makes clear, this does not mean that these companies themselves suffered data breaches; rather, the database contained login URLs for those companies' sign-in pages, scraped from individual devices, most likely by malware.

Some of the credentials also contained data beyond usernames and passwords, including cookies and session tokens. This means the information can be used to bypass two-factor authentication (2FA) on certain accounts, especially those that do not reset cookies after you change your password.

If there is a silver lining in this story, it is that the 16 billion leaked passwords do not represent 16 billion individual records. There is some overlap, although it is not clear how much: while it is safe to say that fewer than 16 billion individual accounts were affected by these breaches, it is also hard to know the exact number.

What can bad actors do with this data?

First and foremost, if your accounts are protected only by a password and you have not changed that password recently, a bad actor could use this leaked password database to get into your account.

But the implications go beyond that. As noted above, leaked cookies and session tokens could be used to break into accounts with weaker 2FA. If your account does not reset cookies after a password change, an attacker may be able to fool the 2FA system into thinking they have already supplied the correct 2FA code or credentials. They can also use this information in phishing schemes: hackers can use your password to trigger the generation of a 2FA code. When the code arrives on your end, they can try to trick you into handing it over, posing as the company behind the account in question. If and when you send the code, they get into your account.

Why it’s time to stop using passwords completely

This level of sophisticated (and routine) data breach simply was not a thing when the password became popular as the main digital security tool. For years, technology and cybersecurity experts have preached the importance of combining strong, unique passwords, password managers and 2FA to keep your accounts safe. All of that still matters today, but when malware exists that can scrape your credentials straight off your devices, these tactics no longer seem to hold up.

The fact is that a security system built on something that can be stolen is not a secure system in 2025. Things have to change, and fortunately, they are.

Passkeys are much more secure

Going forward, it is time to take passkeys much more seriously. Passkeys, unlike passwords, are not at risk of theft, and bad actors cannot trick you into sending them your passkey. The technology is bound to a device you personally own, such as a smartphone, and locked behind strong authentication. Without a face scan, fingerprint scan or PIN entry on that personal device, no one gets into your account.


Passkeys combine the best parts of both passwords and 2FA: they are convenient, because you authenticate quickly with your smartphone (much like autofill with a password manager), but they also require that personal device to be in your possession to access the account, similar to how you need a second authentication method to log in with 2FA.

More and more companies are starting to adopt passkeys as a form of authentication, including Apple, Google, Facebook, Microsoft and X. If one of your accounts supports passkeys, I strongly suggest you set them up. That way, when the next inevitable data breach happens, you will be protected.

What to do for accounts that do not support passkeys

Of course, not every account supports passkeys yet. In those cases, you will need to shore up your password security as best you can.

First of all, make sure each of your accounts has a strong, unique password. That means something that cannot easily be guessed by a human or a computer, and something you have never used for any other account. Although you do not need to change your passwords as often as traditional security advice has suggested, given the news, you may want to update your passwords, just in case.

It is impossible to remember all those strong, unique passwords, which is where a good password manager comes in. Some of these services also come with other tools, such as authenticator code generation, so they are well worth the investment. PCMAG has a list of the best password managers for 2025, if you are looking for hands-on tested recommendations.

Speaking of authenticators, set up 2FA on every account that supports it, which, at this point, should be most of them. Although passkeys are the strongest form of authentication, 2FA still strengthens your security in the event your password leaks. Without the code or an authenticator device, such as a security key, bad actors will not be able to access your account, even with your password.

Finally, with more websites and companies adding passkey support all the time (including, earlier this week, Facebook), keep checking your accounts for the option and make the switch as soon as you can. Stay safe out there.
