This Massive Data Breach Shows Why We Need to Kill the Password Once and for All

16 billion passwords were leaked. Yes, billion.

Jun 20, 2025 - 21:40
Passwords are a staple of both the internet and computing at large. Even as new authentication protocols have emerged—from passkeys to biometrics—most of us use passwords to log into our daily accounts and websites using a code made up of letters, numbers, and symbols.

The problem is, the password was a product of its time, and it doesn't really belong in the modern digital age. Threats have evolved so far beyond what a password can protect against that passwords have become a liability, even when you follow best practices for creating them and keeping them secure. Case in point: News of the latest data breach, one of the largest ever, in which researchers discovered not millions, but billions of passwords floating around on the web.

Sixteen billion passwords leaked on the internet

Cybernews broke the story Friday: This year, the outlet's researchers found 30 datasets exposed on the internet, each containing anywhere from "tens of millions to over 3.5 billion records." According to the researchers, they've found a collective 16 billion passwords leaked on the web.

What's more, these passwords are all newly leaked. None of them have been reported in previous data breaches, save for roughly 180 million passwords found in an unprotected database back in May. The researchers say they continue to find new "massive" datasets every few weeks, so the discoveries show no signs of slowing.

According to researchers, the way the data was structured strongly suggests the leaked credentials were stolen via infostealers, a type of malware that scrapes your devices for just this type of information. Bad actors were able to obtain the login details for major accounts, including Apple, Google, GitHub, Facebook, Telegram, and government services. As Cybernews makes clear, this doesn't mean those companies suffered data breaches themselves; rather, the database contained login URLs for these companies' login pages that were scraped from individual devices, likely using malware.

Some credentials also contained additional data aside from usernames and passwords, including cookies and session tokens. That means it's possible that this information could be used to bypass two-factor authentication (2FA) for certain accounts, especially those that do not reset cookies after you change your password.

If there's a silver lining in this story, it's the fact that the 16 billion leaked passwords do not represent 16 billion individual accounts; there is some overlap between the datasets, though it's not clear how much. It's safe to say that fewer than 16 billion individual accounts were affected by these breaches, but the exact number is hard to pin down.

What can bad actors do with this data?

First and foremost, if your accounts are only protected by a password, and you haven't changed your password recently, a bad actor could use this leaked password database to access your account.

But the implications go beyond that. As previously stated, leaked cookies and session tokens could be used to break into accounts with weaker 2FA. If your account doesn't reset cookies after you change your password, an attacker might be able to trick the 2FA system into thinking they've already provided the proper 2FA code or credential. They can also use this information in phishing schemes: Hackers can use your password to trigger a 2FA code generation. When the code arrives on your end, they can try to trick you into handing it over, potentially posing as the company behind the account in question. If and when you send the code, they'll gain access to your account.

Why it's time to stop using passwords altogether

This level of sophisticated (and routine) data breach just wasn't a thing back when the password came into popular use as the primary digital security tool. For years, experts in tech and cybersecurity have preached the importance of using a combination of strong and unique passwords, password manager tools, and 2FA to keep your accounts safe and secure. Those are all still important today, but when malware exists that can scrape your credentials directly from your devices, those tactics don't seem so bulletproof anymore.

The fact is, a security system that relies on something that can be stolen isn't a secure system in 2025. Things need to change—and luckily, they are.

Passkeys are much more secure

Going forward, it's time to take passkeys much more seriously. Passkeys, unlike passwords, are not at risk of theft in the way a password is, nor can bad actors trick you into sending your passkey to them: the private key never leaves your device, and the website only ever sees a one-time signature. The tech is tied to a device you personally own, like a smartphone, and locked behind strong authentication. Without a face scan, fingerprint scan, or PIN entry on said personal device, no one is getting into your account.

Passkeys combine the best parts of both passwords and 2FA: They're convenient, since you quickly authenticate yourself with your smartphone (like autofilling with a password manager), but they also require that personal device to be in your possession to access the account, similar to how you need a secondary authentication method to log in with 2FA.

More and more companies are starting to adopt passkeys as a form of authentication, including Apple, Google, Facebook, Microsoft, and X. If any of your accounts support passkeys, I strongly suggest you set them up. That way, when the next inevitable data breach does occur, you'll be protected.

What to do for accounts that don't accept passkeys

Of course, not all accounts can use passkeys right now. In those cases, you'll need to shore up your password security as best you can.

First, make sure each of your accounts has a password that is strong and unique. That means something that cannot be easily guessed by either a human or a computer, as well as something you haven't used for any other account before. While you don't need to change your passwords as frequently as traditional security advice has suggested, given the news, you might want to refresh your passwords, just in case.

It's impossible to remember all those strong and unique passwords, which is where a good password manager comes in. These services use strong encryption to protect your database of passwords—all you need to remember is the one strong and unique password you use to access the password manager, and the app can remember the rest. Some of these services come with other tools as well, like authenticator code generation, so they're well worth the investment. PCMag has a list of the best password managers for 2025, if you're looking for hand-tested recommendations.

Speaking of authenticators, set up 2FA for every account that supports it—which, at this time, should be most of them. While passkeys are the strongest form of authentication, 2FA still beefs up your security in the event your password is leaked. Without the code or an authenticator tool, like a security key, bad actors won't be able to access your account, even with your password in hand.

Finally, with more websites and companies adding support for passkeys all the time (including, earlier this week, Facebook), keep watching your accounts for the option, and make the switch as soon as you can. Stay safe out there.