Morning Overview

Researchers found 24 billion stolen passwords sitting in one exposed database

Anyone who reuses passwords across multiple accounts now faces sharply higher odds of being targeted by automated credential-stuffing attacks. Research published by Digital Shadows found more than 24 billion username and password combinations circulating in cybercriminal marketplaces, a 65 percent increase in just two years. After removing duplicates, the firm identified 6.7 billion unique credentials still available for purchase or trade. The sheer volume of stolen login data, concentrated in accessible dark-web listings, has turned password reuse from a bad habit into an active liability for individuals and organizations alike.

Why 24 billion stolen credentials represent a new scale of risk

The raw count is staggering on its own, but the real danger sits in what happens after duplicates are stripped away. Digital Shadows found 6.7 billion unique credentials among the 24 billion total pairs, according to a press announcement. That distinction matters because each unique pair represents a distinct account that can be tested against banking portals, corporate VPNs, email services, and cloud platforms. Attackers do not need to crack every password individually. They buy curated lists, load them into automated tools, and let software try each combination across dozens of popular services in minutes.

A 65 percent jump in two years suggests that the supply of stolen credentials is growing far faster than most companies rotate passwords or deploy additional authentication layers. When a single marketplace listing can offer billions of working logins, the economics shift decisively in favor of attackers. Credential-stuffing campaigns become cheap to run and profitable at scale, even if only a small fraction of the tested pairs still work. For security teams, the math is brutal: defending against billions of possible login attempts requires detection systems that most mid-size businesses have not yet adopted.

One hypothesis worth examining is whether these 24 billion pairs trace back to a handful of large enterprise breaches whose stolen data was later combined into one aggregated listing. The concentration of credentials in a small number of dark-web marketplaces supports that reading. Massive breaches at major platforms tend to produce hundreds of millions of records each, and criminal operators routinely merge, deduplicate, and repackage those datasets for resale. The result is a supply chain where a few upstream compromises feed an enormous downstream market, making the problem look decentralized when it may actually stem from a limited set of high-volume incidents.

At the same time, the steady drumbeat of smaller incidents (compromised web forums, exposed databases from niche apps, and phishing campaigns targeting specific companies) likely contributes a substantial share of the total. Even modest breaches can yield tens or hundreds of thousands of credentials. Over months and years, those smaller leaks accumulate into the kind of massive inventory now visible on underground markets. Whether the current stockpile is driven more by headline-making hacks or by countless minor exposures, the outcome for users is the same: a rapidly expanding pool of logins that can be tried against any service that still accepts simple passwords.

Digital Shadows research and the 6.7 billion unique pairs

The findings come from research conducted by Digital Shadows, a threat intelligence firm that monitors criminal forums, paste sites, and dark-web marketplaces for exposed credentials. The firm’s summary, distributed through PR Newswire channels, documented more than 24 billion username and password combinations available across these underground sources. By running deduplication processes against the full dataset, researchers isolated 6.7 billion pairs that were not simple repeats of the same stolen record appearing on multiple sites.

The 65 percent growth figure over two years is significant because it outpaces the rate at which organizations are adopting stronger defenses. Multi-factor authentication, password managers, and passkey-based logins have all gained traction, but adoption remains uneven. Many consumer-facing services still allow password-only access, and employees at smaller firms often lack enterprise-grade credential monitoring. The gap between the speed of credential accumulation and the speed of defensive rollout is widening, not narrowing.

Digital Shadows did not publicly release the raw dataset or name specific breaches that contributed the largest share of records. That limits independent verification of the exact composition of the 24 billion pairs. Still, the scale aligns with what other threat intelligence firms have reported about the size of credential dumps traded on underground forums. The growth trend, rather than any single snapshot, is what security professionals are watching most closely. A 65 percent increase in two years implies that the next measurement could show an even larger pool unless breach frequency or password reuse rates decline sharply.

Without granular disclosure, some methodological questions remain. It is unclear how the researchers handled credentials that appeared with minor formatting differences, such as capitalization changes or added whitespace, or how they treated passwords that had been partially redacted in public leaks. The study also does not specify how many of the identified accounts had already been closed or forced to reset their passwords. Those unknowns do not negate the central finding, but they do affect how precisely defenders can gauge the fraction of still-active logins embedded in the 6.7 billion unique pairs.
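The methodological questions above can be made concrete. The following added example (not Digital Shadows' method, which has not been published) deduplicates a constructed set of leaked records under different normalization policies and shows how far the "unique" count moves depending on how capitalization, whitespace and partially redacted passwords are treated. All records are invented for the example.

```python
import re

# Constructed sample of leaked "username:password" records as they might be
# scraped from several sources (not real data). One underlying credential
# appears with capitalization changes, stray whitespace and partial redaction.
SAMPLE_RECORDS = [
    "alice@example.com:Summer2023!",
    "Alice@Example.com:Summer2023!",      # same mailbox, different case
    " alice@example.com :Summer2023! ",   # whitespace added by a re-post
    "alice@example.com:Summer2023!",      # exact duplicate from a second dump
    "bob@example.com:hunter2",
    "bob@example.com:hun***",             # partially redacted copy of the same record
    "carol@example.com:P@ssw0rd",
    "carol@example.com:p@ssw0rd",         # password case differs: a genuinely different pair
]

REDACTED_RE = re.compile(r"\*{2,}|\[redacted\]", re.IGNORECASE)

def parse_record(rec):
    """Split on the first ':' only, so passwords that contain ':' survive intact."""
    user, sep, pwd = rec.partition(":")
    if not sep:
        return None
    return user, pwd

def normalize(user, pwd):
    """Case-fold the identifier and trim whitespace on both fields; never
    case-fold the password, since 'P@ssw0rd' and 'p@ssw0rd' are distinct secrets."""
    return user.strip().lower(), pwd.strip()

def count_unique(records, normalize_fields=True, drop_redacted=True):
    """Return (raw_count, unique_count) under the chosen deduplication policy.
    The two flags mirror the choices the article says were not disclosed."""
    seen = set()
    raw = 0
    for rec in records:
        parsed = parse_record(rec)
        if parsed is None:
            continue
        raw += 1
        user, pwd = parsed
        if drop_redacted and REDACTED_RE.search(pwd):
            continue  # a redacted password cannot be replayed, so it adds no risk
        if normalize_fields:
            user, pwd = normalize(user, pwd)
        seen.add((user, pwd))
    return raw, len(seen)
```

On these eight records the unique count is 7 with byte-exact matching, 5 with case and whitespace normalization, and 4 once redacted passwords are also dropped, which is why the 6.7 billion figure cannot be interpreted precisely without knowing the policy behind it.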

Gaps in the evidence and what users should do first

Several questions remain open. The Digital Shadows research was distributed as a press summary, and no full technical methodology or detailed report has been made publicly available for independent review; the press release itself does not include the underlying dataset. Without access to that data, outside researchers cannot confirm how the firm defined “unique” credentials, whether the deduplication process accounted for slight variations in formatting, or how many of the 6.7 billion pairs remain active versus expired. No law enforcement agency has independently confirmed the 65 percent growth figure or identified the specific marketplaces involved.

The absence of named breaches also makes it difficult to test the aggregation hypothesis directly. If a small number of large-scale compromises account for most of the volume, targeted remediation at those organizations could meaningfully shrink the pool of usable credentials. If the growth instead reflects thousands of smaller breaches, the problem is more diffuse and harder to address through any single intervention. Without granular data, both explanations remain plausible, and defenders must plan for a world in which any reused password may already be in circulation.

For anyone reading this with a password they have used on more than one site, the practical first step is straightforward: change those shared passwords immediately, starting with email and financial accounts, because those two categories are the linchpins of most people’s digital lives. Email inboxes can be used to reset access to other services, and bank or payment accounts offer direct financial incentives to attackers. Once those are secured with unique, strong passwords, work through other high-value logins such as cloud storage, social media, and any accounts tied to employment.

Using a password manager can make this process manageable. Instead of trying to memorize dozens of complex strings, users can generate and store unique passwords for every site. Turning on multi-factor authentication wherever it is offered adds another barrier, forcing attackers to supply a second proof of identity even if they guess or purchase the correct password. While no single measure can erase the risk created by 24 billion exposed credentials, a combination of unique passwords, additional authentication factors, and regular account reviews can dramatically reduce the chances that a stolen login will still work when attackers try it.

This article was researched with the help of AI, with human editors creating the final content.