
Weak Passwords Are Still Fueling the World’s Biggest Data Breaches. Here Are Four Cases That Prove It.

by Delarno
From a 16 billion credential leak to an embarrassing misconfiguration at McDonald’s, poor password habits continue to leave individuals and organisations dangerously exposed.

Cyberattacks make headlines with such regularity that the details can begin to blur. Behind a striking number of them, however, sits the same unglamorous root cause: passwords that are too simple, too widely reused, or too carelessly handled.

The scale of the problem is difficult to overstate. Research cited by Heimdal Security suggests that 94 percent of passwords are used across multiple accounts, while just three percent meet basic complexity standards. Brute-force attacks – in which automated systems work through lists of common passwords until one succeeds – now account for 37 percent of cyber breaches.

Danny Mitchell, a cybersecurity writer at Heimdal Security, says the persistence of weak passwords reflects a practical reality as much as a security failure. “The average person has over 160 accounts,” he said. “Remembering strong, unique passwords for all of them is nearly impossible, so users fall back on simple, predictable combinations. Hackers don’t need advanced tools anymore – they just automate password attempts using bots, which try the same common passwords that people keep recycling.”

Below, Mitchell examines four cases that illustrate what poor password practices can cost.

1. The 16 Billion Password Mega-Leak (2025)

In June 2025, a data dump described as one of the largest in history aggregated stolen credentials from dozens of previous breaches into a single repository of approximately 16 billion passwords. While many were recycled from earlier incidents, millions were newly exposed. Analysis of the dataset revealed that “admin” and “password” appeared tens of millions of times.

The consequences were swift and commercial. Credentials flooded dark web marketplaces, with access to social media, email, and financial accounts selling for as little as ten dollars. The episode laid bare how extensively password reuse has normalised the recycling of compromised credentials across platforms.

2. McDonald’s Monopoly VIP Campaign Mishap (2025)

A more contained but equally instructive incident occurred during McDonald’s UK Monopoly VIP promotional campaign in 2025, when an administrative error resulted in database usernames and passwords being sent by email to prize winners. The credentials covered both staging and production servers. While a firewall protected the production environment, some recipients were able to access the staging server before the error was identified and corrected.

“Even global brands can slip up when it comes to basic digital hygiene,” Mitchell said. “A single misconfiguration or forgotten password rule can put entire networks at risk.” McDonald’s moved quickly to change the exposed credentials and issued a public apology. The episode was ultimately a near miss – but it demonstrated how quickly a simple procedural failure can travel.

3. The Louvre’s CCTV Password

A detail from a 2014 security audit of the Louvre resurfaced in 2025 following a high-profile jewel theft at the museum. The audit had recorded that the institution’s CCTV network was protected by the password “LOUVRE.” Though the theft itself was carried out by conventional means rather than through any digital intrusion, the revelation prompted considerable embarrassment and reignited debate about password standards in high-security institutions.

“Weak passwords might not always be the weapon, but they’re an open door,” Mitchell said. “If your digital security looks lazy, criminals assume your physical defences are too.”

4. Yahoo’s Billion-Dollar Breach (2013–2016)

The most financially consequential case on Mitchell’s list predates the others by several years but remains one of the most instructive. Between 2013 and 2016, Yahoo suffered a series of intrusions that ultimately compromised three billion user accounts – names, phone numbers, dates of birth, security questions, and associated credentials among the exposed data.

The damage was compounded by Yahoo’s delay in disclosing the breaches. By the time the full scale became public during Verizon’s 2017 acquisition of the company, the fallout included $35 million in regulatory fines and 41 class-action lawsuits.

“Transparency, speed, and strong password encryption could have prevented years of fallout that tarnished Yahoo’s reputation,” Mitchell said. “It proved that password negligence can alter the fate of entire companies.”

The Passwords Still in Widespread Use

Despite years of public guidance, certain passwords remain remarkably persistent. According to NordPass data, the most common passwords used in corporate environments closely mirror those used in personal accounts – a finding that suggests employees are routinely accessing sensitive business systems with credentials that automated systems can crack in under a second.

The ten most frequently encountered weak passwords in 2025, according to Mitchell, are: 123456, 123456789, 12345678, password, qwerty123, qwerty1, 111111, 12345, secret, and 123123. All are short, lack special characters, and appear on every standard brute-force list.

What Individuals and Organisations Should Do

Mitchell’s recommendations are practical and consistent with established cybersecurity guidance. A password manager removes the cognitive burden of generating and remembering strong, unique credentials for each account, and eliminates the temptation to reuse passwords across platforms.

Two-factor authentication adds a second barrier that remains effective even if a password is compromised. Regularly checking whether credentials have appeared in known leaked databases – services such as Have I Been Pwned allow users to do this – provides an early warning when action is needed.
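As an added example that is not part of the article, the following Python check combines the two concrete recommendations above: it rejects the 2025 most-common passwords listed earlier and looks a candidate up against a breached-password database in the way Have I Been Pwned's Pwned Passwords range endpoint works (the client sends only the first five hex characters of the password's SHA-1 and compares the returned `SUFFIX:COUNT` lines locally). The range bodies below are constructed stand-ins for the network call and the counts are made up; everything runs offline.

```python
import hashlib

# The ten most common passwords the article attributes to Mitchell / NordPass (2025).
COMMON_PASSWORDS = {
    "123456", "123456789", "12345678", "password", "qwerty123",
    "qwerty1", "111111", "12345", "secret", "123123",
}

# Constructed stand-in for the range endpoint: 5-char SHA-1 prefix -> body in the
# "SUFFIX:COUNT" line format the real service returns. Counts are invented here.
SAMPLE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "0018A45C4D1DEF81644B54AB7F969B88D65:1\n",
    "7C4A8": "D09CA3762AF61E59520943DC26494F8941B:37359195\n",
}


def offline_range_lookup(prefix: str) -> str:
    """Replaces the HTTPS GET to /range/<prefix>; returns an empty body if unknown."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are skipped."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_lookup) -> int:
    """k-anonymity lookup: only the 5-char hash prefix leaves the client."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def evaluate_password(password: str, range_lookup=offline_range_lookup) -> dict:
    """Policy check: common-list membership, minimum length, and breach exposure."""
    reasons = []
    if password in COMMON_PASSWORDS:
        reasons.append("on the 2025 most-common list")
    if len(password) < 12:  # length floor is an assumption of this example
        reasons.append("shorter than 12 characters")
    seen = breach_count(password, range_lookup)
    if seen:
        reasons.append(f"seen {seen} times in known breaches")
    return {"accepted": not reasons, "reasons": reasons}
```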

“Most cyberattacks start with someone making a simple mistake,” Mitchell said. “Passwords are your first and often your only line of defence. The intention to improve them is common; the follow-through is not. Only about a quarter of people who say they will change their passwords after a breach actually do – and that gap is where attackers operate.”

This content is brought to you by Anne Rogas