Sometime in the middle of 2025, researchers revealed what may be the largest collection of stolen login credentials ever gathered in one place. The compiled dataset, organized and searchable, contains about 16 billion records: usernames, passwords and account details scraped from infostealer malware, phishing operations and years of accumulated breach archives, covering accounts on Google, Apple, Meta and dozens of other platforms. There was no significant zero-day exploit. No advanced nation-state assault. Just the patient, quiet harvesting of a system that was built on shared secrets and never sufficiently considered what would happen once those secrets were no longer secret. No single weak password caused this. The password model failed gradually at first, then all at once, much like a slow leak that eventually floods a basement.
Though they seldom receive the attention they merit outside of security industry reports, the numbers behind that failure have been mounting for years. Verizon’s 2025 Data Breach Investigations Report links 22% of all breaches across industries to stolen credentials; for web application attacks, that figure rises to 88%.
| Technology | Passkeys (FIDO2/WebAuthn Standard) |
|---|---|
| Developed By | FIDO Alliance in collaboration with W3C |
| FIDO Alliance CEO | Andrew Shikiar |
| Major Supporters | Google, Apple, Microsoft |
| Standard Type | Public-Key Cryptography (Asymmetric) |
| Largest Credential Breach (2025) | ~16 billion stolen login credentials exposed |
| Stolen Credentials in Breaches | 22% of all breaches (Verizon 2025 DBIR) |
| Average Dark Web Price Per Credential | $10 per set |
| Infostealers Harvested (H1 2025) | 1.8 billion credentials from 5.8 million endpoints |
| Official Reference | fidoalliance.org |
According to SpyCloud’s research for that year, 91% of organizations had experienced an identity-related incident in the previous 12 months, almost twice as many as the year before. In just the first half of 2025, infostealer malware collected 1.8 billion credentials from 5.8 million compromised devices. These are not edge cases. They are the operational reality of a security model that the industry has been strengthening and patching for thirty years without addressing the underlying issue.
The fundamental issue is structural, and it’s important to put it simply: passwords necessitate sharing the same secret between you and the service you’re logging into. The password is known to you. A copy of it is kept on the server. When the two match, authentication takes place. Because of this architecture, the server’s credential database is always at risk; a successful breach exposes all users at once.
Additionally, at login time the password must travel from your keyboard to the server, creating an interception window that phishing exploits remarkably well. All an attacker needs is a fake login page that looks exactly like the real one. Because users think they are talking to a trusted service, they hand over the credentials voluntarily. Once the credentials are captured, the attacker needs nothing else. This model makes password theft possible by design; it was never built to withstand it.
Passkeys approach this in a different way, and their solution is sophisticated enough to be worth comprehending rather than blindly accepting. The technology employs public-key cryptography rather than shared secrets and is based on the FIDO2/WebAuthn standard, which was created by the FIDO Alliance and the W3C. Your device generates two mathematically linked keys when you generate a passkey for a service: a private key that stays on your device and a public key that is stored on the server.
When you log in, the server sends a random challenge that only your private key can answer correctly, and it verifies the response with the public key it already holds. No secret ever crosses the network. Even if the server’s database is breached, it contains nothing an attacker could use: the public key alone cannot log anyone in. The private key is what counts, and it stays on your hardware, protected by a device PIN or biometrics such as your fingerprint or face.
Andrew Shikiar, executive director and CEO of the FIDO Alliance, has argued for years that passkeys are a rare example of a security improvement that is both simpler for users and harder for attackers. That combination is genuinely uncommon in cybersecurity, where the usual trade-off runs the other way: two-factor authentication makes accounts more secure but logins more cumbersome, and complex password requirements made accounts much harder to manage and only slightly harder to crack. Passkeys, at least in their better implementations, ask you to press a thumb against a sensor to log in. No friction is added, and security improves. It is reasonable to be a little skeptical of anything described in those terms, but here the cryptographic architecture makes the claim defensible in a way that marketing language usually cannot.
In 2022, Google, Apple, and Microsoft jointly announced their commitment to passkey support, which was a truly significant indication of the direction the industry was taking. Since then, the change has been gradual rather than abrupt, with passkeys being offered as alternatives during login flows, suggested during account creation, and subtly appearing inside settings menus. It’s likely that the majority of people were asked to make one without fully comprehending what they were consenting to. In some ways, this quiet rollout is precisely how these changes typically occur. The end of the cassette tape was not announced by the CD. It simply kept showing up until the cassette vanished. Observing passkeys proliferate across major platforms gives the impression that the password is currently at a similar turning point: it is still there and still functional, but it is losing ground to something that performs better in ways that are getting harder to ignore.
There are still genuine questions. What happens if the device containing your private key is lost? Restoring via your Google, Apple, or Microsoft account is a workable solution, but it adds dependencies of its own and essentially shifts trust from the service you’re logging into to the platform handling your login credentials. It’s important to think carefully about whether that represents a significant increase in control or just a change in who has the keys. Additionally, it’s unclear how soon the shift will affect the long tail of smaller services, outdated platforms, and less technologically advanced businesses that still require users to select and double-check their passwords. Not all organizations have access to the time and resources needed to build the infrastructure needed to support passkeys.
The direction of travel has not changed. The credential-theft statistics alone are strong evidence that the current system is irreparably flawed. Sixteen billion stolen passwords did not accumulate because users chose weak passwords or because businesses neglected rotation policies; the architecture encourages them to accumulate. Passkeys do not patch that architecture. They replace it. The password’s demise has been announced before, early and somewhat enthusiastically. This time, the replacement technology has arrived, the major platforms are behind it, and the data supporting the change is harder to refute than it has ever been.
