Recently, a massive data leak involving more than 16 billion login credentials has gone viral across cyberspace. The incident was first revealed by Cybernews and Forbes.
It has since been classified as a global cybersecurity emergency. Experts say the data is not recycled from older hacks but was collected systematically by an infostealer malware that steals usernames and passwords from infected devices.

This malware silently harvests usernames and passwords from compromised devices, then uploads them to servers controlled by the attackers.

The leak comprises at least 30 separate datasets, each containing tens of millions up to more than 3.5 billion entries.

The leaked data is highly structured, listing the service URL first, followed by the username and password—making it trivial for criminals to exploit.

Popular services such as Apple, Google, Facebook, Telegram, GitHub, and even government platforms are reported as potential targets.

Password security provider Specops revealed the top 10 passwords most commonly used by attackers to exploit Microsoft Remote Desktop Protocol (RDP) connections.

RDP is a convenient method for accessing and controlling PCs and servers remotely, especially for hybrid workers.

But RDP is also a juicy target for cybercriminals seeking access to organizational networks and critical resources.

That is why using strong, complex passwords for remote desktop accounts is essential.

Specops analyzed over 1 billion stolen passwords collected by cybercriminals in 2024. The results show that many people ignore good practices when creating passwords—even for critical systems.

Organizations monitoring their RDP servers have observed hundreds or even thousands of failed login attempts from hackers, bots, ransomware gangs, and others.

Once attackers find an exposed, open RDP port, they use brute-force techniques to try large numbers of username/password combinations to gain access.

The simpler the password, the faster attackers can obtain and exploit access.

Leaked passwords can serve as entry points for thieves to steal identities and credentials for important accounts, including financial services. Don’t let your mobile banking be hijacked and your account drained because of an easily guessed password.

So, which password combinations are easiest for criminals to crack?

At number one is 123456, the most commonly stolen password. This indicates many people still use “keyboard walk” patterns—typing adjacent keys in sequence.

In second place is 1234, chosen by those who won’t bother adding the 5 and 6.

Next is Password1, followed by 12345. In fifth position is P@ssw0rd, showing that some users only add a special character yet remain weak.

P@ssw0rd is popular because it appears to meet the standard eight-character rule: one capital letter, one number, and one special character.

List of Most Commonly Stolen Passwords:

1. 123456

2. 1234

3. Password1

4. 12345

5. P@ssw0rd

6. password

7. Password123

8. Welcome1

9. 12345678

10. Aa123456