In June 2025, headlines shouted that 16 billion passwords had leaked. Major outlets warned that credentials for Apple, Google, and other platforms were now exposed. As expected, this triggered a wave of public anxiety and standard advice: change your passwords immediately. Upon closer examination, however, technical sources clarified the situation. This was not a new breach, nor did it expose fresh credentials. The dataset was an aggregation of previously leaked databases, malware logs from infostealers, junk records and millions of duplicate entries. Essentially, it was old material, repackaged and redistributed under a sensational label. For digital forensics teams, however, the question remains open: could this kind of dataset be useful in real-world password recovery? In this article, we will explore if massive password leaks have practical value in the lab.

This article opens a new series dedicated to breaking passwords. It’s no secret that simply getting a good password recovery tool is not enough to successfully break a given password. Brute-force attacks are inefficient for modern formats (e.g. encrypted Office 2013 documents), while using general dictionaries can still be too much for speedy attacks and too little to actually work. In this article, we’ll discuss the first of the two relatively unknown vectors of attack that can potentially break 30 to 70 per cent of real-world passwords in a matter of minutes. The second method will be described in the follow-up article. (more…)