Leaked credentials surge 160% as 2025 sees record-breaking data breach

Check Point Research has warned of a dramatic escalation in credential theft, with the volume of compromised usernames and passwords in 2025 up 160% compared to last year.

According to the company’s new report, The Rise of Leaked Credentials, the trend is being driven by a combination of high-profile breaches, the growing availability of Malware-as-a-Service, and the use of AI-powered phishing campaigns that enable even low-skilled attackers to harvest logins at scale.

The most notable incident this year – dubbed the “G.O.A.T. of all data breaches” – occurred in June, when a massive cache containing 16 billion login records was exposed online. The data, which included credentials for major platforms such as Facebook, Apple and Google, has significantly increased the attack surface for businesses and individuals alike.

Check Point found that credential theft is now implicated in one in five data breaches, with attackers often exploiting stolen logins without needing to bypass complex technical defences. Once data is exposed, organisations take an average of 94 days to detect and respond – leaving a long window for attackers to infiltrate systems, access sensitive information, or conduct further phishing campaigns.

The report also highlights regional hotspots for credential exposure, with Brazil, India and Vietnam topping the list. The most frequently targeted platforms include Discord, Microsoft Live, Facebook, Google and Roblox – services that combine large user bases with high engagement, making them prime targets for account takeover attempts.

Check Point’s researchers warned that the democratisation of cybercrime tools is lowering the barrier to entry for credential theft. “What used to require sophisticated skills can now be purchased cheaply on the dark web,” the report notes, adding that threat actors are increasingly chaining together phishing, info-stealing malware, and credential stuffing attacks.

The firm urged organisations to adopt proactive monitoring for compromised accounts, accelerate incident response timelines, and implement multi-factor authentication to limit the impact of stolen passwords.