Key Takeaways
- Attackers log in, not crack: stolen credentials appear in 22% of breaches, 88% of web-app attacks.
- Phishing is the entry point in roughly 15% of breaches, tricking users into typing real passwords.
- Reuse is the weak link: only 49% of an infected user’s passwords are unique.
- Your best defenses: a unique password per account plus two-factor authentication.
The data shows attackers rarely “crack” passwords – they collect, buy, or trick their way to them.
The Story Behind the Numbers
When we picture someone stealing a password, we imagine furious typing and cracked codes. The real data tells a calmer, more unsettling story: most attackers simply log in with credentials someone already leaked or handed over.
Verizon’s 2025 Data Breach Investigations Report examined 12,195 confirmed breaches across 139 countries. Stolen credentials were the single most common way attackers first broke in, showing up in 22% of breaches; in attacks aimed directly at web applications, 88% relied on them. So where do those passwords come from? Three main sources: large data breaches at companies you’ve used, infostealer malware that quietly harvests saved logins from infected devices, and phishing – tricking you into typing your password into a fake page, the entry point in roughly 15% of breaches.
The pattern is hard to miss. Hackers rarely break your password. They collect it, buy it, or fool you into giving it away.
Why This Data is Important
These numbers should change how you protect yourself. If most attacks rely on leaked or reused passwords, your everyday habits matter more than any single product.
Password reuse is the weak link. For the average infected user, the DBIR found only 49% of their passwords were unique – so one leak can unlock many accounts. This feeds “credential stuffing,” where bots test stolen logins across the web; at some sign-in providers, those attempts made up 19% of all login traffic.
Two habits cut your risk sharply: use a different password for every account, and turn on two-factor authentication. On public Wi-Fi, where data can be intercepted, a VPN scrambles your traffic so snoopers can’t read it, while hiding your IP address keeps you harder to trace.
Looking Ahead: Future Outlook
Passwords are slowly being replaced. Passkeys – logins tied to your device instead of a typed secret – are rolling out across major services and resist phishing entirely. Attackers are adapting too: “prompt bombing,” which spams you with login-approval requests until you tap yes, now appears in 14% of incidents. Until passwordless logins go mainstream, unique passwords, two-factor authentication, and a reliable VPN on untrusted networks remain your strongest defense.
Source & Methodology
All figures come from the Verizon 2025 Data Breach Investigations Report, an annual study that analyzed 22,052 real-world security incidents and 12,195 confirmed breaches from 139 countries, with data contributed by law enforcement, forensic firms, and cybersecurity organizations worldwide. Reported percentages reflect breaches where the cause could be confirmed.