What would you do if you woke up to chaos? Your accounts emptied, identity stolen, and online life hijacked. With identity based attacks, you won’t get a polite message from scammers saying, “Your password has been pwned.”
Pwned: What it means and why you should care
The word “pwned” has a compelling origin. In gaming lore, there are two stories that are widely cited, but neither can be definitively confirmed.
In the first, the word came about when a map designer for Warcraft III typed “pwned” instead of “owned” in a game message. For avid gamers, the phrase “You’ve been owned” means you’ve been completely defeated or dominated.
The second story says the word “pwned” took off when an online player accidentally typed “pwned” instead of “owned.” Over time, the hacker community adopted the word, using it to describe situations when an account or system had been compromised. Today, “pwned” is synonymous with being hacked or having your data exposed.
While services like Have I Been Pwned are great for spotting breaches, being proactive about data security is critical. It can mean the difference between keeping your way of life and losing everything.
Below, we pull back the curtain on how passwords are getting cracked in 2025 and how LastPass can be your first line of defense against waking up to disaster.
Why your passwords are already compromised (despite your best efforts)
Billions of credentials are up for grabs – could yours be next?
So, the coffee’s on and the smell of breakfast is in the air.
You’re scrolling through your feed before the headline screams at you, “Data leak exposes 184 million passwords.” You may think, "I change my passwords. I should be ok.”
But here’s the shocking truth: While everyone is talking about the 184 million leak, security researchers have just uncovered something much bigger: a collection of 30 massive datasets containing 16 billion credentials in total.
The 184 million figure? It's just ONE of the many datasets and the ONLY one previously reported. The other 29 are newly discovered and appear to contain fresh data, rather than previously recycled credentials.
Many have been harvested with infostealers like the notorious Lumma, the focus of a global law enforcement takedown in May 2025.
If you’re someone who changes your passwords regularly, you’re already doing more than most to protect your data. It's a smart move, but even with your proactive habits, you aren’t 100% safe if you do these two things:
1. Reuse your passwords across multiple sites
2. Make only minor but predictable modifications – like adding a special character or swapping a letter for a symbol – when updating passwords
So, what’s the solution? Stay with us as we talk about what works, even as new threats like “SneakThief” infostealers target credentials in both browser and cloud-based storage.
How hackers are cracking passwords in minutes – why complexity is only part of the solution
First, what are “SneakThief” infostealers?
According to Picus Security’s 2025 Red Report, there’s been a 3X increase in infostealers targeting both browser and cloud-based credentials.
In a nutshell, Picus Security researchers coined the term “SneakThief” to highlight credential harvesting malware strains that are highly evasive, persistent, and capable of executing multi-stage attacks. This means they can work quietly in the background without raising alarms.
The recently disrupted Lumma infostealer is one such example.
And that’s not all. Here are two (2) more ways hackers are cracking passwords faster than ever in 2025:
- AI and high-end GPUs: AI tools like PassGAN can guess passwords by learning from real password leaks, while high-end GPUs can try billions of combinations per second. So, even if you regularly update credentials, your accounts are still at risk if you use simple passwords based on predictable patterns.
- Acoustic side channel attacks: If your accounts are only protected with passwords, you could be vulnerable to an Ai-powered acoustic side-channel attack.
Here's how it works: When hackers record the sounds of you typing, they get an audio file of clicks. To figure out what keys were pressed, they use a convolutional neural network (CNN), a type of AI that turns the audio file into what’s called a spectrogram (a visual graph).
The hacker trains the CNN on keystroke sounds that correspond to individual keys. So, when it gets the audio file, the CNN looks at the spectrogram to guess which keys were pressed.
The more examples it learns from, the more it can guess your passwords just by listening to you type. This puts your security and privacy at risk, even if you practice meticulous password hygiene.
Password myths that threaten your security and peace of mind
The 5 common mistakes most people make when creating passwords: How many do you recognize?
Does anyone have time for passwords today?
With rising geopolitical tensions and social instability, stress levels are at an all-time high. Recent studies reveal that 40% of people have hit their limit, with 83% saying adulthood is more challenging now than a decade ago.
Let’s face it: most of us are cutting corners when it comes to passwords. We tell ourselves we’re safe. But the truth is, scammers are counting on us to make these mistakes: How many do you recognize in your own life?
1. Reusing passwords: Using the same password for multiple accounts is like using the same key for your front door, home safe deposit box, and garage. If someone gets your key, they get total access. It’s like handing over a master key to your entire life.
2. Using simple passwords: Are you using “password123” or “iloveyou123”? Hackers love these. According to a 2025 Cybernews study on 19 billion leaked passwords, 94% of passwords are reused worldwide. And there’s more bad news: Many of them are made up of lazy sequences like “1234” (727million+ passwords) and “123456” (338 million+ passwords).
3.Ignoring length and complexity: Short, simple passwords are easy for hackers to crack. To create the most robust passwords, follow CISA and NIST’s newest guidelines, which recommend at least 15 characters and a combination of upper and lowercase letters, numbers, and symbols.
4. Forgetting to update after a known security incident: Have you been using the same password for Facebook since 2010? If so, it’s probably time for a change.
Although the most recent leak of 30 datasets (16 billion credentials) contains fresh material, one dataset (184 million credentials) contains passwords from previous leaks. Many of these have been put up for sale on the Dark Web.
Yet, research shows that more than 70% of users continue to use already-leaked passwords on other platforms one (1) year after a leakage. And 40% continue to use the same passwords leaked more than three (3) years ago.
If you prefer to stick with original passwords, either because you’re a creature of habit or are anxious about forgetting login details, you aren’t alone. But after a security leak, changing your passwords is like changing a lock after losing the key. It's a small step that makes a big difference for your peace of mind.
5. Sharing passwords insecurely: Do you regularly share passwords on Post-it notes or text messages? If so, you’ll never know how many copies are out there or who has access to them.
But what if my password manager gets hacked? 4 ways LastPass helps you stay ahead: Your path to digital freedom
Do any of these sound familiar?
My password manager is a little black/green/red book I keep next to my bedstand.
I use “password”, but I spell it with 2s to fool hackers.
I use an encrypted file stored on my computer. Yes, I know I can’t access this from my phone when I’m away from my desk, but I think it’s worth it.
You aren’t alone if you’ve ever worried about a password manager being your weakest link. But here’s the reality: A YouGov poll reports that although 65% of people don’t trust password managers, 60% who don’t use them have experienced a data leak that led to damaged credit scores, drained bank accounts, and identity theft.
And with a cyber-attack occurring every 39 seconds (that’s 2,244 attacks a day) plus over 16 billion passwords already compromised, you can’t afford to take chances.
But wait: what about modifications like substituting letters for symbols or numbers? Unfortunately, these “leetspeak substitutions” are easily deciphered by modern password cracking tools.
Here’s the straight truth: no password manager is 100% foolproof nor can it guarantee absolute immunity from attacks.
But with continued vigilance and layered security (a strong master password + advanced MFA + secure autofill + Dark Web Monitoring), you’re adopting a security posture that’s miles ahead of the average user.
The LastPass password generator: Creating strong, unbreakable passwords for every account
Imagine a world where every single one of your accounts is locked down tight. With the LastPass password generator, you can customize your passwords according to NIST and CISA recommendations: at least 15 characters + combining upper and lowercase letters, symbols, and special characters.
Our generator can do the work of creating AND remembering complex passwords for you, so logins are lightning fast, effortless, and secure every single time.
And best of all, automatic device sync means any items saved to your digital vault are automatically synced across all your LastPass-connected devices. Never be without access again, no matter where you go and what you do.
Real-time Dark Web Monitoring: Keeping you safe while you sleep
While you’re catching up on sleep, scammers are busy trading your stolen credentials on the Dark Web. With our premier Dark Web Monitoring service, you get real-time alerts if your passwords are compromised, allowing you to act before scammers do.
LastPass autofill: Preventing keyloggers from harvesting your login credentials
As mentioned above, the simple act of typing your passwords involves great risk. With the rise of infostealers (many with keylogging capabilities) and acoustic side channel attacks, your passwords are only as safe as the next tap or click. With LastPass secure autofill, your passwords are never exposed.
Best of all, LastPass will only autofill your credentials on legitimate sites ONLY, ensuring that your credentials are never entered on phishing sites.
The next-gen vault: Why hackers hate FIDO2 MFA
Did you know that 99.99% of compromised accounts didn’t have MFA enabled? Yet, it’s the single most effective way to repel an attack. Even if scammers manage to harvest your login info, it’s nearly impossible to access your hardware key or passkey. FIDO2 MFA like YubiKey or LastPass passkeys makes your vault a digital fortress, so your data stays yours and yours only.
If you’re worried about the next high-profile attack, don’t wait. Upgrade your security today with a free trial of LastPass Premium and experience the peace of mind enjoyed by millions of satisfied LastPass customers (no credit card required).
- Access passwords anywhere, anytime
- Generate unique, strong passwords
- Autofill and share with one click
- Backed by expert threat intelligence
Subscribe for the latest from LastPass blog
By subscribing, you agree to receive marketing communications regarding industry news and research, educational resources, and LastPass products and services. The processing of your personal data in accordance with the LastPass Privacy Policy. You can unsubscribe from marketing communications at any time.
