
Record 16 Billion Password Leak: What the Breach Means for Web3

Category: Web3


POSTED BY: Rob Behnke

06.23.2025

In June 2025, a record-breaking password breach was publicly reported. Over 16 billion login credentials were exposed for services such as Google, Apple, and Facebook.

On the surface, a massive password breach has little impact on the Web3 space, which relies on blockchain private keys to manage access and digitally sign transactions. However, the reality of modern crypto is that passwords play a critical role in the security of many users.

About the 16B Breached Passwords

The biggest password breach in history includes over 16 billion credentials from various major services. However, there is no sign that these organizations were the victims of a cyberattack or data breach.

Instead, the breached passwords appear to be the result of infostealer malware, which harvests credentials stored on infected devices. Unlike other massive datasets of breached passwords published in the past, this list appears to consist of recent credentials that haven’t been recycled from past breaches and are therefore more likely to still be valid for the user’s accounts.

Breached Passwords Shouldn’t Impact Blockchain Users…

Theoretically, a massive leak of passwords should have minimal impact on the security of on-chain accounts. The reason for this is that blockchains don’t use passwords to control access and authorize transactions. Instead, they use private keys, which are randomly generated values tied to a specific blockchain account.

But this assumes that all blockchain users practice self-custody, managing their own private keys via a software or hardware wallet. In practice, crypto custody is common, with users entrusting their private keys to a service provider that handles private key security and digitally signs transactions on their behalf.

The crypto custody model brings passwords back into the equation. Passwords for a user’s custody provider can be used to access private keys or sign malicious transactions, allowing an attacker to steal crypto or abuse the permissions assigned to a privileged blockchain account.

…But It Likely Does

For a minority of Web3 users, there’s the potential that a breached password offers direct access to an on-chain account. However, there are also numerous indirect ways that attackers could leverage this breach to steal crypto or abuse privileged accounts.

Password Reuse

One likely impact of the breached password dataset is the potential for account takeover due to password reuse. While passwords should be unique for every online account, many people reuse passwords across multiple accounts.

If a password is reused between the breached dataset and a user’s custody account, attackers will likely exploit this via a credential stuffing attack. This would allow the attacker to take over the account and perform transactions on the user’s behalf.
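Credential stuffing has a recognisable shape in authentication logs: one source replays leaked username/password pairs against many different accounts in a short window, with mostly failures and the occasional success where a reused password was still valid. The detector below is an added example written for this post, not Halborn's code; it runs over a few constructed log lines in a hypothetical `timestamp ip user result` format and reports, for each flagged source, the accounts that logged in successfully during the burst, since those are the ones whose passwords should be reset first.

```python
"""Detect credential-stuffing bursts in authentication logs.

Added example (not part of the original post). Heuristic: within a time
window, a single source IP attempting many *distinct* usernames with a
high failure ratio looks like replayed leaked credentials, whereas one
user retrying their own account from one IP does not.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format: timestamp ip user result).
SAMPLE_LOG = """\
2025-06-20T10:00:01Z 203.0.113.7 alice FAIL
2025-06-20T10:00:02Z 203.0.113.7 bob FAIL
2025-06-20T10:00:02Z 203.0.113.7 carol FAIL
2025-06-20T10:00:03Z 203.0.113.7 dave SUCCESS
2025-06-20T10:00:04Z 203.0.113.7 erin FAIL
2025-06-20T10:00:05Z 203.0.113.7 frank FAIL
2025-06-20T10:00:20Z 198.51.100.4 alice FAIL
2025-06-20T10:00:40Z 198.51.100.4 alice FAIL
2025-06-20T10:01:00Z 198.51.100.4 alice SUCCESS
2025-06-20T10:02:00Z 192.0.2.9 grace SUCCESS
"""


def parse_line(line):
    """Split one log line into (datetime, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def summarize(events):
    """Per-source statistics used in the alert once a burst is detected."""
    return {
        "distinct_users": len({u for _, u, _ in events}),
        "attempts": len(events),
        "failures": sum(1 for _, _, r in events if r == "FAIL"),
        # Accounts that authenticated during the burst: likely reused passwords.
        "compromised_accounts": sorted({u for _, u, r in events if r == "SUCCESS"}),
    }


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_users=5, min_fail_ratio=0.6):
    """Return {ip: summary} for every source whose activity in some window
    touches >= min_users distinct accounts with a failure ratio >= min_fail_ratio."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            events[ip].append((ts, user, result))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()  # chronological order for the sliding window
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, r in span if r == "FAIL")
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                # Report over the source's full history, not just the window.
                flagged[ip] = summarize(evs)
                break
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

In the sample, `203.0.113.7` is flagged (six accounts, five failures, one success for `dave`), while `198.51.100.4` is not, because three attempts against a single account from one address is ordinary user behaviour. Thresholds are illustrative; a production rule would tune them per service and correlate on user agent, ASN or geography as well as source IP.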

Leaked Custody Passwords

One notable feature of the password breach is the fact that it didn’t involve a breach of the various service providers. Instead, the dataset was likely compiled using infostealer malware.

This is significant because it means that a custody provider didn’t need to be breached for custody passwords to be included in the breached dataset. Infostealer malware commonly attempts to steal all credentials that are present on an infected computer, regardless of the associated service. If blockchain users who use a custody service were some of the victims of the infostealers used to build this dataset, then their custody passwords may be included and available to attackers.

Password Resets

Password-based authentication systems rely on the assumption that a user will know their password, which doesn’t always work out. For this reason, most online services offer an option to perform password resets via a verified email address.

This breached dataset includes passwords from services such as Google, a major email provider. If a user’s Gmail password is included in the dataset, an attacker could potentially access their email account. If so, they could trigger a password reset from the custody provider and change the password to something known to the attacker.

Social Login

Many online services offer login using social media accounts. While some custody providers, like Coinbase, disallow this for security reasons, other Web3 services may permit it to make their services more accessible to Web2 users.

Similar to the threat of malicious password resets, this practice introduces potential security risks if a user’s social media account was included in the breach. If so, an attacker who could gain access to the social media account may be able to pivot to access other significant accounts, including Web3 accounts.

Social Engineering Attacks

Many of the potential risks outlined above may be mitigated if multi-factor authentication (MFA) is enabled for Web3 accounts. Also, it’s possible that a user isn’t directly impacted by the breach or that leaked passwords don’t provide direct access to a Web3 account.

However, there is the potential that the breached passwords could open up avenues for social engineering attacks. 

Some possibilities include:

  • Attempting to log in using a breached account and tricking or annoying the user into providing the MFA code

  • Using a breached email account to send phishing emails to another party

  • Using leaked information to social engineer customer support at a Web3 project

Managing the Security Risks of the 16B Password Breach

This password breach is the biggest to date, but massive breaches of user credentials are increasingly common. Cybercriminals have various ways of collecting passwords and private keys, ranging from breached websites to infostealer malware.

This incident is a reminder to implement account security best practices to minimize your exposure to this and similar incidents in the future. 

Some best practices to implement include:

  • Ensure all passwords are strong and unique

  • Enable MFA when possible

  • Don’t share MFA codes or approve suspicious MFA requests

  • Be wary of emails requesting sensitive information or “too good to be true” offers

  • Use multi-signature wallets for on-chain accounts

  • Use cold storage for crypto keys
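The first best practice, strong and unique passwords, can be enforced at signup and at password reset rather than left to the user. The code below is an added example, not from this post or from Halborn, showing the k-anonymity range-query scheme used by Have I Been Pwned's Pwned Passwords service, implemented against a small constructed corpus so it runs offline: the client sends only the first five hex characters of the SHA-1 hash, the server returns every suffix under that prefix, and the client matches locally, so the full hash of the candidate password never leaves the client. The `_BREACHED` corpus, `RANGE_INDEX` and the `screen_password` policy are assumptions made for the example.

```python
"""Screen candidate passwords against a breached-password corpus using
k-anonymity range queries. Added example, not part of the original post.
"""
import hashlib

# Constructed sample corpus of leaked passwords with occurrence counts.
# Sample data for the example, not real breach data.
_BREACHED = {"password": 1000, "123456": 2500, "letmein": 40, "Summer2025!": 3}


def _sha1_hex(password):
    """Uppercase hex SHA-1, the hash used by the Pwned Passwords scheme."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: bucket hashes by their 5-character prefix."""
    index = {}
    for pw, count in corpus.items():
        h = _sha1_hex(pw)
        index.setdefault(h[:5], []).append((h[5:], count))
    return index


RANGE_INDEX = build_range_index(_BREACHED)  # assumed in-process "server"


def range_query(prefix):
    """Server side: given a 5-char prefix, return every (suffix, count)
    under it. The server never learns which suffix the client wanted."""
    return RANGE_INDEX.get(prefix.upper(), [])


def breach_count(password):
    """Client side: send only the prefix, match the suffix locally."""
    h = _sha1_hex(password)
    for suffix, count in range_query(h[:5]):
        if suffix == h[5:]:
            return count
    return 0


def screen_password(password, min_length=12):
    """Return a list of policy problems; an empty list means acceptable.
    The policy itself (length floor, zero tolerance for breached values)
    is an assumption chosen for this example."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    n = breach_count(password)
    if n:
        problems.append(f"appears in breach corpus {n} times")
    return problems


if __name__ == "__main__":
    for candidate in ["Summer2025!", "xq7!Lm2#vZ9pQ4"]:
        print(candidate, screen_password(candidate) or "ok")
```

In a real deployment `range_query` would call the public range endpoint (`https://api.pwnedpasswords.com/range/<prefix>`) instead of an in-process dictionary, and the check would run both when a password is set and when an existing password is used at login, so that credentials captured by infostealers after signup are still caught. Uniqueness across sites cannot be verified server-side; the practical countermeasure is a password manager, which this check complements rather than replaces.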


The implications of this breach aren’t limited to retail users, as major Web3 projects could have been impacted as well, placing themselves and their users at risk. For help in developing a secure identity and account management strategy for your organization, get in touch with Halborn.


© Halborn 2025. All rights reserved.