Written by Ed Dean
Despite the massive data breaches at McDonald’s and Yahoo, where 16 billion passwords were compromised, most people continue to use weak passwords.
Danny Mitchell, cybersecurity expert and writer for Heimdal Security (https://heimdalsecurity.com/), says cybersecurity neglect still exists.
Mitchell urges consumers to stop reusing the same login across dozens of platforms.
People still use “123456” as their only line of defense, and bad password habits continue to put billions at risk. With 94% of passwords being used to access multiple accounts and only 3% meeting basic complexity standards, cybercriminals can hack sensitive accounts with just a flick of a finger.

4 infamous password failures that made headlines
1. 16 billion passwords leaked
In June 2025, the internet was rocked by one of the largest data dumps in history. A staggering 16 billion passwords and credentials stolen in dozens of previous breaches were combined into a single breach. Some were recycled from previous cases, but millions were newly exposed. This breach exposed how reckless password reuse can be, with “admin” and “password” appearing tens of millions of times.
The impact was swift, with credentials flooding dark web markets and selling for as little as $10 each. Hackers can buy access to your social media, email, and even bank accounts for the price of a takeaway coffee.
2. McDonald’s Monopoly VIP accident
McDonald’s UK faced an embarrassing debacle during its 2025 Monopoly VIP Awards campaign. Due to an administrative error, database usernames and passwords were accidentally emailed to prize winners, exposing credentials for both staging and production servers. Although the production system was protected by a firewall, some recipients were able to access the staging server, which could potentially have been fatal.
The company acted quickly, changing its credentials and issuing a public apology. Still, the incident served as a costly reminder that technical mistakes can travel at the speed of email—instantly.
3. The Louvre password that made France blush
In one of this year’s more surreal cybersecurity brouhahas, a 2014 security report has resurfaced, revealing that the password for the Louvre’s CCTV network was simply “LOUVRE.” Details of a daring museum jewelry heist in 2025 have been revealed, reigniting debate about lax password policies at high-security institutions.
4. Yahoo’s multi-billion dollar breach
From 2013 to 2016, Yahoo suffered a series of cyberattacks that compromised 3 billion user accounts. This is one of the largest known breaches in history. Hackers gained access to sensitive information such as names, phone numbers, dates of birth, and security questions through theft of backups and infiltration of databases.
Yahoo’s delays in disclosure resulted in a $35 million fine and 41 class-action lawsuits. The violations were fully disclosed during Verizon’s acquisition in 2017, severely damaging public trust.
“Hackers don’t need sophisticated tools anymore,” Mitchell says. “We’re just using a bot to automate password attempts, and it’s going to try the same 10,000 simple passwords that people keep reusing. It’s shocking how often this works.”
Below, Mitchell shares the 10 most common weak passwords still in use in 2025 (which you should avoid at all costs).
123456
123456789
12345678
password
qwerty123
qwerty1
111111
12345
secret
123123
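
As an added illustration (not from the article or from Heimdal Security), the Python sketch below shows a sign-up-time check that rejects the ten passwords above by the pattern each one follows, so close variants are caught too; in that respect it goes beyond the list itself. The word and keyboard-row lists, the leet mapping and the function names are assumptions chosen for the example.

```python
import re

# The ten passwords listed in the article.
ARTICLE_TOP10 = ["123456", "123456789", "12345678", "password", "qwerty123",
                 "qwerty1", "111111", "12345", "secret", "123123"]

# Assumption: tiny illustrative lists. A real deployment would load a large
# breached-password corpus instead of four words.
COMMON_WORDS = {"password", "secret", "admin", "louvre"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
LEET = str.maketrans("013457@$!", "oleastasi")  # p@ssw0rd -> password


def _is_run(s):
    """One repeated character, or a strictly ascending/descending sequence."""
    if len(set(s)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def _is_repeated_block(s):
    """A shorter block repeated to fill the string, e.g. 123123."""
    return len(s) >= 4 and s in (s + s)[1:-1]


def _is_keyboard_walk(s):
    return len(s) >= 4 and any(s in r or s in r[::-1] for r in KEYBOARD_ROWS)


def weakness(password):
    """Return the reason a candidate password is guessable, or None."""
    p = password.lower()
    core = re.sub(r"[\d\W_]+$", "", p)  # qwerty123 -> qwerty
    if _is_run(p):
        return "sequence or repeated character"
    if _is_repeated_block(p):
        return "repeated block"
    if _is_keyboard_walk(core):
        return "keyboard walk"
    if core.translate(LEET) in COMMON_WORDS:
        return "common word"
    return None


if __name__ == "__main__":
    # Constructed variants that are not in the list but share its patterns.
    for pw in ARTICLE_TOP10 + ["P@ssw0rd1", "Qwerty2025!", "654321", "LOUVRE"]:
        print(f"{pw!r:15} rejected: {weakness(pw)}")
```

A check like this belongs at account creation and password change, alongside a lookup against known-breached passwords.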

