By Ed Dean
Despite a major 16 billion password leak, along with the McDonald’s and Yahoo data breaches, most people continue to use weak passwords.
Danny Mitchell, cybersecurity expert and writer for Heimdal Security (https://heimdalsecurity.com/), says cybersecurity negligence still exists.
Mitchell tells consumers to stop reusing the same login across dozens of platforms.
People are still using “123456” as their only line of defense, and poor password habits continue to leave billions exposed. With 94% of passwords used to access multiple accounts and only 3% meeting basic complexity standards, cybercriminals barely need to lift a finger to hack into sensitive accounts.
4 Infamous Password Fails That Made Headlines
1. The 16 Billion Password Mega Leak
In June 2025, the internet was rocked by one of the largest data dumps in history: a staggering 16 billion stolen passwords and credentials from dozens of past breaches combined into a single leak. While some were recycled from previous incidents, millions were newly exposed. The breach revealed just how reckless password reuse has become, with “admin” and “password” appearing tens of millions of times.
The fallout was swift, as credentials flooded dark web markets, selling for as little as $10 apiece. Hackers could buy access to social media, email, and even bank accounts for the price of a takeaway coffee.
2. McDonald’s Monopoly VIP Mishap
McDonald’s UK faced an embarrassing blunder during its Monopoly VIP prize campaign in 2025. Due to an administrative error, database usernames and passwords were accidentally emailed to prize winners, exposing credentials for both staging and production servers. While the production system was firewalled, some recipients were able to access the staging server, a near miss that could have been catastrophic.
The company acted fast, changing credentials and apologizing publicly. Still, the incident served as a costly reminder that technical mistakes can travel at the speed of email: instantaneously.
3. The Louvre Password That Made France Blush
In one of this year’s more surreal cybersecurity muck-ups, a 2014 security report resurfaced, revealing that the Louvre’s CCTV network password was simply “LOUVRE.” The detail came to light after an audacious jewel heist targeted the museum in 2025, reigniting debate about lax password policies in high-security institutions.
4. Yahoo’s Billion-Dollar Breach
Between 2013 and 2016, Yahoo suffered a series of cyberattacks that exposed 3 billion user accounts, one of the largest known breaches in history. Hackers gained access to sensitive information, including names, phone numbers, birth dates, and security questions, through stolen backups and database infiltration.
Yahoo’s delayed disclosure led to $35 million in fines and 41 class-action lawsuits, as well as a significant dent in public trust when the breach was fully revealed during Verizon’s 2017 acquisition of the company.
“Hackers don’t need advanced tools anymore,” says Mitchell. “They just automate password attempts using bots, which try the same 10,000 simple passwords that people keep recycling. It’s shocking how often it works.”
Below, Mitchell presents the 10 most common weak passwords still being used in 2025 (which you should definitely avoid):
123456
123456789
12345678
password
qwerty123
qwerty1
111111
12345
secret
123123




