Proton Uncovers 300 Million Stolen Credentials on the Dark Web

Proton has uncovered more than 300 million stolen login credentials actively circulating on dark web marketplaces. Nearly half of the exposed records contain passwords, making them highly exploitable by cybercriminals. The discovery was made through Proton’s new Data Breach Observatory, a monitoring platform that pulls leaked data directly from cybercrime forums, marketplaces, and other underground sources. This approach allows Proton to identify breaches at their origin rather than waiting for public disclosures by affected companies.

A New Method for Detecting Data Leaks

Proton’s Data Breach Observatory monitors hacker-operated websites and repositories where stolen data is distributed and sold. By doing so, the platform provides real-time visibility into credential leaks that might otherwise remain hidden from the public. According to Proton, the system delivers a level of threat intelligence and breach transparency that traditional monitoring solutions have failed to offer.

This proactive approach allows both individuals and organizations to take action quickly if their information appears in a leak. Instead of relying on breach announcements that may come weeks or months after exposure, users are alerted to stolen data as soon as it is identified in circulation.

What the Data Reveals

  • More than 300 million unique credential sets were discovered
  • 49 percent of those records included passwords
  • 71 percent of the exposed credentials were linked to small and midsize businesses

Proton emphasized that these records are not part of previously known combo lists. Instead, they originate from isolated leaks and newly sourced dumps. This finding highlights the ongoing vulnerability of smaller organizations, many of which lack the technical defenses and monitoring capabilities required to detect when accounts have been compromised.

Credential Theft Is an Ongoing Threat

Despite efforts to move toward more secure authentication technologies, stolen passwords remain a critical threat vector in cyberattacks. Common issues such as password reuse, weak credential policies, and susceptibility to phishing continue to make user accounts easy targets.

In recent weeks, incidents have included an exposure of over 180 million Gmail credentials, malware targeting Android users, and security advisories from password managers warning about attempted master password compromises. These incidents show that stolen credentials are not only abundant but also actively used in campaigns against individuals and organizations across all sectors.

Stolen credentials are often sold in bulk, tested automatically across major websites, or used in targeted phishing campaigns. In some cases, the data is shared for free among cybercriminal communities to boost reputation or lure participants into private forums.

Why Credential-Based Attacks Often Go Undetected

When attackers use valid login credentials, their actions often appear legitimate to monitoring systems. No malware is deployed. No obvious intrusion is logged. The result is silent access that allows attackers to move through systems undetected for extended periods of time.

This type of breach is especially dangerous for small and midsize businesses that lack behavioral monitoring, access control enforcement, or intrusion detection tools. Without the resources to identify suspicious login activity, many of these organizations never realize they were compromised until data has already been exfiltrated or misused.
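The kind of behavioral login monitoring described above can be sketched as follows. This is an added example, not code from Proton or from the original article. The event format, thresholds, and alert names are assumptions, and the sample events are constructed. It flags two patterns that a valid-credential login would otherwise hide: a success from a source that has just failed against several different accounts, and a success from a source never before seen for that account.

```python
from collections import defaultdict

# Constructed sample events: (unix_ts, source_ip, account, outcome).
# IPs are from documentation ranges; the tuple layout is an assumption.
EVENTS = [
    (0,    "198.51.100.7", "alice", "ok"),
    (50,   "192.0.2.20",   "bob",   "ok"),
    (60,   "192.0.2.30",   "carol", "ok"),
    (1000, "203.0.113.9",  "alice", "fail"),
    (1002, "203.0.113.9",  "bob",   "fail"),
    (1004, "203.0.113.9",  "dave",  "fail"),
    (1006, "203.0.113.9",  "carol", "ok"),    # valid password, hostile source
    (5000, "203.0.113.50", "bob",   "ok"),    # valid password, unfamiliar source
    (6000, "198.51.100.7", "alice", "ok"),    # normal login from a known source
]

def detect(events, window=300, min_accounts=3):
    """Return alerts for successful logins that look like stolen-credential use."""
    fails = defaultdict(list)   # ip -> [(ts, account)] failed attempts
    known = defaultdict(set)    # account -> IPs with earlier unalerted successes
    alerts = []
    for ts, ip, account, outcome in sorted(events):
        if outcome == "fail":
            fails[ip].append((ts, account))
            continue
        # Distinct accounts this source failed against shortly before succeeding.
        recent = {a for t, a in fails[ip] if ts - t <= window}
        if len(recent) >= min_accounts:
            alerts.append((ts, account, ip, "success_after_spray"))
        elif known[account] and ip not in known[account]:
            alerts.append((ts, account, ip, "new_source_for_account"))
        else:
            # Only unalerted logins extend the baseline, so an attacker's
            # source does not become "known" just by logging in once.
            known[account].add(ip)
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Neither alert depends on malware or a failed intrusion attempt being logged against the affected account, which is the gap the section describes.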

Proton’s Security Recommendations

“Data breaches targeting online services are becoming ever more frequent, with over three hundred million individual records already exposed this year on the dark web,” said Eamonn Maguire, Director of Engineering for AI and ML at Proton. He stressed the need for early detection and stronger user-side defenses to limit the fallout of credential leaks.

To reduce the risk of account compromise, Proton recommends the following:

  • Use breach monitoring tools to check whether your credentials have been exposed
  • Create strong, unique passwords for each account and update them regularly
  • Adopt passkeys or passwordless authentication where available
  • Enable two-factor authentication on every important service
  • Stay informed by following reliable cybersecurity resources
  • Use real-time protection and identity theft prevention tools like Malwarebytes to defend against credential-stealing malware

Passwords Are Still the Weakest Link

While some platforms are beginning to adopt passwordless technologies, the vast majority of online services still depend on traditional credentials. This leaves users vulnerable to the continued flow of stolen login data across the dark web. Proton’s findings confirm that password-based attacks are not only persistent but also increasingly efficient for cybercriminals.

In many cases, successful breaches occur without a single piece of malware being deployed. Instead, attackers rely on stolen usernames and passwords to gain quiet access to systems and data. For this reason, users must treat credential hygiene as a critical component of their digital safety strategies.

Anyone concerned about infostealers or password-harvesting threats should invest in early warning systems, use secure authentication methods, and regularly audit their account security practices.

Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.
