Skip to content

3.7 billion email addresses were compromised in the last 20 years

  • by
  • 3 min read

In a world increasingly reliant on digital communication and online services, a concerning trend has emerged in recent decades — password leaks — that paints a sobering picture of the vulnerabilities individuals face worldwide.

A recent analysis of leaked password data conducted by Surfshark reveals that about 3.7 billion unique email addresses have been compromised since 2004. This number implies that nearly half of the world’s population has fallen victim to data breaches. Even more alarming is the fact that these email addresses were often leaked alongside passwords, resulting in a total of 9.5 billion passwords being exposed. On average, each unique email address has been breached with 2.5 passwords.

As many people use the same email for different services, a single email or account can be breached several times in separate cases. Also, according to Surfshark, 29.1% of the total breached accounts did not contain information about that person’s country of residence, so the country-specific numbers could be much higher.

Geographically, North America is the region most susceptible to password leaks, with an average of three leaked passwords per unique email address, approximately 20% higher than the global average.

Following closely is Europe and Central Asia, with 2.8 leaked passwords. Conversely, the Middle East, North Africa, Latin America, and the Caribbean fare better, with averages of 1.7 and 1.6 passwords per unique email address.

The report also identifies countries where citizens are particularly vulnerable to account takeovers. Topping the list is Congo DR, with a startling 5.7 passwords leaked per unique email account, followed by Czechia (4.2), Gambia (4.1), Italy (4), and Germany (3.8).

One interesting finding is that Iran, despite ranking 12th in total breaches count, has the lowest number of passwords leaked per unique email address, averaging just 0.03 passwords per 100 unique emails. This suggests a relatively high level of security awareness among Iranian internet users. Other countries with low susceptibility to account takeovers include Timor-Leste (30% of email accounts breached with a password), South Sudan (40%), Iraq (51%), and Guatemala (61%).

Source: Surfshark

Regarding raw numbers, Russia tops the list with 2.9 billion passwords leaked since 2004, followed by the United States with 1.8 billion, China with 915 million, Germany with 510 million, and France with 448 million.

There is some good news for Indian users. It was reported that India saw a 44% decrease in 2023’Q2 over 2023’Q1. However, there remains a lot of work to do as the total number of breaches in India is about 292 million, and the country is currently at 8th rank in the number of global accounts breached worldwide.

The methodology behind this study involved analysing global data breach statistics from 2004 to June 2023, collected from 29,000 publicly available databases. The data was then anonymised and analysed by Surfshark’s researchers to determine the ratio of unique leaked email addresses to compromised email addresses and passwords. Countries under one million were excluded from the rankings, as their impact on global statistics was negligible.

These findings are a stark reminder of the critical importance of robust online security measures in an interconnected world. You should regularly change your passwords and follow the best practices when selecting a strong password.

In the News: Dutch chipmaker NXP confirms data breach and leak of customer data


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: [email protected]