Almost 6 Billion Credentials Were Leaked Online in 2021

A new report from Atlas VPN has revealed nearly 6 billion accounts were affected by data leaks and data breaches in 2021, which made 2021 a record-breaking year for credential theft.

Atlas VPN obtained information on data breaches from multiple sources and includes reported data breaches between January 1st, 2021, and December 31st, 2021. In total, more than 5.9 million unique sets of credentials were stolen or leaked online in 2021.

  • Q1 – 4.03 billion credentials
  • Q2 – 1.42 billion credentials
  • Q3 – 357.13 million credentials
  • Q4 – 93.39 million credentials

2021 broke another record with the biggest ever batch of email/password combinations leaked online. The so-called Combination of Data Breaches (COMB) leak in February 2021 included 3.2 billion unique credentials for online accounts. To put that figure into perspective, at the time there were estimated to be around 4.7 billion people online, which equates to 70% of all Internet users and 40% of the world population. This was not a single breach naturally, but a compilation of credentials from many different breaches over the past 5 years.

2020 also saw a major leak of LinkedIn credentials with 700 million credentials released online. LinkedIn claimed this was not a breach but a large-scale data scraping incident. A further 500 million credentials were leaked again in April, although LinkedIn said they were part of the original dataset.

The third-largest release of credentials affected 533 million Facebook users. This was also claimed to be due to a data scraping event, which was made possible by exploiting a vulnerability that was patched by Facebook in 2019. In position number 4 was a 220 million breach of credentials at the Brazilian Ministry of Health, which was the largest ever data breach to occur in Brazil. The data found its way onto a darknet marketplace in January 2021. Rounding out the top 5 was a breach at the Chinese social media company SocialArks, with was due to a cloud misconfiguration and saw the credentials of 214 million users stolen, including credentials for social media accounts such as Facebook, LinkedIn, and Instagram.

The scale of the credential breaches in 2021 acts as a reminder to businesses and consumers about the importance of password security. With so much sensitive information available online and the sheer number of accounts people now have, it is inevitable that everyone will be affected by at least one data breach so it is important to make sure precautions are taken.

One of the most important steps to take is to set up 2-factor authentication on accounts. In the event of credentials being compromised, a second factor must be provided before those credentials can be used to access accounts. 2FA protections can be bypassed but, in general, enabling 2FA prevents unauthorized account access.

Many credentials are compromised using simple brute force tactics. Brute force attacks involve trying many different username and password combinations until the right one is guessed. Credential stuffing is a form of brute force attack that is much more effective. Credentials obtained in previous data breaches are used to try to access accounts. These attacks take advantage of password reuse across multiple platforms.

The importance of a password manager should not be underestimated. A password manager has a secure password generator that will generate strong, unique passwords for all accounts to protect against credential stuffing and other brute force attacks. The password database is encrypted and is protected by a master password. All a user needs to do is set one complex passphrase for their password vault and that is the only password/passphrase they will need to remember.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of