
Proton Unveils Staggering Scale of Dark Web Credential Trade: 300 Million Records Exposed, 49% Include Passwords


New Data Breach Observatory shines unprecedented light on underground economy trafficking in stolen credentials, revealing small businesses bear the brunt of cybercrime

GENEVA— Privacy-focused tech firm Proton has pulled back the curtain on the shadowy world of dark web credential trading, revealing that more than 300 million individual records have been compromised in nearly 800 verified data breaches during 2025 alone. Perhaps most alarming: nearly half of these stolen records include actual passwords, providing cybercriminals with ready-made keys to unlock victims’ digital lives.

The findings, released through Proton’s newly launched Data Breach Observatory, represent the most comprehensive public accounting of dark web credential trafficking to date. Unlike traditional breach notification systems that rely on companies voluntarily disclosing incidents, Proton’s platform actively monitors criminal marketplaces where stolen data is bought and sold, often revealing breaches that affected organizations never publicly acknowledged.

“We’re not waiting for companies to come clean anymore,” Eamonn Maguire, Proton’s Director of Engineering for AI and Machine Learning, told The Cyber Reporter in an exclusive interview. “Our team is going directly to the source—the dark web forums and criminal marketplaces where this stolen data actually changes hands. What we’re finding is both alarming and, frankly, predictable given the current state of password security.”

The Hidden Economy of Stolen Credentials

The scope of the problem extends far beyond the 300 million figure, which represents only verified breaches tied to specific, identifiable companies. When Proton’s researchers include aggregated “combo lists”—massive compilations that bundle stolen data from multiple sources—the true scale balloons to approximately 1,571 incidents affecting hundreds of billions of records.

The anatomy of these stolen datasets reveals a disturbing pattern. According to Proton’s analysis, email addresses appeared in 100% of the breached records examined, while full names featured in 90% of cases. Contact information such as phone numbers and physical addresses showed up in 72% of breaches. Most concerning, passwords—often stored in plaintext or using weak encryption—were present in 49% of the compromised datasets.

“Think about what that means,” explained Dr. Rebecca Martinez, a cybersecurity researcher at Stanford University who reviewed Proton’s methodology. “When criminals get their hands on a record that includes both an email address and a password, they’re not just getting access to one account. Most people reuse passwords across multiple services, so that single compromised credential becomes a skeleton key to someone’s entire digital life—their banking, social media, work accounts, everything.”

The trading of these credentials on dark web marketplaces has become a sophisticated economy unto itself. Prices vary based on the freshness and completeness of the data, with records containing financial information or corporate access credentials commanding premium prices. Some vendors even offer customer support and “guarantees” that the stolen credentials are still valid.

Small Businesses: The Forgotten Victims

One of the most striking revelations from Proton’s research is the disproportionate impact on small and medium-sized businesses (SMBs). A staggering 71% of the verified breaches affected companies with fewer than 250 employees, with firms employing between 10 and 49 people accounting for much of this vulnerability.

“This finding challenges a common misconception that cybercriminals only target large corporations,” noted Michael Chen, a former FBI cybercrime investigator now working in private sector security consulting.

“The reality is that small businesses often have valuable data but lack the security infrastructure and expertise of larger enterprises. They’re easier targets, and there are far more of them.”

The industry breakdown provides additional insight into the threat landscape. Retail and wholesale businesses bore the brunt of attacks, accounting for 25.4% of breaches, followed by technology firms at 15% and media or entertainment companies at 11%[5]. These sectors share common characteristics: they handle large volumes of customer data, often operate on thin margins, and may lack dedicated cybersecurity staff.

“I can tell you from personal experience, when you’re running a small retail operation, cybersecurity often takes a backseat to just keeping the doors open,” shared Jennifer Walsh, owner of a mid-sized e-commerce business in Portland that was not affected by these breaches but recognizes the vulnerability. “You’re worried about inventory, payroll, customer service—and then someone tells you that you need a dedicated security team and enterprise-grade monitoring tools. For most small businesses, that’s simply not realistic.”

The Data Breach Observatory: A New Approach to Transparency

Proton’s Data Breach Observatory represents a significant departure from traditional breach disclosure models. Rather than waiting for affected companies to report incidents—which many are reluctant to do unless legally required—the platform actively monitors dark web sources to identify breaches as stolen data appears in criminal marketplaces.

The system, developed in partnership with threat intelligence firm Constella Intelligence, employs sophisticated data analysis to verify breaches, identify affected organizations, and categorize the types of data compromised. The platform updates in near real-time and publishes details of newly discovered breaches regardless of whether the affected companies have chosen transparency.

“There’s a fundamental information asymmetry in the current system,” Maguire explained. “Companies know when they’ve been breached, but they often have strong incentives not to disclose—fear of reputational damage, regulatory fines, customer lawsuits. Meanwhile, the people whose data was stolen remain in the dark, unable to take protective action. We’re trying to fix that imbalance.”

The Observatory differs from existing services like HaveIBeenPwned in its approach to data sourcing and real-time monitoring. While services like HaveIBeenPwned aggregate breach data from various sources including GDPR notifications and researcher disclosures, Proton’s platform focuses specifically on systematic monitoring of criminal sources, potentially catching breaches months or years before they surface through official channels.

The Human Cost: Beyond the Numbers

Behind the statistics lie real human consequences that can devastate individuals and families. Identity theft, financial fraud, and account takeovers represent just the immediate impacts. The psychological toll of having personal information stolen and traded in criminal marketplaces can be equally damaging.

“When I discovered my information was part of a breach, it felt like a violation,” said Thomas Rodriguez, a software developer in Austin whose credentials appeared in multiple dark web datasets. “It wasn’t just about changing passwords—though I had to do that for about 40 different accounts. It was the knowledge that strangers were trading my personal information like a commodity. I spent months looking over my shoulder, checking my credit reports weekly, wondering if someone was going to drain my bank account or take out loans in my name.”

The sensitive nature of some breached data compounds these concerns. Proton’s research found that 34% of the compromised datasets included sensitive information such as healthcare records, government-issued identification numbers, or financial account details[2][5]. This type of data enables more sophisticated fraud schemes and can have lasting consequences for victims.

The Password Problem: A Security Model Under Siege

At the core of this crisis lies a fundamental vulnerability: the continued reliance on password-based authentication. Despite years of warnings from security experts and increasing adoption of alternatives like biometric authentication and hardware security keys, passwords remain the primary gatekeeping mechanism for most online services.

“Passwords are inherently insecure,” stated Dr. Sarah Kim, a cryptography expert at MIT. “They’re vulnerable to phishing, keylogging, credential stuffing attacks, and simple human error like reuse across multiple sites. We’ve known this for decades, yet the industry has been remarkably slow to move beyond them.”

The challenge is both technical and behavioral. While alternatives like passkeys and biometric authentication offer superior security, they require users to change long-established habits and often depend on newer devices or software that not everyone has access to. Meanwhile, the friction introduced by more secure authentication methods—such as hardware tokens or complex multi-factor authentication—can frustrate users and reduce adoption.

“There’s a constant tension between security and convenience,” explained Chen, the former FBI investigator. “Users want seamless, frictionless experiences, but strong security inherently introduces some friction. Companies that add too much friction risk losing customers to competitors with easier login processes. It’s a difficult balance.”

The Role of Corporate Responsibility

Proton’s decision to launch the Data Breach Observatory also raises important questions about corporate responsibility and disclosure obligations. By publicly identifying breaches that companies have chosen not to disclose, the platform essentially forces transparency on organizations that might prefer to keep quiet.

“This creates an interesting ethical and legal dynamic,” noted Jessica Lin, a technology law professor at Columbia University. “On one hand, consumers clearly have a right to know when their data has been compromised. On the other hand, there are legitimate concerns about false positives, the impact on companies’ reputations, and whether private entities should be making these determinations rather than regulatory bodies.”

Proton has attempted to address these concerns through rigorous verification processes and a focus on confirmed breaches where stolen data has actually appeared on dark web marketplaces. The company also emphasizes that its goal is not to shame businesses but to create incentives for better security practices and more transparent breach disclosure.

“We’re not trying to destroy companies or create panic,” Maguire clarified. “Our aim is to provide accurate information that helps people protect themselves and encourages organizations to take security seriously. If companies know that breaches will be discovered and disclosed regardless of their own reporting decisions, maybe that changes the calculus and leads to more proactive security investments.”

Immediate Steps for Protection

Given the massive scale of credential compromise revealed by Proton’s research, cybersecurity experts are urging individuals and businesses to take immediate protective action:

For Individuals:
– Check whether your credentials have been compromised using services like Proton’s Data Breach Observatory or HaveIBeenPwned
– Change passwords immediately for any affected accounts, using unique, strong passwords for each service
– Enable two-factor authentication (2FA) on all accounts that support it, preferably using app-based authenticators or hardware keys rather than SMS
– Consider using a password manager to generate and store unique passwords for each service
– Transition to passkeys whenever they’re available as an option
– Monitor financial accounts and credit reports regularly for signs of fraud

For Businesses:
– Implement robust security practices including encryption, regular security audits, and employee training
– Adopt breach detection and response plans that include prompt notification of affected individuals
– Consider investing in dark web monitoring services to identify compromised credentials
– Move toward passwordless authentication methods where feasible
– Ensure that any passwords stored in databases are properly hashed using modern, strong algorithms
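
The last recommendation, shown as an added example that is not from Proton or the original article: passwords stored with a salted, memory-hard hash (scrypt from Python's standard library), plus an upgrade path that re-hashes a legacy unsalted MD5 record the next time its owner logs in successfully. The record format, the `md5$` legacy prefix and the cost parameters are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumed cost parameters for this example; raise N as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def _scrypt(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)


def hash_password(password: str) -> str:
    """Return 'scrypt$N$r$p$salt_hex$hash_hex' using a fresh random salt."""
    salt = secrets.token_bytes(16)
    digest = _scrypt(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Check a login attempt against a stored record.

    Returns (ok, upgraded). `upgraded` is a new scrypt record when a legacy
    record verified and should replace the old one in the database.
    """
    scheme, _, rest = stored.partition("$")
    try:
        if scheme == "scrypt":
            n, r, p, salt_hex, hash_hex = rest.split("$")
            digest = _scrypt(password, bytes.fromhex(salt_hex), int(n), int(r), int(p))
            # Constant-time comparison avoids leaking how many bytes matched.
            return hmac.compare_digest(digest, bytes.fromhex(hash_hex)), None
        if scheme == "md5":  # legacy: fast and unsalted, trivially cracked once leaked
            legacy = hashlib.md5(password.encode()).hexdigest()
            ok = hmac.compare_digest(legacy, rest)
            return ok, (hash_password(password) if ok else None)
    except ValueError:
        pass  # malformed record or parameters: treat as a failed login
    return False, None  # unknown scheme (including plaintext) is never accepted


if __name__ == "__main__":
    # Constructed sample record, not taken from any real dataset.
    legacy_record = "md5$" + hashlib.md5(b"hunter2").hexdigest()
    ok, upgraded = verify_password("hunter2", legacy_record)
    print(ok, upgraded.split("$")[0])
```

Because each record carries its own salt and parameters, two users with the same password get different hashes, and the cost can be raised later without invalidating existing records.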

Looking Forward: A Long Road Ahead

The launch of Proton’s Data Breach Observatory marks a significant step toward greater transparency in the ongoing battle against cybercrime, but it also underscores just how far the industry has to go. With hundreds of billions of records potentially compromised and dark web markets continuing to thrive, the credential theft problem shows no signs of abating.

“This is a systemic issue that requires systemic solutions,” concluded Dr. Martinez from Stanford. “No single company or technology is going to solve it. We need a combination of better authentication technologies, stronger legal frameworks for breach disclosure, more aggressive law enforcement action against cybercriminals, and a fundamental shift in how we think about digital identity and access control.”

For now, the best defense remains vigilance—regularly checking for compromised credentials, using strong and unique passwords, enabling multi-factor authentication, and staying informed about emerging threats. Proton’s Data Breach Observatory provides a valuable tool for that vigilance, even as it reveals the daunting scale of the challenge ahead.

“Knowledge is power,” Maguire reflected. “We may not be able to prevent every breach or catch every criminal, but we can arm people with the information they need to protect themselves. That’s what the Data Breach Observatory is all about—turning the light on in the dark web and giving people a fighting chance.”

*The Cyber Reporter will continue monitoring developments in credential security and dark web activity. Readers can check whether their credentials have been compromised by visiting Proton’s Data Breach Observatory at proton.me/business/passbreach-observatory*


This investigation included interviews with cybersecurity experts, law enforcement officials, breach victims, and Proton’s research team. The reporter has independently verified the methodology used in the Data Breach Observatory research.
