A stark new warning from the privacy-focused tech company Proton, the creator of Proton Mail, has shed light on the true scale of the data breach crisis. According to its new "Data Breach Observatory" initiative, a staggering 300 million stolen login credentials have been identified actively circulating on dark web forums and marketplaces in 2025 alone.
This alarming figure comes from Proton's project to actively monitor underground cybercriminal forums, identifying data leaks often long before the compromised companies themselves report them. The company emphasizes that this 300 million figure is not from a single hack but is the combined total from nearly 800 separate, verified data breaches this year. If unverified and aggregated data sets were included, Proton notes the true number of leaked records could be in the hundreds of billions.
The data being bought and sold by criminals includes a toxic cocktail of sensitive personal information. In nearly all cases, email addresses are exposed. This is often combined with full names (90% of cases), contact information like phone numbers (72%), and, most critically, passwords (49%). In a significant number of breaches, even highly sensitive data like social security numbers and banking information was leaked.
This year's breach list includes massive hauls from corporations across all sectors, including over 11.8 million records from Qantas Airways, 19 million from French telecom provider Free, and over 33 million from the Indian education platform SkilloVilla. The report also highlights a clear trend: small and medium-sized businesses are the primary targets, accounting for over 70% of all breaches, as they are often seen as easier targets with fewer security resources.
For the average person, this report is an urgent call to action. The widespread availability of this data fuels a massive criminal industry centered on "credential stuffing," where bots automatically test these stolen login-password combinations on other popular websites. This is why using the same password on multiple sites is so dangerous: a breach at one low-security website can lead to your bank account or primary email being compromised.
The single most effective defense against this threat is to enable multi-factor authentication (MFA) on every account that offers it. Even if a criminal has your correct password, they cannot log in without a second code from your phone. This, combined with using a password manager to create unique, strong passwords for every site, is the foundational defense every internet user must adopt.
