This is a map of the internet’s biggest sources of breached data, from June 2011 to today.
The data is drawn from Troy Hunt’s Have I Been Pwned project (with minor adjustments), so you can click through to the site to see if you’re included. Each bubble represents a single breach, and as you scroll down, you’ll see them getting bigger and coming faster, until the sheer volume is overwhelming.
Crucially, they build on each other: if your favorite password didn’t leak out in the Dropbox breach, hackers could have gotten it from LinkedIn, Yahoo, or hundreds of others. (This, as you probably know, is why you need a unique password for each service.)
This isn’t a comprehensive list of every breach in history — it’s a safe bet we don’t know about some yet — but it’s a good survey of the login credentials available on the internet today. We’ve included a cumulative scale marker to give a sense of the full scope. We were a little surprised to find that the database contains more usernames than there are human beings alive on Earth. Of course, with more than 500 separate breaches, there’s ample opportunity for human beings to double up on leaked accounts, but the scale of compromised information is still staggering.
We usually talk about breaches as isolated incidents, like a single point of failure with a specific cause and effect. But seen from this vantage, the story is less about any single company, and more about the all-consuming entropy of information online. Something is always breaking, some secret is always slipping out. The real work of cybersecurity is managing that entropy — building a raft of stability in a system where all credentials may eventually be breached and all protections may eventually break down.