The Specops Software research team has released a new research report titled “Heatmap of 10 million breached passwords: 98.5% are weak.”
The report is based on an analysis of 10 million passwords sampled at random from the 1 billion+ breached password list used by Specops Password Auditor; all are real compromised passwords that have been captured by Specops.
In a visual heatmap that mapped out common length and complexity combinations, the researchers found that only 1.5% of these 10 million passwords could be considered ‘strong.’ The findings show that organizations are still allowing users to create weak passwords that could be used as simple attack routes for hackers.
The research coincides with the latest addition of over 13 million compromised passwords to the Specops Breached Password Protection service. These passwords come from a combination of our honeypot network and threat intelligence sources.
Commenting on the report, Darren James, Senior Product Manager, said: “Despite years of training, many users still choose weak, easily guessed combinations that cybercriminals can crack in seconds. To bring this risk into sharp relief, our research team analyzed 10 million real-world passwords and plotted them on a heatmap measuring strength by both length and complexity. This visual ‘strength landscape’ shows how organizations need to adjust their password policies to move end users’ Active Directory passwords away from the zone of risk into the zone of security.”
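As an added illustration of the length-by-complexity "strength landscape" described above (this is example code, not Specops' own tooling or methodology), the script below buckets a constructed sample of passwords by length and by the number of character classes they contain, counts each cell of the resulting heatmap, and reports the share that pass a strength rule. The bucket boundaries, the four character classes (lower, upper, digit, other) and the strength rule (16+ characters, or 12+ characters with at least three classes) are assumptions made for the example; the report does not publish its exact criteria.

```python
"""Length-by-complexity heatmap of a password list (added example, not Specops' code)."""
from collections import Counter

# Constructed sample for the example; not taken from any breach corpus.
SAMPLE_PASSWORDS = [
    "password", "123456", "qwerty", "letmein1", "Summer2024",
    "Welcome1!", "abc123", "P@ssw0rd", "correct horse battery staple",
    "Xk9#mQ2$vL7!pR4z", "Tr0ub4dor&3", "iloveyou", "admin", "dragon99",
    "Monkey!2023", "zJ4!wq8Lp^2r", "111111", "footballfan",
    "Spring-2025-Login", "aA1!aA1!aA1!aA1!",
]

# Assumed length buckets for the heatmap rows.
LENGTH_BUCKETS = ("1-7", "8-11", "12-15", "16+")


def length_bucket(pw: str) -> str:
    """Map a password length onto one of the assumed heatmap rows."""
    n = len(pw)
    if n <= 7:
        return "1-7"
    if n <= 11:
        return "8-11"
    if n <= 15:
        return "12-15"
    return "16+"


def char_classes(pw: str) -> int:
    """Count character classes present: lowercase, uppercase, digit, other (symbols/space)."""
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_other = any(not c.isalnum() for c in pw)
    return sum((has_lower, has_upper, has_digit, has_other))


def is_strong(pw: str, min_len: int = 12, min_classes: int = 3, passphrase_len: int = 16) -> bool:
    """Assumed strength rule (not the report's): a long passphrase counts as strong
    regardless of classes; otherwise require both length and class diversity."""
    n = len(pw)
    return n >= passphrase_len or (n >= min_len and char_classes(pw) >= min_classes)


def build_heatmap(passwords) -> Counter:
    """Count passwords per (length bucket, class count) cell."""
    return Counter((length_bucket(pw), char_classes(pw)) for pw in passwords)


def strong_share(passwords) -> float:
    """Fraction of the list that passes is_strong()."""
    return sum(is_strong(pw) for pw in passwords) / len(passwords)


def render_heatmap(heatmap: Counter, total: int) -> str:
    """Render the heatmap as a text table of percentages (rows: length, columns: classes)."""
    header = "length  " + "".join(
        f"{k} class{'es' if k > 1 else ''}".rjust(11) for k in range(1, 5)
    )
    lines = [header]
    for bucket in LENGTH_BUCKETS:
        # Counter returns 0 for empty cells, so every row renders fully.
        cells = "".join(f"{100 * heatmap[(bucket, k)] / total:10.1f}%" for k in range(1, 5))
        lines.append(f"{bucket:<8}{cells}")
    return "\n".join(lines)


if __name__ == "__main__":
    hm = build_heatmap(SAMPLE_PASSWORDS)
    print(render_heatmap(hm, len(SAMPLE_PASSWORDS)))
    print(f"strong share: {100 * strong_share(SAMPLE_PASSWORDS):.1f}%")
```

Pointing `SAMPLE_PASSWORDS` at a real audit export (one password per line, read from a file) turns this into a quick policy check: cells concentrated in the short, one- or two-class corner are the "zone of risk" the report describes, and the heatmap makes visible which length or complexity minimum would move the most users out of it. The passphrase rule is deliberate: a rule that only counts character classes would rate a 28-character lowercase passphrase as weak, which is usually the wrong conclusion.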
Hundreds of e-stores were exposed by an insecure Shopify plugin
Posted in Commentary with tags Cybernews on July 15, 2025 by itnerd
The Cybernews research team has discovered that Consentik, a Shopify plugin designed to help merchants comply with privacy laws such as GDPR, LGPD, and CCPA, was exposing hundreds of online stores, broadcasting real-time site analytics and private authentication tokens.
Key research takeaways
What was leaked?
Significance of this leak
This data leak puts e-commerce businesses operating in sectors like fashion, cosmetics, fitness, and consumer electronics at risk, and may have allowed anyone to intercept tokens granting admin-level access.
In the wrong hands, a valid Shopify token can mean total control of a store, including customer data access, price manipulation, malicious code injection, or even replacing entire storefronts with lookalike phishing pages.
Additionally, these kinds of compromises can seriously damage a brand’s trust with users. In the EU and California, such oversights could bring legal scrutiny, fines, or even class-action litigation.
To read the full research report and see samples of leaked screenshots, please click here.