North Americans are the most affected by password leaks

Another week, another chart! This time, we're examining the statistics related to leaked passwords. Surfshark’s Global Data Breach Statistics includes email addresses that have been leaked since 2004, many of which were breached several times and were sometimes accompanied by passwords. Keep in mind that the number of passwords far exceeds that of email addresses, as we rarely create a new email account for a service. Email addresses leaked with passwords increase the risk of accounts being taken over by the threat actors. In this chart, we’ll reveal the countries and regions that have leaked the most passwords per unique email address. So, grab your virtual surfboard as we ride the waves of leaked password stats. Let's dive in!

Key insights

• Since 2004, 3.7 billion unique email addresses have been leaked. If each person had just one email address, this would mean that half of the world’s population has been breached. Email addresses are often leaked with a password — 9.5 billion passwords have been leaked since 2004. To put this in perspective, each unique email address has been breached with 2.5 passwords.
• North America is leading the way with 3 leaked passwords per unique email address on average — almost 20% more than the global value. Following closely is Europe & Central Asia (2.8). On the other side of the spectrum are the Middle East & North Africa (1.7) and Latin America & the Caribbean (1.6).
• Countries whose citizens are the most prone to account takeover: Congo DR, with 5.7 passwords leaked per unique email account, Czechia (4.2), Gambia (4.1), Italy (4), and Germany (3.8).
• Interestingly, Iran, which ranks 12th by total breach count¹ , stands out as the country with the lowest number of passwords leaked per unique email address — 0.03 passwords per 100 unique emails on average. Statistically speaking, this means that only 3% of Iranian email addresses were leaked with a password. Following Iran are countries that are the least susceptible to account takeovers: Timor-Leste (30% of email accounts breached with a password), South Sudan (40%), Iraq (51%), and Guatemala (61%).
• When looking purely at the quantity of leaked passwords, the following countries are at the top: Russia, with 2.9 billion passwords leaked since 2004; the United States — 1.8 billion; China — 915 million; Germany — 510 million; and France — 448 million.

Methodology and sources

We looked into data breach statistics globally that occurred between January 2004 and June 2023. The data was collected by our independent partners from 29,000 publicly available databases and aggregated by email addresses. This data was then anonymized and passed on to Surfshark’s researchers to perform a statistical analysis of their findings. This study looks into the ratio of unique leaked email addresses — compromised email addresses — and passwords. Countries with a population lower than 1M were excluded from the rankings. This does not significantly impact global statistics as they account for less than 1% of the worldwide population.

Data was collected from:

References: