Proton, the Swiss privacy and security company known for Proton Mail and Proton VPN, has revealed a shocking discovery: more than 300 million stolen credentials are currently being traded on dark web criminal marketplaces. Nearly half of these compromised records include actual passwords, exposing both individuals and organizations to escalating cyber risks in 2025.
The findings come from Proton’s newly launched Data Breach Observatory, a platform designed to monitor and analyze real-time data leaks circulating across the dark web. The report paints a grim picture of the growing global credential theft epidemic that continues to cripple businesses — particularly small and mid-sized firms — across sectors.

Small Businesses Hit the Hardest
Proton’s observatory identified 794 distinct breach incidents since January 2025. What’s particularly alarming is that small and medium-sized businesses (SMBs) suffered the brunt of the damage.
Companies with fewer than 250 employees made up 71% of all breaches, according to the report. Within this group, organizations with 10–49 and 50–249 employees together represented 48% of total breaches, while microbusinesses with fewer than 10 employees accounted for another 23%.
“Data breaches targeting online services are becoming increasingly common, with over a hundred million records already appearing on the dark web this year,” said Eamonn Maguire, Proton’s Director of Engineering for AI & ML.
The retail and wholesale sectors were the most targeted, comprising 25% of all known breaches, followed by technology companies at 15%.
The financial implications are severe. For smaller organizations, the average cost of a data breach ranges from $120,000 to $1.24 million, with extreme cases surpassing $3.3 million. The National Cybersecurity Institute warns that over 60% of small to mid-sized firms close permanently within six months of a cyberattack — underscoring just how devastating credential theft can be.

Credential Theft Reaches Record Highs
Proton’s findings coincide with a broader industry surge in credential theft. Research from Check Point shows a 160% year-over-year increase in credential-related breaches in 2025 alone.
According to the new Proton data, email addresses appear in 100% of exposed datasets, while names appear in 90%, contact details in 72%, and passwords in 49%.
This massive exposure is fueled by one persistent problem: password reuse. Proton’s analysis shows that 94% of compromised passwords were reused across multiple platforms.
Despite rising cybersecurity awareness, many users — especially younger ones — continue unsafe habits. In fact, 72% of Gen Z users admit to reusing passwords across accounts, compared to 42% of Baby Boomers. This creates a domino effect: once a single login is compromised, hackers can gain access to dozens of linked accounts.

Inside Proton’s Data Breach Observatory
Proton’s Data Breach Observatory operates in partnership with Constella Intelligence, a cybersecurity firm specializing in dark web intelligence. Unlike most breach databases that rely on voluntary reporting by affected organizations, Proton’s system collects data directly from underground criminal forums, offering near real-time insight into emerging threats.
The observatory continuously scans marketplaces where hackers trade, sell, or leak stolen datasets — often for cryptocurrency — to monitor newly posted credentials before they spread widely.
This proactive approach allows Proton to alert organizations earlier, sometimes even before they become aware of the compromise themselves. The platform’s goal is not just detection, but prevention, giving companies and consumers a chance to take protective action — such as resetting passwords, enforcing two-factor authentication, or tightening access control — before major damage occurs.
“Our mission is to bring transparency to the hidden layers of cybercrime and provide actionable intelligence,” Maguire added. “By illuminating what’s being sold on the dark web, we empower users and companies to respond faster.”

The Broader Implications
Proton’s revelations highlight a critical challenge for the digital world in 2025: the intersection of convenience, security, and privacy. As more individuals rely on cloud services, connected apps, and AI-driven platforms, credentials have become the new gold of the dark web — fueling identity theft, fraud, and ransomware attacks.
Experts emphasize that this surge in credential theft could have long-term ripple effects on trust in digital platforms, especially as attackers automate the exploitation process using AI-powered tools.
For Proton, the Data Breach Observatory is part of a broader effort to raise public awareness about cybersecurity and push for stronger data protection standards across industries.