UAE-based cybersecurity experts are urging companies to boost password security to stay ahead of emerging threats in every aspect of operations, following news over the weekend that more than 16 billion login credentials globally were found exposed.
The breach contains usernames and passwords from tech giants like Apple, Google, Facebook, Telegram, GitHub, and even some government websites, according to researchers at Cybernews, who said the findings were the result of an ongoing investigation that the team started early this year.
They warned: “With more than 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing. It is especially alarming that these aren’t just old breaches being recycled. This is fresh, weaponisable intelligence at scale.”
Speaking to Khaleej Times, Dubai-based cybersecurity expert Rayad Kamal Ayub said: “The gravity of this situation cannot be overstated. This is weaponising intelligence at scary scales for extortion.
“With such a significant number of login records compromised, the potential for abuse is immense. Cybercriminals can leverage these fresh datasets to orchestrate more sophisticated attacks, making it easier for them to impersonate individuals and gain access to sensitive information. The fact that these records are recent means that they reflect current user behaviours and trends, which can enhance the effectiveness of phishing attempts and other forms of exploitation,” added Ayub, who is also the managing director of Rayad Group.
Rayad Kamal Ayub. Photo: Supplied
Ayub said that although the UAE has achieved a top-tier classification in the Global Cybersecurity Index 2024, organisations are strongly advised to boost password security by using password managers, enforcing minimum length and complexity standards, and enabling multi-factor authentication. Companies should also regularly audit access controls, monitor for credential leaks, and adopt real-time detection solutions.
“It is advisable to hire professionals or cybersecurity companies to maintain databases and access control. Hospitals, banks and retailers should keep their data unencrypted and not put customers at risk,” added Ayub, who noted that ‘Ana’ appeared in 178.8 million instances in the data leak.
Joker, Batman, Thor, apple, rice used as passwords
Ayub said profane language also showed up in 165 million passwords, while a few of the frequently used pop culture terms in passwords included ‘Mario’ (9.6 million), ‘Joker’ (3.1 million), ‘Batman’ (3.9 million), and ‘Thor’ (6.2 million).
More than 10 million of the passwords featured ‘apple’, 4.9 million had ‘rice’, and 3.6 million ‘orange’, while 3.3 million opted for ‘pizza’.
Carolyn Duby, field CTO and cybersecurity GTM lead at Cloudera, noted: “Cybercrime is expected to cost the world $10.5 trillion by 2025, having already cost $9.5 trillion in 2024 alone.
“Attacks by ransomware now happen every 11 seconds, and the average cost of a data breach has increased to $4.88 million. Companies using automation and artificial intelligence (AI) in their security operations are saving $2.22 million on average for each breach.”
Carolyn Duby. Photo: Supplied
Duby underscored that “data is both a strategic asset and a prime target”. Protecting data at scale calls for intelligence, adaptability, trust, and an immediate call to action to avoid massive data breaches.
She recommended the first and most crucial step in protecting consumer trust is securing critical and personally identifiable information (PII). “All data is equal in the eyes of AI, and will be used blindly, unless proper parameters are set,” she underscored.
Detect, protect, defend, repeat
Louise Bou Rached, director–Middle East, Turkey, and Africa at Milestone Systems, reiterated: “Today, protecting the future of innovation, reputation, and digital freedom requires more than just preventing breaches.
“Companies must implement a layered, zero-trust strategy that goes beyond reactive defense and involves constant verification of each user, device, and application. Strong access controls, multi-factor authentication, endpoint security, and frequent security audits are all part of this,” she added.
Louise Bou Rached. Photo: Supplied
Maintaining basic cyber hygiene is essential. But more importantly, according to the cybersecurity experts, protecting companies from cyberthreats is a collective thrust.
“Cybersecurity is now a fundamental component of trust, resilience, and business continuity in today's hyperconnected world, not just an internal IT function,” Rached pointed out, underscoring: “Given that even the most sophisticated systems can be compromised with a single click, encouraging staff members through cybersecurity awareness training is equally crucial.”