What Information Do Authentication Breaches Expose

From cracked password hashes to stolen MFA seeds and decade-old security answers, here's the full inventory of what login breaches put in attackers' hands.

Authentication breaches expose the credentials that prove who you are online: usernames, email addresses, passwords (whether plaintext, hashed, or salted), session tokens, security questions and answers, API keys, and multi-factor authentication seeds. In many incidents, attackers also walk away with the supporting data tied to login systems — password reset tokens, phone numbers used for SMS verification, and recovery email addresses. The 2013 Yahoo breach, the largest authentication breach on record, exposed names, email addresses, dates of birth, hashed passwords, and unencrypted security questions for all three billion user accounts.

The damage rarely stops at a single account. Because roughly two-thirds of people reuse passwords across services, a credential set stolen from one site becomes a master key for others through credential stuffing attacks. When RockYou was breached in 2009, the 32 million plaintext passwords it leaked became a foundational wordlist that attackers still use today to crack hashed passwords from other breaches — a reminder that exposed authentication data has an unusually long shelf life.

What Specific Data Do Authentication Breaches Actually Expose?

The core payload of an authentication breach is the credential pair: a username or email address combined with a password. How dangerous that exposure is depends heavily on how the password was stored. Plaintext passwords, like those leaked in the RockYou incident, are immediately usable. Passwords hashed with weak algorithms like MD5 or SHA-1 without salting — as in the 2012 LinkedIn breach, where 117 million SHA-1 hashes were cracked at scale — offer only a speed bump. Passwords protected with modern algorithms like bcrypt or Argon2 can resist cracking for years, though weak passwords still fall quickly even under strong hashing.

Beyond the password itself, authentication databases typically store security questions and answers, which are often kept in plaintext even when passwords are hashed. Yahoo’s breach exposed unencrypted security questions, which is arguably worse than exposing hashed passwords: you can change a password in seconds, but you cannot change your mother’s maiden name or the street you grew up on. Those answers remain valid for account recovery on every other service that uses them. Session tokens and authentication cookies are a third category. The 2023 Okta support system breach showed how stolen session tokens let attackers impersonate logged-in users without ever needing a password, bypassing both the credential check and any multi-factor prompt.

Password Hashes and Why “Encrypted” Doesn’t Mean Safe

Companies frequently describe breached passwords as “encrypted” in disclosure notices, but in practice most are hashed — a one-way transformation that attackers can reverse through brute-force guessing. Modern GPU rigs can compute billions of MD5 hashes per second, meaning an unsalted MD5 database of common passwords can be substantially cracked within hours. The 2016 disclosure of the 2012 Dropbox breach illustrated the spectrum: about half the 68 million passwords were hashed with bcrypt and held up well, while the older half used salted SHA-1 and were far more vulnerable. The limitation users should understand is that hash strength only buys time, and only for strong passwords.

A password like “Summer2024!” will be cracked under any hashing scheme because attackers test common patterns first. Hashing also does nothing to protect the email addresses, usernames, and metadata stored alongside the password, which are nearly always in plaintext and immediately useful for phishing. There’s a second warning here: breach disclosures often arrive years late. LinkedIn initially reported 6.5 million affected accounts in 2012; the true figure of 117 million surfaced in 2016 when the data went up for sale. During that gap, anyone who hadn’t changed their password remained exposed without knowing it.
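To make the storage spectrum above concrete, here is an added example (not code from the original article) that stores the same weak password for two users first as an unsalted MD5 hash and then with a per-user random salt under scrypt, a memory-hard KDF available in Python's standard library. The `scrypt$salt$key` record format, the user names and the scrypt cost parameters are assumptions chosen for the demo. The audit helper shows the practical consequence: with unsalted hashes, every user who picked "Summer2024!" shares one identical stored value, so one cracked hash or one precomputed table unlocks all of them; with salts, each record must be attacked separately, which is the "time" that strong hashing buys.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import List, Optional

# Constructed demo data: two users who happen to pick the same weak password.
DEMO_PASSWORD = "Summer2024!"
DEMO_USERS = ["alice@example.test", "bob@example.test"]

# Assumed cost parameters: 128 * r * N = 16 MiB of memory per guess.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def store_unsalted_md5(password: str) -> str:
    """The weak end of the spectrum: one MD5 digest, no salt, no work factor."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_scrypt(password: str, salt: Optional[bytes] = None) -> str:
    """Modern storage: random per-user salt plus a memory-hard KDF.

    Record format "scrypt$<salt hex>$<key hex>" is a convention assumed for this demo.
    """
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify_scrypt(password: str, record: str) -> bool:
    """Recompute the key under the stored salt and compare in constant time."""
    algo, salt_hex, key_hex = record.split("$")
    if algo != "scrypt":
        return False
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def largest_hash_cluster(records: List[str]) -> int:
    """Audit helper: the largest number of users sharing one identical stored value.

    Any cluster larger than 1 means the store is unsalted, so cracking one hash
    (or consulting one precomputed table) unlocks every user in the cluster.
    """
    return max(Counter(records).values()) if records else 0


def demo() -> dict:
    """Store the demo password both ways and report what an auditor would see."""
    md5_records = [store_unsalted_md5(DEMO_PASSWORD) for _ in DEMO_USERS]
    scrypt_records = [store_scrypt(DEMO_PASSWORD) for _ in DEMO_USERS]
    return {
        "md5_cluster": largest_hash_cluster(md5_records),        # 2: identical hashes
        "scrypt_cluster": largest_hash_cluster(scrypt_records),  # 1: salts differ
        "scrypt_verifies": verify_scrypt(DEMO_PASSWORD, scrypt_records[0]),
        "scrypt_rejects_wrong": verify_scrypt("Summer2025!", scrypt_records[0]),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the salted record still protects nothing if the password itself is guessable: scrypt only raises the cost per guess, so "Summer2024!" falls to the first few thousand guesses either way. Pairing the KDF with a check against known-breached passwords is what closes that gap.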

Accounts Exposed in Major Authentication Breaches (millions of accounts)

Yahoo (2013): 3,000
LinkedIn (2012): 117
Dropbox (2012): 68
T-Mobile (2021): 40
RockYou (2009): 32

Source: Company disclosures and Have I Been Pwned

Multi-Factor Authentication Data Can Be Stolen Too

MFA is not immune to breach exposure. When Twilio was compromised in August 2022, attackers gained access to systems supporting its Authy two-factor authentication service, and the broader campaign (dubbed “0ktapus”) harvested one-time passcodes through phishing pages that relayed codes to attackers in real time. Authentication breaches can expose TOTP seed values — the shared secrets that generate the rotating six-digit codes — and a stolen seed lets an attacker generate valid codes indefinitely until the user re-enrolls.
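The following added example (written for this page, not code from the article or from any authenticator vendor) implements the standard HOTP/TOTP algorithm from RFC 4226 and RFC 6238 to show why the seed is the entire secret: a copy of the server's enrollment record produces exactly the codes the user's phone produces, and the only remediation is re-enrollment with a fresh seed. The seed value is the RFC test vector; the `enroll`, `verify` and `stolen_seed_demo` helpers and the 30-second step with a one-step window are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# RFC 4226/6238 reference seed (ASCII "12345678901234567890"); real apps use random seeds.
RFC_TEST_SEED = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(seed, unix_time // step, digits)


def enroll(seed: Optional[bytes] = None) -> Dict[str, bytes]:
    """Server-side enrollment record (assumed shape). The seed is the only secret in it."""
    return {"seed": seed if seed is not None else secrets.token_bytes(20)}


def verify(account: Dict[str, bytes], code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- window steps; constant-time compare."""
    counter = unix_time // STEP_SECONDS
    return any(hmac.compare_digest(hotp(account["seed"], counter + d), code)
               for d in range(-window, window + 1))


def stolen_seed_demo(unix_time: int = 1111111109) -> Dict[str, bool]:
    """Show that a copied seed is as good as the phone, and that re-enrollment ends it."""
    account = enroll(RFC_TEST_SEED)
    copy_of_seed = account["seed"]                 # what a breached auth database yields
    code_from_copy = totp(copy_of_seed, unix_time)  # computed without the user's phone
    before = verify(account, code_from_copy, unix_time)
    # Changing the password does nothing here; only a fresh seed invalidates the copy.
    account = enroll()
    after = verify(account, code_from_copy, unix_time)
    return {"copied_seed_verifies": before, "after_reenroll": after}


if __name__ == "__main__":
    print(totp(RFC_TEST_SEED, 59))   # RFC 6238 vector: 287082 (last six digits of 94287082)
    print(stolen_seed_demo())
```

The defensive lesson is about storage: TOTP seeds should sit in an encrypted column or a dedicated secrets store, never next to the password hashes in plaintext, and a breach response for MFA data is a forced re-enrollment, not a password reset.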

Phone numbers tied to SMS-based two-factor authentication are another commonly exposed asset. Once leaked, they enable SIM-swapping attacks, where an attacker convinces a carrier to port the victim’s number to a new SIM and intercepts verification codes. The 2021 T-Mobile breach exposed phone numbers alongside Social Security numbers for more than 40 million people, materially raising the SIM-swap risk for affected customers. This is a structural weakness of SMS-based MFA: the second factor depends on data that breaches routinely expose.

How to Assess Your Exposure After a Credential Breach

The practical first step is determining whether your credentials appear in known breach corpuses. Have I Been Pwned indexes more than 14 billion breached accounts and lets you search by email address or check a password against the Pwned Passwords database without transmitting the password itself (it uses k-anonymity hashing). Most major password managers — 1Password, Bitwarden, Apple’s iCloud Keychain — now run automated breach monitoring against similar datasets. The tradeoff to understand is between password rotation and password uniqueness.

Forced periodic rotation of passwords tends to produce weaker, pattern-based passwords (“Password1” becomes “Password2”), which is why NIST guidance since 2017 has recommended against scheduled rotation. Uniqueness matters far more: a unique random password confines a breach’s damage to one account, while a reused strong password spreads it everywhere. If you can only do one thing after a breach notice, change the exposed password anywhere you reused it — attackers run credential stuffing campaigns within days of a dump appearing, and Akamai has measured billions of stuffing attempts per month across its network. For accounts that support it, hardware security keys or passkeys remove the reusable secret entirely. There is nothing to crack in a breach because the server stores only a public key.
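The k-anonymity check mentioned above works as follows: the client hashes the password with SHA-1, sends only the first five hex characters of the digest, receives every hash suffix in that range together with a breach count, and finishes the match locally. Here is an added example (not code from the article or from Have I Been Pwned) that implements the client side against a constructed offline stand-in for the range endpoint; the `DemoRangeServer` class, its fake suffixes and the count of 12345 are constructed, and `fetch_range_http` is the live fetcher a practitioner would swap in.

```python
import hashlib
import hmac
import urllib.request
from typing import Callable, Dict, List, Tuple

PREFIX_LEN = 5  # the k-anonymity design: only these five hex characters leave the client


def split_sha1(password: str) -> Tuple[str, str]:
    """Upper-case SHA-1 of the password, split into the sent prefix and the kept suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in the corpus, 0 if it is absent.

    fetch_range(prefix) returns the range body: one "SUFFIX:COUNT" per line.
    The full hash and the password never leave this function.
    """
    prefix, suffix = split_sha1(password)
    for line in fetch_range(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and hmac.compare_digest(candidate.upper(), suffix):
            return int(count)
    return 0


def fetch_range_http(prefix: str) -> str:
    """Live fetcher for the public Pwned Passwords range endpoint (not used by demo())."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "breach-exposure-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


class DemoRangeServer:
    """Constructed stand-in for the API so the example runs offline; logs what it receives."""

    def __init__(self) -> None:
        self.requests: List[str] = []
        real_prefix, real_suffix = split_sha1("password")
        # Constructed range: two obviously fake suffixes plus the real one for "password".
        # The count 12345 is constructed; the real corpus reports a far larger number.
        self.ranges: Dict[str, str] = {
            real_prefix: "\r\n".join([
                "0" * (40 - PREFIX_LEN) + ":3",
                f"{real_suffix}:12345",
                "F" * (40 - PREFIX_LEN) + ":1",
            ]),
        }

    def __call__(self, prefix: str) -> str:
        self.requests.append(prefix)
        return self.ranges.get(prefix, "")


def demo() -> Dict[str, object]:
    """Check one known-breached and one unique password, and record what was sent."""
    server = DemoRangeServer()
    return {
        "password_count": pwned_count("password", server),
        "unique_count": pwned_count("3f9c-constructed-unique-passphrase", server),
        "sent_to_server": server.requests,   # five-character prefixes only
    }


if __name__ == "__main__":
    print(demo())
```

A registration or password-change handler can call `pwned_count(candidate, fetch_range_http)` and reject any non-zero result; because the server only ever sees a prefix shared by hundreds of other hashes, the check can run on the client or on a backend without the password itself becoming a new exposure.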

The Secondary Market for Stolen Credentials

Stolen authentication data doesn’t disappear after the initial breach — it gets aggregated, repackaged, and resold. “Combo lists” merge credentials from dozens of breaches into searchable databases; the 2021 “RockYou2021” compilation circulated 8.4 billion password entries, and the 2024 “RockYou2024” file pushed that close to 10 billion. Credentials sell cheaply: ordinary account logins go for a few dollars or less, while verified bank or crypto exchange credentials command $100 or more on dark web markets.

A warning that’s frequently overlooked: infostealer malware has become a major supplement to server-side breaches. Stealers like RedLine and Lumma harvest saved browser passwords, cookies, and session tokens directly from infected personal machines, then feed marketplaces with fresh, pre-validated credentials. This means your credentials can be “breached” even if no company you use was ever hacked. The 2024 Snowflake-related incidents, which affected customers including Ticketmaster and AT&T, traced back largely to credentials harvested by infostealers years earlier from accounts that lacked MFA — some of the credentials used were stolen as far back as 2020.

API Keys and Machine Credentials Are Part of the Blast Radius

Authentication breaches increasingly expose machine identities, not just human ones. The 2023 CircleCI breach forced thousands of companies to rotate API tokens, OAuth keys, and SSH keys that had been stored in the CI platform’s environment variables.

Unlike a user password, a leaked API key often carries broad programmatic access — read/write permissions to cloud storage, payment systems, or source code — and frequently lacks any second factor. GitHub’s secret scanning detected over 39 million leaked secrets in repositories during 2024 alone, most committed accidentally by developers.

Security Questions Outlive Every Other Exposed Credential

Of everything an authentication breach exposes, knowledge-based recovery answers age the worst. Yahoo’s 2013 breach leaked unencrypted security questions and answers; those same facts — first pet, birth city, high school mascot — remained usable for account recovery attacks on unrelated services more than a decade later.

The 2008 compromise of Sarah Palin’s Yahoo email account demonstrated the weakness early: the attacker reset her password using her birthdate, ZIP code, and where she met her spouse, all findable through public records and Wikipedia. Google research from 2015 found that attackers could guess answers to common security questions like “favorite food” within ten tries nearly 20% of the time for English speakers, which is why most major providers have since deprecated security questions in favor of recovery codes and secondary devices.

Frequently Asked Questions

Are hashed passwords safe if they’re exposed in a breach?

Not necessarily. Weak hashing (MD5, unsalted SHA-1) can be cracked at billions of guesses per second, and weak passwords fall even under strong hashing like bcrypt. Treat any exposed password as compromised.

Can attackers bypass two-factor authentication with breached data?

Yes, in several ways: stolen session tokens skip login entirely, leaked TOTP seeds generate valid codes, and exposed phone numbers enable SIM-swapping against SMS-based codes.

How do I find out if my credentials were exposed?

Search your email address on Have I Been Pwned, and use a password manager with built-in breach monitoring. Many services also notify users directly, though sometimes years after the fact.

Should I change all my passwords after a breach?

Change the breached password immediately, plus that same password anywhere you reused it. Unique passwords per site confine future breaches to a single account.

Why are security questions worse to expose than passwords?

Passwords can be changed in seconds; your mother’s maiden name and birth city cannot. Leaked answers remain valid for account recovery indefinitely across any service that uses them.
