19 Billion Passwords Are Circulating. The Number Isn’t the Story

The article contends the sensational "19 billion passwords" headline largely reflects aggregated, duplicate data and infostealer-exfiltrated browser credentials rather than a single new breach. It advises CISOs to assume passwords are already compromised, prioritize phishing-resistant MFA (passkeys, FIDO2), deploy credential monitoring and login-time risk signals, stop relying on SMS OTP, and execute an incremental passwordless migration rather than mass forced resets.