The Largest Password Leak in History! China Launches National Login System, Apple Accelerates Passkey Adoption

GM,

Can you believe 2025 is already halfway over? Starting next week, Blocktrend will be taking its annual mid-year publishing break. That means four articles and two podcast episodes will be on pause—think of it like scheduled maintenance. Even though the car (my brain) still runs fine, we can’t wait until it breaks down on the side of the road to deal with it. So, this will be the final article for the first half of 2025.

Also, Etherfi recently released its referral leaderboard. Thanks to everyone who enthusiastically applied for the card through my link, I’ve skyrocketed to the top as the global referral champion—with nearly 400 successful referrals, far ahead of the second place. You can even see how much cashback I’ve earned so far—1% of the total spending by referred users. Whether I strike it rich now depends on how hard you all keep spending (just kidding… sort of).

Referral Leaderboard

Finally, the once-every-100-issues Blocktrend Lifetime Membership Upgrade Campaign is in its final countdown. It will officially close on June 26 at 24:00. This time, I noticed an interesting trend: most of the people upgrading to lifetime membership are free readers—jumping straight from NT$0 to the top-tier plan. I’d love to hear your reasons if you’re one of them—seriously curious 😂 For those who haven’t upgraded yet, no worries if you miss this round. We’re already at Issue #702, and #800 will be here before you know it.

Let’s get into it. This article combines three major recent developments into one discussion. We'll start with something that, unfortunately, no longer surprises anyone: another massive password leak.


Apple and Google Potentially Compromised

Yes—yet another data breach.

In recent days, global tech media have reported what’s being called “the largest data leak in history.” According to a report by Lithuania-based cybersecurity outlet Cybernews, over 16 billion login credentials have been leaked since the beginning of this year. The data allegedly includes credentials from Apple, Google, Facebook, Telegram, GitHub, and even various government entities. What’s more, these credentials are already packaged and being sold on the dark web at rock-bottom prices.

Over 16 Billion Login Credentials Leaked

Usernames and passwords are a form of login credentials. A leak of 16 billion sets means, on average, two sets per person globally. Considering that many people reuse the same login for multiple services, the actual scope of impact is likely far broader. The reason I included “allegedly” in the headline is because the authenticity of this breach has not yet been independently verified. Cybernews briefly released the raw data, but later chose not to keep it public. As a result, it’s extremely difficult for everyday users to confirm whether their own information was compromised.

The leaked data reportedly includes large quantities of sensitive information such as usernames, passwords, cookies, and more. While releasing such data could increase public trust in the report, it would also effectively hand the information over to malicious actors for free. Cybernews’ approach aligns with standard practices in global cybersecurity: raise awareness while minimizing potential harm.

It’s also important to note that the 16 billion leaked credentials didn’t come from a single massive breach. Instead, the number reflects a gradual accumulation over many years. One of the biggest contributors may be China. Just a few weeks ago, Cybernews uncovered the largest known data breach in Chinese history, involving over 4 billion data entries totaling 631 GB. The leak included WeChat and Alipay user credentials, financial information, and even residential addresses.

For readers in Taiwan, these headlines hit uncomfortably close to home. There's a good chance you and I are among those 16 billion records. Over the past few years, many websites have been phasing out password-only login systems, especially in the cryptocurrency space. Most crypto exchanges now require two-factor authentication (2FA) for deposits and withdrawals, aiming to prevent financial loss from compromised credentials.

Still, all these measures are ultimately just damage control. The real long-term solution is to move beyond passwords entirely. Recently, the Chinese government announced the official launch of its “National Login” system — a state-backed digital identity touted as a kind of bulletproof vest for personal information.

National Login Officially Launched

As early as 2023, the Chinese government began developing a real-name, decentralized digital identity system known as RealDID. At the time, I described it as “upgrading social login to national login.” Now, the system has officially gone live, and Chinese citizens can download the “National Cyber Identity Authentication App” to obtain a state-endorsed online identity.

According to China’s state media outlet CCTV Finance, the system adopts a dual-track design of “Net ID + Net Certificate,” which converts traditional ID card information into an encrypted digital credential. Take train ticket purchases as an example: currently, citizens must not only create an account and password, but also enter their mobile number and ID number for real-name verification. If the platform is hacked, all this information is at risk of being leaked.

With the launch of the National Login system, users can log in to ticketing websites with a single click, eliminating the need to set passwords or repeatedly verify their identity. The platform only needs to verify that the login request carries a valid signature from the user's private key (checked against the corresponding public key), so there is no need to collect or store personal data.

Officials claim this is like a “digital bodyguard” developed by the Ministry of Public Security, capable of reducing over 20 million instances of identity data exposure per day, and addressing cybersecurity threats caused by corporate data breaches.

China Launches National Login

From a technical perspective, upgrading traditional username-password logins to public-private key authentication is indeed a more secure approach. The “Net ID” functions like a wallet address that contains no personal information, while the “Net Certificate” is a digitally signed credential—linked to a private key stored on a user’s mobile device—that proves one’s identity online. It’s similar to how someone who can move coins from Satoshi Nakamoto’s wallet doesn’t need an ID to prove they’re Satoshi.

The National Login also effectively eliminates corporate-controlled social login, returning control of identity to just two parties: the state and the individual. The government holds the mapping between the Net ID and real identity, while individuals use their mobile phones to hold private keys and independently sign login requests. Even if a hacker were to breach the government’s database, all they would obtain is a lookup table—not enough to impersonate anyone. Cracking a billion phones’ private keys is virtually impossible and economically irrational.

This approach uses technology to seal off the possibility of large-scale data breaches. Personal data no longer leaves users’ devices, and companies no longer store any personal information—this significantly improves security.

However, from a privacy risk perspective, the concerns are equally clear. The National Login requires citizens to actively hand over their entire digital footprint—a system with very clear “Chinese characteristics.” Previously, individual platforms implemented their own sensitive-word detection systems, with the government managing online speech indirectly through these companies. But if most Chinese citizens switch to National Login, the Ministry of Public Security, as the sole owner of the mapping database, would be able to directly monitor every user’s activity online. In critical cases, revoking a certificate would be enough to make someone instantly disappear from the internet.

According to a report by CNN, Tsinghua University law professor Lao Dongyan posted on Weibo criticizing the system, saying it effectively places a surveillance device on everyone’s online behavior. The post was quickly deleted, and her account was suspended for three months for “violating relevant regulations.” Since then, no one has dared to openly criticize the system.

Outside of government efforts, tech companies are also actively working to replace traditional passwords with passkeys. One of the major highlights of Apple’s WWDC 2025 was showcasing the latest progress on passkey adoption, which will be rolled out in iOS 26 this fall. In the near future, passwords may be quietly phased out without users even noticing.


The Rise of Passkeys

Passkeys represent the lowest common denominator between Web2 and Web3. Just last week, Meta announced that passkeys would be implemented on Facebook. The Ether.fi Cash crypto payment card, which I’ve recommended, also defaults to using passkeys for signing transactions. Like National Login, passkeys also rely on public-private key mechanisms—but are so intuitive that even grandparents can use them. Passkey data is stored in your device’s password manager, and signing in is as simple as a facial scan or fingerprint tap. Every signature is unique and phishing-resistant. The older you are, the better it works. Once you try it, there’s no going back.

But the biggest challenge now is: how can we help the public transition away from passwords smoothly? At this year’s WWDC, Apple finally provided an answer. I see three major highlights:

  1. Passkeys prioritized in the registration process
  2. Automatic account upgrades to passkeys
  3. Secure import and export mechanisms

When registering for a new website or app, even with autofill, users typically go through multiple steps before completing the process. But in Apple’s new demo, if the system detects that the service supports passkeys, it will automatically populate the default username and email, enabling one-tap registration—shockingly fast!

Even more surprising is Apple’s approach for existing password-based accounts. They introduced a background API that automatically upgrades credentials to passkeys. As long as the website supports passkeys, the system will silently remove the old password, generate a passkey, and send a push notification. The entire process requires no user interaction. If the upgrade fails, there’s no alert—users can still log in with their password as usual. It’s a form of “gentle transition without disruption.”

Finally, one long-standing criticism of passkeys is that Apple uses them to lock users into its ecosystem—they’re device-bound and hard to transfer, making people reluctant to leave the iPhone. But this time, Apple introduced cross-platform migration support. Even if you switch to Android, you can securely move your passkeys using a new API. These three updates directly correspond to the three key user scenarios—signing up, daily usage, and device switching—paving the way for people to ditch passwords almost unconsciously.

The global consensus is clear: passwords must go. But a more pressing question remains—who should control our new digital identities? China hopes to take the lead, managing its citizens’ identities through a unified “National Login” system. The unspoken goal? Social stability. But not all governments operate like China. Taiwan’s Ministry of Digital Affairs has proposed a “Digital Wallet” that follows internationally recognized standards and a “no phone home” design—meaning no backdoor access—giving individuals true autonomy over their digital identity.

Meanwhile, tech giants like Apple use passkeys to retain users, binding digital identities to their native password managers. Meta, by contrast, has been slower to catch up—mainly because it lacks its own operating system and devices, making it difficult to offer a fully closed-loop ecosystem. While passkeys are now cross-platform and their lock-in effect is fading, most people don’t mind staying in the ecosystem they’re already in—as long as it’s convenient.

The Web3 community has long championed the principle of “not your key, not your coins.” At its core, it’s a call for reclaiming identity—identity should belong to the individual, not the government or corporations. As passwords fade and keys take the stage, different players are making their moves in this transitional moment. The real question is: Who will you trust with your keys—your government, a corporation, or yourself?

1 Taiwan's Ministry of Digital Affairs Proposes a Local DID Model: No New IDs Issued—Building Verifiable Identity Through Wallet-Based Credentials

2 Which Country Has the Best Digital Identity System? A Deep Dive Into the Privacy Tug-of-War Among Governments, Corporations, and Citizens — Featuring Ethereum Foundation Visiting Scholar Huang Douni
