16 billion passwords exposed in record-breaking data breach: what does it mean for you?


Several collections of login credentials reveal one of the largest data breaches in history, totaling a humongous 16 billion exposed login credentials. The data most likely originates from various infostealers.

This research, based on unique Cybernews findings and originally published on the website on June 18, is constantly being updated with clarifications and additional information in response to public discourse. The most recent version of the article features comments from Cybernews researcher Aras Nazarovas and Bob Diachenko who unveiled this recent data leak. We explained how hackers can use and exploit stolen passwords. We've also added a few screenshots as proof of the leak.

Holding onto huge amounts of sensitive data, even without any clear harmful intent, can be just as risky as flat-out stealing it. When the Cybernews research team took a closer look, they uncovered massive stashes of exposed information packed with billions of login details. Social media accounts, corporate tools, VPNs, developer platforms—you name it, it was in there. It really seemed like nothing had been left out.

Since the start of the year, our team has been keeping a close eye on what’s floating around online. So far, they’ve found 30 different exposed datasets, each containing anywhere from tens of millions to more than 3.5 billion records. Altogether, they uncovered an overwhelming 16 billion credentials.

Out of everything we found, just one of the datasets had been mentioned before. In late May, Wired reported on a researcher who stumbled upon a “mysterious database” with about 184 million records. That sounds like a lot, but it barely cracks the surface of what we uncovered. Even more concerning, researchers say new massive leaks are still surfacing every few weeks, which shows just how widespread and active infostealer malware really is.

A “mysterious database” with 184 million records. Screenshot by Bob Diachenko.

“This is not just a leak – it’s a blueprint for mass exploitation. With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing. What’s especially concerning is the structure and recency of these datasets – these aren’t just old breaches being recycled. This is fresh, weaponizable intelligence at scale,” researchers said.

The only silver lining here is that all of the datasets were exposed only briefly: long enough for researchers to uncover them, but not long enough to find who was controlling vast amounts of data. Most of the datasets were temporarily accessible through unsecured Elasticsearch or object storage instances.

What kind of records were leaked?

Researchers say most of the leaked data comes from a mix of infostealer malware, credential stuffing sets, and recycled old leaks.

There’s no reliable way to cross-check all the datasets, so there’s definitely some overlap. Bottom line is, we can’t know exactly how many unique accounts were exposed, but it’s likely a lot of the same data is showing up more than once.

However, the data the team managed to gather showed that most records followed a clear structure: a URL, followed by login details and a password. Most modern infostealers – malicious software that steals sensitive information – collect data in exactly this way.
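
As an added example (not code from Cybernews or from any tool the article describes), this is how a defender might triage records of that shape for hosts under their own domains while discarding the passwords. It assumes colon-delimited `URL:login:password` lines, which the article does not specify; the function names, sample lines and `example.com` hosts are constructed.

```javascript
// Added example: check "URL, login, password" records against domains you own.
// Assumption: colon-delimited fields; the article does not state the delimiter.

// scheme://host[:port][/path]:login:password
// Parsed left to right so that colons in the URL (scheme, port) and in the
// password do not shift the login field.
const RECORD =
  /^([a-z][a-z0-9+.-]*):\/\/([^\/:\s]+)(?::(\d{1,5})(?=[\/:]))?(\/[^:\s]*)?:([^:\s]+):(.*)$/i;

function parseRecord(line) {
  const m = RECORD.exec(line.trim());
  if (!m) return null;
  // The password (m[6]) is deliberately dropped: triage only needs to know
  // which account on which host must be reset.
  return { host: m[2].toLowerCase(), login: m[5] };
}

// True if host is the domain itself or a subdomain of it. The dot boundary
// keeps look-alikes such as "notexample.com" from matching "example.com".
function belongsTo(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Returns { accounts: { host: [logins] }, unparsed: n, ignored: n }.
function exposureFor(lines, ownedDomains) {
  const byHost = new Map();
  let unparsed = 0;
  let ignored = 0;
  for (const line of lines) {
    const rec = parseRecord(line);
    if (!rec) { unparsed++; continue; }
    if (!ownedDomains.some((d) => belongsTo(rec.host, d))) { ignored++; continue; }
    if (!byHost.has(rec.host)) byHost.set(rec.host, new Set());
    byHost.get(rec.host).add(rec.login); // the Set collapses duplicate records
  }
  const accounts = {};
  for (const host of [...byHost.keys()].sort()) {
    accounts[host] = [...byHost.get(host)].sort();
  }
  return { accounts, unparsed, ignored };
}

// Constructed sample records (not real data).
const SAMPLE = [
  'https://sso.example.com:8443/login:alice@example.com:Winter2024!',
  'https://vpn.example.com/remote/login:bob:pa:ss:word',
  'https://sso.example.com:8443/login:alice@example.com:Winter2024!',
  'https://example.com.attacker.test/login:carol:x',
  'https://notexample.com/:dave:y',
  'not a credential record',
];

console.log(JSON.stringify(exposureFor(SAMPLE, ['example.com']), null, 2));
```

The result lists each affected host with the logins that need a password reset and session revocation; overlap between datasets, which the article notes is likely, collapses into one entry per login.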

Billions of logins and passwords exposed in a massive data leak

The leaked data includes login info for just about every online service you can think of. We're talking Apple, Facebook, Google, GitHub, Telegram, and even government platforms. With 16 billion records floating around, it's safe to say almost nothing was left out.

Researchers say leaks this big can lead to all kinds of trouble, from phishing scams and account takeovers to ransomware attacks and business email compromise (BEC).

“The inclusion of both old and recent infostealer logs – often with tokens, cookies, and metadata – makes this data particularly dangerous for organizations lacking multi-factor authentication or credential hygiene practices,” the team said.

Which dataset exposed billions of passwords?

The team came across datasets of all different sizes. One of the smaller ones, named after a type of malware, had over 16 million records. The largest one, probably linked to Portuguese-speaking users, contained more than 3.5 billion. Overall, each batch of leaked credentials averaged about 550 million records.

Some of the datasets were named generically, such as “logins,” “credentials,” and similar terms, preventing the team from getting a better understanding of what they contain. Others, however, hinted at the services they’re related to.

For example, one dataset with over 455 million records was named to indicate its origins in the Russian Federation. Another dataset, with over 60 million records, was named after Telegram, a cloud-based instant messaging platform.

It’s hard to say exactly where the data came from just by looking at the names, but some of it appears to involve cloud services, business-related info, and even files that were previously locked. A few of the dataset names also hint at malware being used to gather the data.

No one really knows who put all this leaked information together. It might be security researchers collecting it to monitor breaches, but it’s almost certain that some of it came from cybercriminals. Hackers love having huge collections of stolen data because it makes it easier for them to launch phishing attacks, steal identities, and break into accounts.

A success rate of less than a percent can open doors to millions of individuals, who can be tricked into revealing more sensitive details, such as financial accounts. Worryingly, since it's unclear who owns the exposed datasets, there’s little users can do to protect themselves.

However, basic cyber hygiene is essential. Using a password manager to generate strong, unique passwords, and updating them regularly, can be the difference between a safe account and stolen details. Users should also review their systems for infostealers, to avoid losing their data to attackers.

Massive password leak
By Cybernews

Facebook, Google, and Apple passwords weren’t leaked. Or were they?

With a dataset containing 16 billion passwords, that’s equivalent to two leaked accounts for every person on the planet.

It’s hard to say exactly how many duplicates are floating around since the leak pulls from a bunch of different datasets. Some news stories have made it sound like Facebook, Google, and Apple logins were definitely part of the leak. While we can’t rule that out completely, we think those claims might be a bit overblown.

Bob Diachenko, a Cybernews contributor, cybersecurity researcher, and owner of SecurityDiscovery.com, is behind this recent major discovery.

“There was no centralized data breach at any of these companies,” Diachenko said when I asked him to clarify whether any of the datasets actually came from Facebook, Google, or Apple.

However, that doesn’t mean that none of the logins were breached and leaked to the dark web.

“Credentials we’ve seen in infostealer logs contained login URLs to Apple, Facebook, and Google login pages,” Diachenko said.

So, as mentioned above, this means that the leaked information opens the doors to pretty much any online service imaginable.

By popular request, we are sharing a few screenshots as proof that such datasets exist. Below, you can see that they actually include URLs to Facebook, Google, GitHub, Zoom, Twitch, and other login pages.

16 billion data leak proof
Screenshot by Cybernews.
GOAT data breach
By Cybernews

16 billion passwords exposed. By Cybernews

16-billion-record data breach signals a shift in the Dark Web market

According to Cybernews researcher Aras Nazarovas, this discovery might signal that criminals are abandoning previously popular methods of obtaining stolen data.

"The increased number of exposed infostealer datasets in the form of centralized, traditional databases, like the ones found by the Cybernews research team, may be a sign that cybercriminals are actively shifting from previously popular alternatives such as Telegram groups, which were previously the go-to place for obtaining data collected by infostealer malware," Nazarovas said.

He regularly works with exposed datasets, ensuring that defenders secure them before threat actors can access them.

Here’s what Nazarovas suggests you should do to protect yourself if your passwords were leaked.

"Some of the exposed datasets included information such as cookies and session tokens, which makes the mitigation of such exposure more difficult. These cookies can often be used to bypass 2FA methods, and not all services reset these cookies after changing the account password. Best bet in this case is to change your passwords, enable 2FA, if it is not yet enabled, closely monitor your accounts, and contact customer support if suspicious activity is detected."

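The point about cookies surviving a password change, shown from the server side as an added example (not from the article or any named service): each session records the account's credential version at login, and a password change bumps that version so cookies issued earlier stop validating. The in-memory store and all names are hypothetical.

```javascript
const crypto = require('crypto');

// Added example: in-memory account and session store (hypothetical names).
class SessionStore {
  constructor({ revokeOnPasswordChange }) {
    this.revoke = revokeOnPasswordChange;
    this.accounts = new Map(); // user -> { salt, hash, credVersion }
    this.sessions = new Map(); // cookie token -> { user, credVersion }
  }

  static hash(password, salt) {
    return crypto.scryptSync(password, salt, 32);
  }

  register(user, password) {
    const salt = crypto.randomBytes(16);
    this.accounts.set(user, { salt, hash: SessionStore.hash(password, salt), credVersion: 1 });
  }

  // Returns a session token (the cookie value) or null on bad credentials.
  login(user, password) {
    const acct = this.accounts.get(user);
    if (!acct) return null;
    const candidate = SessionStore.hash(password, acct.salt);
    if (!crypto.timingSafeEqual(candidate, acct.hash)) return null;
    const token = crypto.randomBytes(32).toString('hex');
    this.sessions.set(token, { user, credVersion: acct.credVersion });
    return token;
  }

  changePassword(user, newPassword) {
    const acct = this.accounts.get(user);
    acct.salt = crypto.randomBytes(16);
    acct.hash = SessionStore.hash(newPassword, acct.salt);
    // Hardened behaviour: bump the version so every cookie issued under the
    // old password fails validation, including copies taken by an infostealer.
    if (this.revoke) acct.credVersion += 1;
  }

  // Returns the user for a valid cookie, or null.
  validate(token) {
    const s = this.sessions.get(token);
    if (!s) return null;
    const acct = this.accounts.get(s.user);
    if (!acct || s.credVersion !== acct.credVersion) {
      this.sessions.delete(token);
      return null;
    }
    return s.user;
  }
}

// Same sequence against both configurations: a cookie is copied, then the user
// changes the password. Returns who the copied cookie still authenticates as.
function copiedCookieAfterReset(revokeOnPasswordChange) {
  const store = new SessionStore({ revokeOnPasswordChange });
  store.register('alice', 'old-password (constructed)');
  const copied = store.login('alice', 'old-password (constructed)');
  store.changePassword('alice', 'new-password (constructed)');
  return store.validate(copied);
}

console.log('without revocation:', copiedCookieAfterReset(false));
console.log('with revocation:', copiedCookieAfterReset(true));
```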

Billions of records exposed online: recent leaks involve WeChat, Alipay

Major data leaks, with billions of exposed records, have become nearly ubiquitous. Last week, Cybernews wrote about what is likely the biggest data leak to ever hit China, billions of documents with financial data, WeChat and Alipay details, as well as other sensitive personal data.

Last summer, the largest password compilation with nearly ten billion unique passwords, RockYou2024, was leaked on a popular hacking forum. In 2021, a similar compilation with over 8 billion records was leaked online.

In early 2024, the Cybernews research team discovered what is likely still the largest data leak ever: the Mother of All Breaches (MOAB), with a mind-boggling 26 billion records.

16 billion passwords exposed: know how to secure yourself

Huge datasets of passwords spill onto the dark web all the time, highlighting the need to change them regularly. This also demonstrates just how weak our passwords still are.

Last year, someone leaked the largest password compilation ever, with nearly ten billion unique passwords published online. Such leaks pose severe threats to people who are prone to reusing passwords.

  • Even if you think you are immune to this or other leaks, go and reset your passwords just in case.
  • Select strong, unique passwords that are not reused across multiple platforms.
  • Enable multi-factor authentication (MFA) wherever possible.
  • Closely monitor your accounts.
  • Contact customer support in case of any suspicious activity.

What can threat actors do with your passwords?

If your passwords ever get leaked, the damage can go way beyond just one account. Hackers can use that info to mess with your life in all kinds of ways. In the worst cases, they can even take over your digital identity. Once someone gets into your email, for example, they can reset passwords for other accounts and gain access to pretty much everything.

Here’s how that can play out:

Hold your account hostage.
A hacker can log in and lock you out by changing your password and recovery info. Sometimes, they’ll even demand money to give it back, all while using your account to send spam or do shady stuff without you noticing.

Use your identity for malicious activity.
If they get into your bank or anything personal, they can pretend to be you. That could mean emptying your accounts, making sketchy purchases, or digging into your private info.

Send convincing phishing messages to your contacts.
Using details from your accounts, hackers can put together emails or texts that look totally real. They might trick you—or your friends—into clicking a link or giving away even more info.

Attempt to use your password on other accounts.
If you have a habit of reusing passwords, they’ll try the same one on other sites. It’s called credential stuffing, and it works more often than you think.

Track your online activity.
If they gain access to your browser, email, or Google account, they can view your search history, track your habits, and learn even more about you.

Steal and sell your personal information.
Even if they don’t take over the account permanently, they can still grab whatever’s inside (documents, credit card info, personal notes, anything you’ve saved there) and attempt to sell it on the black market.

The Dark Web: what is it?

The Dark Web is a hidden corner of the internet that doesn’t show up in regular search engines like Google. You need special tools like the Tor browser to access it. Browsing the Dark Web itself isn’t illegal, but since it keeps users anonymous, it’s often linked to all kinds of shady activities.

When threat actors acquire data from breaches, things like usernames, passwords, credit card details, or even personal IDs sometimes end up on the Dark Web. Cybercriminals use it as a marketplace to buy, sell, or trade this stolen information. This makes the Dark Web a hotspot for identity theft, fraud, and attacks that try stolen passwords on multiple sites.

Because the Dark Web is hard for authorities to monitor, stolen data can keep circulating there long after the breach has happened. That’s why it’s so important to protect your accounts and keep an eye on where your information might be floating around.

Further community discussion

No, we didn’t expect the hype when we were writing the article. Data breaches and even the biggest-ever data leaks, unfortunately, have become somewhat mundane, and people don’t seem to care that much.

Media coverage of the leak. By Cybernews

These findings are interesting, though, for multiple reasons. First of all, the collection of datasets shows the scale of the problem — billions and billions of passwords and trillions of records, including very private medical, location, and financial data, spill online every day.

Is privacy dead?

Maybe not, but we certainly need to pressure companies holding our data to protect it properly. They often don’t, as we stumble upon treasure troves of “accidentally” unprotected data almost every day.

So we’re not exaggerating this — if anything, we aren’t doing enough as journalists and users to hold those companies accountable by putting them in the spotlight.

“Start holding the data holders accountable, and I bet these leaks and hacks start getting a lot less frequent. Now it only hurts whoever's PR if they get hacked, start making them fiscally responsible or criminally responsible, and they'll secure our info much better,” one Redditor said.

There’s another interesting aspect to this topic. It is a fact that all information comes from infostealers, an incredibly prevalent threat.

According to the Israeli cybersecurity firm Hudson Rock, when using infostealers, hackers don’t need to brute-force their way into networks. Instead, they wait for users to slip up and download malicious code in the form of pirated software, infected PDFs, a game mod, or other malware.

Infostealers then “exfiltrate everything,” including VPN credentials, authentication session cookies, email logins, internal development tools, stored documents, browsing history, and autofill data.

What are passkeys and how do they secure your accounts?

Passkeys are a newer, more secure way to log into your accounts, and they’re slowly replacing traditional passwords. Instead of remembering a string of letters and numbers, your device handles the login for you using a built-in security method. Behind the scenes, it uses two digital “keys”: one stays with the website or app, while the other is kept safely on your device. When it’s time to log in, your device confirms it has the matching key without actually sharing it. The whole process is quick, often done with a fingerprint or face scan, and it’s a lot harder for hackers to mess with.

Think of it like a secret handshake. The website knows its part of the handshake, and your phone knows the other part. When you try to log in, your phone does the handshake in the background. If it matches, you're in. If not, access is denied, and the best part is, no one else ever sees the handshake or can copy it.

Passkeys help fix a bunch of issues that make passwords such a hassle:

  • You can’t reuse them across sites, so one leak doesn’t put your other accounts at risk.
  • Passkeys are auto-generated, so they’re difficult to guess.
  • Since there’s nothing to type, phishing sites can’t trick you into handing anything over.
  • Even if a site gets hacked, the private part of your passkey stays on your device, untouched.
  • You don’t have to remember or manage anything, it all syncs across your devices quietly.
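
The "handshake" described above, as an added example (it is not WebAuthn itself and not code from any vendor): a simplified challenge-response using Node's built-in `crypto`, in which the site stores only a public key and the device signs a fresh challenge together with the origin it is talking to. The class names and the `example.com` origins are hypothetical.

```javascript
const crypto = require('crypto');

// Device side: one key pair per site; private keys never leave this object.
class Authenticator {
  constructor() { this.keys = new Map(); } // origin -> private key

  // Registration: create a key pair for this origin, hand back the public half.
  register(origin) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' });
  }

  // Login: sign the server's challenge bound to the origin actually visited.
  // Returns null when no passkey exists for that origin.
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null;
    const data = Buffer.concat([Buffer.from(origin + '\n'), challenge]);
    return crypto.sign('sha256', data, key);
  }
}

// Site side: stores public keys only, so a leaked user table cannot log in.
class RelyingParty {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map(); // user -> PEM public key
    this.pending = new Map();    // user -> outstanding challenge
  }

  enroll(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }

  newChallenge(user) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }

  verify(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // single use: a replayed signature fails
    const pem = this.publicKeys.get(user);
    if (!challenge || !pem || !signature) return false;
    const data = Buffer.concat([Buffer.from(this.origin + '\n'), challenge]);
    return crypto.verify('sha256', data, pem, signature);
  }
}

function demo() {
  const site = new RelyingParty('https://example.com');
  const phone = new Authenticator();
  site.enroll('alice', phone.register('https://example.com'));

  const sig = phone.sign('https://example.com', site.newChallenge('alice'));
  const genuine = site.verify('alice', sig);
  const replayed = site.verify('alice', sig); // challenge already consumed

  // A look-alike origin relays a real challenge; the device has no key for it.
  const phished = phone.sign('https://examp1e.com', site.newChallenge('alice'));
  return { genuine, replayed, phished, phishedAccepted: site.verify('alice', phished) };
}

console.log(demo());
```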

Big names like Apple, Google, and Microsoft are already on board, and it’s looking more and more like passkeys will become the new normal for logging in without the stress.

What are infostealers?

Infostealers are a type of malware that quietly sneaks onto your device and digs through your personal data. They don’t lock your screen or slow things down like some other threats. Instead, they stay hidden and pull out whatever they can find, things like saved passwords, autofill details, browser cookies, credit card numbers, and even access to crypto wallets.

These things usually end up on your device after clicking on something sketchy, downloading a fake program, or opening a shady email attachment. Once they’ve settled in, they move fast. Your data gets scooped up and sent off to whoever’s behind the attack, often without you ever knowing it happened. Some of them are clever enough to delete themselves afterward, so you might not even realize anything happened.

What makes it worse is how easy they are to get. Anyone can buy or rent an infostealer on dark web forums, no tech skills needed. Tools like RedLine, Raccoon, and Vidar are all over the place and have been used in some massive data breaches recently, including some tied to Snowflake in 2024 and 2025.

And they’re not just a problem for Windows users anymore. Some of these things are made to hit macOS and even Android devices too, so no one’s really off the hook.

Why should you care? Because once someone gets hold of your personal info, they can use it for all kinds of nasty stuff like phishing, stealing your identity, or just breaking into your accounts. And the worst part? Infostealers don’t make a lot of noise. They slip in, grab your data, and disappear before you even notice.

That’s why it’s a good idea to be careful with what you click or download, always have two-factor authentication on, and stick to a reliable password manager to protect your logins.

In our most recent podcast, we interviewed the world's #1 ethical hacker, founder of cybersecurity technology platform pentester.com, Ryan Montgomery. We spent a significant amount of time discussing infostealers, among other things. Tune in to learn more.

How to protect yourself from infostealing malware

To keep yourself safe from infostealers, it’s important to be proactive and take some simple but crucial precautions. A few smart habits and tools can go a long way in protecting your personal data and making it much harder for threat actors to get a hold of it.

  • Use a VPN when you’re on public Wi-Fi. It will help keep your connection secure and private.
  • Make sure your antivirus software is up to date so it can catch the latest threats.
  • Be careful about clicking on links or downloading attachments from emails or messages you weren’t expecting or don’t trust.
  • Keep your apps and operating systems updated on all devices since updates often include important security fixes.
  • Use strong and most importantly unique passwords for each one of your accounts.
  • Turn on two-factor authentication (2FA) whenever it’s available for an extra layer of authentication.
  • Only download apps and software from official stores or trusted websites to avoid fake or infected versions.

Follow these tips and you’ll make it a lot harder for attackers to steal your info. Staying cautious and keeping your devices secure is the best defense.

Recent updates

🟢 [06-20 09:37 GMT] Added expert insight from Bob Diachenko, who confirmed there was no centralized breach, but noted that credentials tied to services like Google and Facebook were found in the leak.

🟢 [06-20 12:42 GMT] Added a few screenshots as proof that the exposed data includes pathways to popular services, such as Facebook, Apple, GitHub, and Google, among others.

🟢 [06-20 14:00 GMT] Added another screenshot as proof. Updated with context information on how to protect yourself.

🟢 [06-20 15:06 GMT] Updated with additional information about infostealers and where to find more information and discussion on this topic.

🟢 [06-21 12:02 GMT] Updated with the FAQ section.

🟢 [06-23 07:23 GMT] Added a section explaining how hackers can exploit leaked passwords.

🟢 [06-23 13:10 GMT] Updated with a section explaining what the Dark Web is, helping readers better understand where leaked data often ends up after a breach.

🟢 [06-25 08:10 GMT] Updated with a section explaining how passkeys help with securing accounts.

🟢 [06-25 14:13 GMT] Added a section explaining what infostealers are, how they operate and why you should be wary of them.

🟢 [06-25 07:46 GMT] Updated the article with a section on how to protect yourself from infostealer malware.