In what may be the largest data leak ever recorded, about 16 billion users’ login credentials were leaked, according to security researchers. Reports suggest that the breach spans 30 separate datasets, each containing tens of millions to over 3.5 billion records. The leaked information includes URLs paired with usernames and passwords for a wide range of high-profile services like Apple, Google, Facebook, GitHub, Telegram, and even government portals.
Beware, the next wave of online crimes is coming
Discovered first by Cybernews and flagged by Forbes, the data shows that it isn’t just old, rehashed information; rather, it is more recent, neatly organized, and was likely stolen by a type of malware called an “infostealer,” which secretly collects usernames and passwords from infected devices.
Each entry is simple and includes a website link, a username, and a password, making it incredibly easy for hackers to use this information. Researchers warned that the data is “a blueprint for mass exploitation,” fueling personalized phishing, account takeovers, identity theft, and ransomware or business email compromise (BEC) attacks.
Immediate user actions recommended
Although the exposed datasets were only briefly accessible via unsecured servers or misconfigured cloud storage, it’s unclear whether and how cybercriminals obtained them. The infosteal malware is still active, and new datasets are surfacing every few weeks. As Cybernews puts it: “The next dataset may already be out there.”
Security experts are urging everyone to take action right away. They recommend using a password manager, avoiding the use of the same password on different websites, and turning on multi-factor authentication (MFA) or switching to passkeys for stronger protection. Keep an eye out for any signs that are likely to indicate that your accounts might be hacked. Experts have also warned that this leak could lead to more phishing scams and stolen accounts in the near future.
