Featured Article : Historic Global Leak : 16 Billion Logins Exposed

A massive trove of stolen usernames and passwords totalling 16 billion records has been discovered across 30 newly uncovered databases, revealing one of the largest and most dangerous credential breaches ever recorded.

Two Login Credentials for Every Person on Earth

Security researchers at Cybernews have uncovered an unprecedented cache of login data scattered across unsecured web databases. These exposed collections, some open to the internet only briefly, were mostly hosted on misconfigured Elasticsearch instances or cloud object storage services, making them accessible without authentication.

All but one of the 30 datasets involved in the breach had not been reported previously. Combined, they include roughly two login credentials for every person on Earth!

A Blueprint For Mass Exploitation

“This is not just a leak – it’s a blueprint for mass exploitation,” said the Cybernews team, who have been tracking the breach since early 2024. “The structure and recency of these datasets make them particularly dangerous.”

From Apple, Google, Facebook, and More

While large-scale data breaches have become disturbingly common, this incident stands out for the freshness of the data and the scope of what’s included. For example, Cybernews has reported that the breach includes login credentials drawn from a huge range of services including Apple, Google, Facebook, GitHub, Telegram, VPNs, and even government portals.

More Than Just Usernames and Passwords

The datasets primarily consist of credentials stolen by infostealers, i.e. a type of malicious software designed to extract sensitive information from infected computers. Once installed (often via phishing emails, fake software updates, or pirated software), infostealers scan the victim’s device for stored logins, cookies, authentication tokens, and autofill data. These details are then quietly sent back to attackers’ servers.

Cybernews reports that in most cases the stolen data follows a familiar structure: the website URL, the username or email address, and the associated password. Some records are reported to include extra metadata, such as session cookies or two-factor authentication tokens, which can significantly help attackers bypass security protections.

Cybernews estimates that some overlap exists between datasets, but even conservative estimates suggest billions of distinct login records are involved. The largest single collection, linked to a Portuguese-speaking population, holds over 3.5 billion records. Others are named generically (such as “logins” or “credentials”) while some reference specific services like Telegram or locations such as the Russian Federation.

Who’s Behind It and Who’s Affected?

The origin of these leaked datasets remains murky. Some may have been compiled by cybercriminals intent on launching mass-scale phishing or credential stuffing attacks; others could belong to grey-hat researchers aggregating leaked data for academic or threat intelligence purposes. The absence of clear attribution, however, makes them no less dangerous.

Cybersecurity experts have warned that even if only a fraction of the 16 billion records are actively exploited, the consequences could be severe. Identity theft, business email compromise (BEC), unauthorised access to cloud services, ransomware attacks, and financial fraud are all plausible next steps.

A significant concern is that many users still reuse the same password across multiple sites (known as ‘password sharing’). Attackers often employ credential stuffing, a tactic that involves testing stolen username/password pairs against a wide range of sites, hoping users have reused credentials elsewhere.

The impact is unlikely to be limited to individual consumers. Businesses, particularly those lacking multi-factor authentication (MFA) or modern password management practices, are at risk of full-scale account takeovers, which in turn could lead to data theft, service disruption, or reputational damage.

What Tech Companies and Security Experts Are Saying

So far, most affected companies have not issued individual statements, probably because the breach is not tied to a specific platform or service – the leak is an aggregation of credentials siphoned off via malware over time.

However, the Cybernews team and other researchers have voiced serious concern. “Credential leaks at this scale are fuel for phishing campaigns, ransomware intrusions, and business email compromise,” the team said in its public briefing. “The inclusion of both old and recent infostealer logs – often with tokens, cookies, and metadata – makes this data particularly dangerous for organisations lacking multi-factor authentication or credential hygiene practices.”

Security vendor Malwarebytes described the incident as “a wake-up call” for both users and companies. “This is a stark reminder that infostealer malware remains an enormous threat and that misconfigured cloud services continue to expose sensitive data at scale.”

More of a ‘Combolist’

Some experts have cautioned against treating the breach as a single event, noting that it is better understood as a massive combolist, i.e., a curated aggregation of multiple smaller leaks. Even so, the potential for harm remains high.

Why This Breach Is Different and What Comes Next

Unlike older breaches, which often contain outdated or previously exposed data, these records are mostly new. Only one of the 30 datasets had been reported before (a 184 million-entry trove covered by Wired in May). The rest have emerged only recently, some in the last few weeks, suggesting that infostealer activity is ongoing and highly active.

Not Indexed Yet

Compounding the risk, so soon after the discovery, is the lack of visibility. Many of the exposed credentials have not yet been indexed by breach monitoring services or browser alert systems, so users are not being automatically notified if their details are among those leaked.

Also, because the databases were reportedly only briefly exposed, researchers say they could not determine who held or uploaded the data, nor whether it has already been downloaded or traded on criminal forums.

What Should Users and Businesses Do Now?

For individual users, the recommendations are fairly straightforward but urgent, and they echo most of the standard security good practice that follows a breach. For example:

– Immediately change passwords on any accounts using duplicated or weak credentials.

– Use a password manager to generate and store complex, unique passwords for every service.

– Enable multi-factor authentication (MFA) wherever possible.

– Monitor for phishing emails or unusual account activity, especially logins from unfamiliar locations or devices.

– Run antivirus and anti-malware tools to scan for potential infostealers on your system.

For businesses, the stakes are higher. Implementing stronger access controls, requiring MFA across all services, and deploying endpoint detection tools are worthwhile steps. Regular audits of privileged access accounts, secure cloud configurations, and employee training on phishing threats are also essential.

Experts also recommend checking employee and corporate credentials against breach monitoring services such as Have I Been Pwned or Cybernews’ Leaked Database Checker.
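Checks like the one recommended above can be done without handing the secret to a third party. The Have I Been Pwned Pwned Passwords range API uses a k-anonymity scheme: the client sends only the first five hex characters of the password's SHA-1 and matches the remaining 35 locally. The code below is an added example written for this article, not code from HIBP or Cybernews; the live fetcher targets the real endpoint, while the constructed stand-in (with made-up passwords and counts) lets it run offline.

```python
import hashlib

def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range_response(body):
    """Parse the 'SUFFIX:COUNT' lines returned by the Pwned Passwords range endpoint."""
    counts = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if suffix and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password, fetch_range):
    """Return how often `password` appears in the corpus (0 if never seen).
    Only the 5-char prefix leaves this host; the suffix match happens locally."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

# Constructed stand-in for the network call: a tiny offline corpus with made-up counts.
_CONSTRUCTED_CORPUS = {"password123": 123456, "letmein": 789}

def constructed_fetch_range(prefix):
    # Same 'SUFFIX:COUNT' shape as the real response, restricted to this prefix.
    lines = [f"{sha1_upper(p)[5:]}:{n}" for p, n in _CONSTRUCTED_CORPUS.items()
             if sha1_upper(p)[:5] == prefix]
    # A constructed non-matching suffix, to show unrelated lines are ignored.
    lines.append("0000000000000000000000000000000000A:0")
    return "\r\n".join(lines)

def live_fetch_range(prefix):
    """Real call (network required): GET https://api.pwnedpasswords.com/range/<prefix>."""
    from urllib.request import Request, urlopen
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"User-Agent": "pw-check-example"})  # the API requires a User-Agent
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")
```

Swap `constructed_fetch_range` for `live_fetch_range` to query the real service; a non-zero count means the password has appeared in known breach corpora and should be rotated.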

Could Big Tech Be Doing More?

Looking at where many of these stolen credentials came from, it’s perhaps not surprising that there is growing pressure on tech platforms to go beyond offering MFA as an optional feature. Some experts are calling for default-on MFA policies, improved session token management, and better user alerts for credential misuse. Others suggest that browser makers could more aggressively warn users about unsafe passwords, even when stored locally.

Cloud service providers also face scrutiny. Misconfigured storage services remain a recurring source of data exposure, and security researchers have long warned that businesses often fail to understand the shared responsibility model of cloud hosting, under which the burden of securing customer data falls on the organisation using the service, not on the cloud provider itself.

Combined for Weaponisation

This breach essentially demonstrates how aggregated, seemingly disparate data leaks can combine to form a vast, weaponisable archive of credentials. Also, without rapid, coordinated responses from users, businesses, and tech providers alike, the consequences may stretch far beyond compromised passwords.

What Does This Mean For Your Business?

The sheer scale and structure of this breach underline how fragile the global system of digital identity has become. With 16 billion credentials exposed, many of them recent, unrecycled, and complete with cookies and tokens, the barrier to entry for cybercriminals appears to have been lowered dramatically. This isn’t just an escalation in volume; it’s a shift in the quality and usability of stolen data. For attackers, this is a ready-made toolkit for highly convincing phishing, large-scale account takeover attempts, and social engineering operations that could target everyone from individual users to senior staff within high-profile organisations.

For UK businesses, the risks are not theoretical. Any organisation with staff using shared or recycled passwords, without enforced multi-factor authentication, could find themselves an easy target. For example, compromised employee accounts can quickly open doors to sensitive systems, intellectual property, financial accounts or customer data. The consequences are likely to include financial loss, regulatory penalties, and long-term reputational damage. This is especially pressing for sectors handling critical infrastructure or customer data, such as healthcare, education, local government and law firms.

The fact that so many of the datasets were discovered in misconfigured online storage shows how easily even vast amounts of sensitive information can be left vulnerable. This again raises questions about internal security practices, not just among cybercriminals, but among businesses and developers failing to properly secure cloud environments. As more breaches emerge from poor cloud hygiene, regulators may well move to demand greater accountability and oversight from cloud service providers and their clients.

For security professionals and digital privacy advocates, this breach reinforces the need to accelerate the move away from passwords altogether. Passkey adoption, hardware-based authentication, and biometric alternatives are already gaining traction, but the pace remains slow. Meanwhile, tools such as credential stuffing bots and AI-enhanced phishing make password-only systems increasingly outdated and risky.

The discovery also points to a deeper issue around breach notification and public awareness. Because these credentials were collected silently through infostealers and surfaced only when aggregated by researchers, the victims (both users and the platforms their data was stolen from) may have no idea they were compromised. With no clear breach event to attribute, many companies are, therefore, unlikely to report or even detect the loss. This leaves users exposed and unprepared, and it puts the onus on breach checkers and independent researchers to close the gap.

This incident serves as a stark reminder that security needs to be proactive, not reactive. Businesses should no longer view breaches as isolated events but as part of an ongoing data extraction economy that thrives on delay, misconfiguration and user complacency. Whether you’re a multinational tech firm, a regional employer, or an individual internet user, the threat landscape has shifted again, and this time the scale is difficult to ignore.