A new report has uncovered a staggering 16 billion login credentials from major platforms, including Apple, Facebook, Google, GitHub, Telegram, and government services.
The massive leak, discovered through 30 separate datasets, represents an unprecedented threat to global cybersecurity and digital privacy.
The exposed datasets vary dramatically in size, with the smallest containing over 16 million records and the largest housing more than 3.5 billion credentials.
On average, each dataset contained approximately 550 million records, creating what researchers describe as “a blueprint for mass exploitation.”
The data structure follows a consistent pattern typical of infostealer malware, consisting of URL, username, and password combinations, often accompanied by authentication tokens, session cookies, and metadata.
Most datasets were temporarily accessible through unsecured Elasticsearch instances and object storage configurations before being secured, Cybernews stated.
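The URL, username and password layout described above is what a defender receives when checking whether their own accounts appear in such a dump. The following parser is an added example, not code from the report or from Cybernews; it assumes the `:` or `|` separators common in infostealer logs, handles hosts that carry a port (which breaks a naive split on `:`), deduplicates repeated records, and reports only the affected usernames for a set of watched domains, never the passwords.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records in the URL:username:password layout described in
# the article; every domain, name and password here is made up.
SAMPLE_LINES = """\
https://mail.example.com/login:alice@example.com:Winter2024!
https://accounts.example.com/:bob:hunter2
https://shop.unrelated.org/signin:carol:pass123
http://intranet.example.com:8080/auth|dave|Qw:erty!1
https://mail.example.com/login:alice@example.com:Winter2024!
this line has no usable separators
"""

# Matches the URL part only; the host may carry a port, so the URL cannot be
# recovered by splitting the whole line on ':'.
_URL_RE = re.compile(r"^(https?://[^\s/:|]+(?::\d+)?(?:/[^\s:|]*)?)")


def parse_record(line):
    """Return (host, username, password) or None for an unparsable line."""
    line = line.strip()
    m = _URL_RE.match(line)
    if not m:
        return None
    rest = line[m.end():]
    if len(rest) < 3 or rest[0] not in ":|":
        return None
    sep = rest[0]
    user, _, password = rest[1:].partition(sep)  # password may itself contain sep
    if not user or not password:
        return None
    return urlsplit(m.group(1)).hostname.lower(), user, password


def exposed_accounts(lines, watched_domains):
    """Map each watched domain to the set of usernames seen in the dump for it.

    Passwords are deliberately not carried into the result: the defender only
    needs to know which accounts to reset and which sessions to revoke.
    """
    hits = defaultdict(set)
    seen = set()
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec in seen:  # skip junk and exact duplicates
            continue
        seen.add(rec)
        host, user, _ = rec
        for domain in watched_domains:
            if host == domain or host.endswith("." + domain):
                hits[domain].add(user)
    return dict(hits)
```

Calling `exposed_accounts(SAMPLE_LINES.splitlines(), {"example.com"})` on the constructed sample yields the three example.com accounts that need a reset and session revocation.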
Leaked from 320 Million Computers, but Not a New One!
Regarding this report, Alon Gal, CTO at Hudson Rock, added in a post that an average infected computer holds around 50 sets of credentials. Taken at face value, 16 billion credentials would therefore imply that 320 million computers have been infected by infostealers. However, that figure does not hold up, however the numbers are interpreted.
“The leak is likely the result of a combination of legacy Infostealer credentials, data from older database leaks, and fabricated entries, similar to the ALIEN TXTBASE leak. For instance, the leaked information could include actual lines with slight variations in passwords or logins that can be used for brute-force attacks,” he added.
Some datasets were named generically as “logins” or “credentials,” while others bore specific geographical or service-related identifiers, including one with over 455 million records linked to Russian Federation origins and another containing 60 million Telegram-related credentials.
The exposed data creates significant opportunities for credential stuffing attacks, account takeover schemes, and business email compromise (BEC) operations.
It appears that the breaches in question are not recent developments; rather, the individual parts have been available on the dark web for an extended period. These parts were later aggregated into compilations and subsequently exposed on the internet.
Cybercriminals can leverage these massive datasets to execute phishing campaigns with unprecedented precision, using legitimate login credentials to bypass basic security measures.
The presence of authentication tokens and session cookies in many records amplifies the threat, potentially enabling immediate access to active user sessions without requiring password verification.
The structured nature of the data makes it particularly valuable for ransomware intrusions and identity theft operations.
Even at a success rate below one percent, credential stuffing with this many records would still affect millions of users, so the scale of this exposure represents a fundamental shift in the cyberthreat landscape.
Organizations lacking robust multi-factor authentication (MFA) implementations and comprehensive credential hygiene practices face a higher risk of compromise.
It is recommended to implement strong password policies, rotate credentials frequently, and conduct comprehensive system scans for infostealer malware.
Users should enable multi-factor authentication (MFA) across all accounts and monitor for suspicious activity indicators. Organizations must prioritize endpoint detection and response (EDR) solutions to identify and neutralize infostealer infections before credentials can be harvested.
This breach highlights the crucial importance of proactive cybersecurity measures in an era where credential theft has become increasingly industrialized.
As new massive datasets continue emerging every few weeks, the cybersecurity community faces an ongoing challenge to protect against increasingly sophisticated and large-scale credential harvesting operations.
How to Protect Yourself
Lock Down Your Devices: Infostealers sneak in through outdated software or poorly protected devices. Use tools like Microsoft Defender or CrowdStrike to spot and stop shady activity, such as keylogging or password theft.
Keep all your systems, apps, and firmware updated with the latest patches to plug security holes. Also, set up application whitelisting to block unauthorized programs and turn off Office macros unless you really need them.
Beef Up Logins: Infostealers love stealing passwords to dig deeper into your systems. Make multi-factor authentication (MFA) a must for all accounts, especially important ones like admin or VPN access. Use strong, unique passwords with a password manager and limit who can access sensitive stuff. If a leak happens, reset passwords, kill active sessions, and watch for weird login attempts using tools like Splunk.
Watch Your Network: Infostealers send stolen data over the internet. Use firewalls, intrusion detection, and data loss prevention (DLP) tools like Symantec to catch and block unauthorized transfers. DNS filtering and network segmentation can stop malware from phoning home or spreading.
Stay Ready to Respond: Spot threats fast with SIEM and behavior analytics. If hit, investigate with tools like Volatility, isolate infected devices, and restore from clean backups. Have a NIST-aligned response plan and test it regularly.
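The advice above to watch for unusual login attempts, together with the earlier point that even a sub-one-percent success rate matters at this scale, translates into a simple detection: one source address trying many different usernames in a short window. The following detector is an added example, not from the article or any vendor; it assumes a constructed `src=… user=… result=…` log format and a five-minute window, and it reports the successful logins inside a flagged burst, since those are the accounts to reset and whose sessions to revoke.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (format and addresses are made up):
# one source tries many different usernames, almost all failing, with a single
# success among them; a normal user has a couple of typos before logging in.
SAMPLE_LOG = """\
2025-06-20T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2025-06-20T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2025-06-20T10:00:02Z src=203.0.113.7 user=carol result=FAIL
2025-06-20T10:00:03Z src=203.0.113.7 user=dave result=FAIL
2025-06-20T10:00:04Z src=203.0.113.7 user=erin result=SUCCESS
2025-06-20T10:00:05Z src=203.0.113.7 user=frank result=FAIL
2025-06-20T10:00:10Z src=198.51.100.4 user=grace result=FAIL
2025-06-20T10:00:15Z src=198.51.100.4 user=grace result=FAIL
2025-06-20T10:00:20Z src=198.51.100.4 user=grace result=SUCCESS
"""

_LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<res>\S+)$")


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5):
    """Return {src: {"distinct_users": n, "successes": [users]}} for every source
    that attempted at least `min_users` different accounts within `window`.

    Credential stuffing looks like many distinct usernames from one source, not
    many attempts against one username, so the count is of users, not attempts.
    """
    recent = defaultdict(deque)   # src -> deque of (timestamp, user, result)
    alerts = {}
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        q = recent[m["src"]]
        q.append((ts, m["user"], m["res"]))
        while q and ts - q[0][0] > window:   # drop events outside the window
            q.popleft()
        users = {u for _, u, _ in q}
        if len(users) >= min_users:
            # Successes inside a flagged window are the accounts that need a
            # reset and session revocation, however tiny the success rate.
            succ = sorted({u for _, u, r in q if r == "SUCCESS"})
            alerts[m["src"]] = {"distinct_users": len(users), "successes": succ}
    return alerts
```

On the constructed log, only 203.0.113.7 is flagged, with erin's successful login singled out; grace's repeated failures from 198.51.100.4 are a single account and stay below the threshold.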