
16 billion credentials from Apple, Google, Facebook, Telegram compromised

Hooded figure works at multiple computer screens displaying code and data in a cybersecurity or hacking scenario, accessed on June 19, 2025. (Adobe Stock Photo)
June 19, 2025 07:36 PM GMT+03:00

Security researchers have uncovered what appears to be one of the largest data breaches in history, with 16 billion login credentials exposed across multiple datasets linked to information-stealing malware operations.

Researchers discover 30 datasets with billions of stolen credentials

The Cybernews research team discovered 30 separate datasets containing credential information ranging from tens of millions to over 3.5 billion records each. The exposed data spans platforms from social media sites and corporate systems to VPN services and developer portals, according to the researchers' findings.

Most of the datasets had not been previously reported, with only one exception: a database containing 184 million records that Wired magazine identified in late May. That breach represents a fraction of the total exposure documented by the research team.

The datasets were accessible through unsecured Elasticsearch and object storage instances, though researchers say the exposure windows were brief. New massive collections continue to emerge every few weeks, highlighting the prevalence of credential-stealing malware operations.

Exposed data creates blueprint for mass cyberattacks

"This is not just a leak – it's a blueprint for mass exploitation," researchers said. "With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing. What's especially concerning is the structure and recency of these datasets – these aren't just old breaches being recycled. This is fresh, weaponizable intelligence at scale."

The exposed information follows a consistent pattern typical of infostealer malware: website URLs paired with usernames and passwords. The compromised accounts span major platforms including Apple, Facebook, Google, GitHub, Telegram and various government services.

Dataset sizes vary dramatically across different regions and platforms

Dataset sizes varied significantly, from the smallest containing over 16 million records to the largest with more than 3.5 billion entries. The average dataset contained approximately 550 million records. Some collections appeared to target specific regions or languages, with one large dataset apparently focused on Portuguese-speaking users and another indicating Russian origins.

Due to overlapping records across datasets, researchers cannot determine the exact number of unique individuals or accounts affected. The data appears to combine information from stealer malware, credential stuffing operations and repackaged previous breaches.

"The inclusion of both old and recent infostealer logs – often with tokens, cookies, and metadata – makes this data particularly dangerous for organizations lacking multi-factor authentication or credential hygiene practices," the research team said.

Identity of data controllers remains unknown as threats multiply

The identity of those controlling the exposed datasets remains unknown. While some collections could belong to security researchers monitoring data breaches, investigators believe cybercriminals likely control at least some of the information.

The scale of the exposure enables various attack methods including phishing campaigns, account takeovers, ransomware operations and business email compromise schemes. Even low success rates could affect millions of users when applied to datasets of this magnitude.

Security experts recommend users implement strong, frequently updated passwords and enable multi-factor authentication where available. Organizations should also scan systems for infostealer malware that could compromise employee credentials.

The discovery underscores the growing threat posed by credential-stealing malware and the massive underground economy built around harvested login information.
