Security researchers have uncovered what appears to be one of the largest data breaches in history, with 16 billion login credentials exposed across multiple datasets linked to information-stealing malware operations.
The Cybernews research team discovered 30 separate datasets containing credential information ranging from tens of millions to over 3.5 billion records each.
The exposed data spans platforms from social media sites and corporate systems to VPN services and developer portals, according to the researchers' findings.
Most of the datasets had not been previously reported, with only one exception: a database containing 184 million records that Wired magazine identified in late May. That breach represents a fraction of the total exposure documented by the research team, with the confirmed total now reaching 16 billion compromised records, making it the largest password leak in history.
The datasets were accessible through unsecured Elasticsearch and object storage instances, though researchers say the exposure windows were brief. New massive collections continue to emerge every few weeks, highlighting how widespread credential-stealing malware has become.
Experts say the nature of the exposed data makes this breach far more dangerous than previous incidents.
"This is not just a leak—it's a blueprint for mass exploitation," researchers told Forbes. "With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing. What's especially concerning is the structure and recency of these datasets—these aren't just old breaches being recycled. This is fresh, weaponizable intelligence at scale."
The exposed information follows a consistent pattern typical of infostealer malware: website URLs paired with usernames and passwords. The compromised accounts span major platforms including Apple, Facebook, Google, GitHub, Telegram, and various government services.
Dataset sizes varied significantly, from the smallest containing over 16 million records to the largest with more than 3.5 billion entries. The average dataset contained approximately 550 million records. Some collections appeared to target specific regions or languages, with one large dataset apparently focused on Portuguese-speaking users and another indicating Russian origins.
Due to overlapping records across datasets, researchers cannot determine the exact number of unique individuals or accounts affected. The data appears to combine information from stealer malware, credential stuffing operations and repackaged previous breaches.
"The inclusion of both old and recent infostealer logs—often with tokens, cookies, and metadata—makes this data particularly dangerous for organizations lacking multi-factor authentication or credential hygiene practices," the research team said.
Independent confirmations by Forbes and The Independent have verified the severity and scope of the leak, citing the same 30 datasets and a total of 16 billion compromised credentials.
Unlike previous leaks that compiled older breach data, the vast majority of these credentials had not been reported before.
Researchers emphasized that the credentials are not limited to outdated platforms or obscure sites. Instead, they contain login information for “pretty much any online service imaginable,” including Apple, Facebook, Google, GitHub, Telegram, and government systems.
The exposed data is structured and ready for use in phishing attacks, account takeovers, ransomware, and business email compromise (BEC) operations.
While the researchers have not identified any individual or group responsible for the leak, the unprecedented scale and political timing of the breach have triggered a wave of speculation across cybersecurity circles and online forums.
Researchers at Cybernews have not attributed the breach to any state or criminal group, emphasizing that the available datasets contain signs of both stealer malware and credential repackaging. Until more forensic evidence is available, the true source of the breach remains unknown.
In an uncommon public response, Google has advised its global user base to update passwords immediately, especially where reused credentials may be in circulation. The FBI has issued SMS phishing alerts, warning U.S. citizens not to interact with suspicious messages or links.
These official responses reflect the magnitude of the exposure. While the databases were exposed only for a short period, the implications are long-lasting, particularly if malicious actors have already downloaded and redistributed the information.
Cybersecurity professionals are urging both individuals and organizations to take concrete steps. Darren Guccione, CEO of Keeper Security, warned that misconfigured cloud storage and the lack of privileged access control could expose sensitive data long before anyone notices. He called for the adoption of zero-trust security models, as well as dark web monitoring tools that can alert users if their credentials are circulating online.
“People need to remain vigilant and mindful of any attempts to steal login credentials,” Javvad Malik of KnowBe4 told Forbes. Experts recommend using unique, complex passwords, enabling multi-factor authentication, and switching to passkeys where supported.
According to Guccione, consumers can no longer rely on basic password practices: “The fact that the credentials in question are of high value for widely used services carries with it far-reaching implications.”
The identity of those controlling the exposed datasets remains unknown. While some collections could belong to security researchers monitoring data breaches, investigators believe cybercriminals likely control at least some of the information.
The scale of the exposure enables various attack methods, including phishing campaigns, account takeovers, ransomware operations and business email compromise schemes. Even low success rates could affect millions of users when applied to datasets of this magnitude.
Security experts recommend that users implement strong, frequently updated passwords and enable multi-factor authentication where available. Organizations should also scan systems for infostealer malware that could compromise employee credentials.
The discovery underscores the growing threat posed by credential-stealing malware and the massive underground economy built around harvested login information.