Multiple collections of login credentials have exposed one of the largest data breaches in history, with approximately 16 billion credentials leaked. These data likely come from various types of infostealers used by cybercriminals.
This story, based on unique findings from Cybernews and published on June 18, is constantly updated. It includes clarifications and new details in response to public interest. The latest version features comments from Cybernews researcher Aras Nazarovas and Bob Diachenko, who uncovered this recent leak. We’ve also added some screenshots as proof.
Collecting sensitive data unnecessarily can be just as harmful as stealing it. Cybernews researchers found an enormous number of large datasets containing billions of login credentials. These come from a wide range of sources, including social media, corporate platforms, VPNs, and developer portals—all thoroughly examined.
Since the start of this year, our team has been closely monitoring the web. They have discovered 30 datasets exposed online, each containing from tens of millions up to over 3.5 billion records. All combined, the total number of exposed records hits roughly 16 billion.
Only one of these datasets had been reported before. In late May, Wired mentioned a security researcher who found a “mysterious database” with 184 million records. That is tiny compared to the other datasets uncovered. Most concerning, though, is that new large datasets appear every few weeks. This shows how common infostealer malware really is.
This isn’t just a leak; it could enable mass exploitation. With more than 16 billion login records exposed, cybercriminals gain access to a vast pool of personal credentials. These can be used for account hijacking, identity theft, or targeted phishing attacks. What is alarming is that these datasets are recent and well-structured. They are not just old breaches recycled. Instead, they offer fresh, usable information.
The good news is that all datasets were exposed only for a short time. Researchers found them quickly, but they didn’t stay accessible long enough for anyone to identify who controlled the data. Most of them were exposed through unsecured Elasticsearch or object storage servers.
Researchers say most of the data comes from different sources—malware stealers, credential stuffing, and leaks repackaged from other breaches. Comparing datasets is difficult, but overlaps are clear. It is impossible to tell exactly how many people or accounts were exposed.
What dataset exposed billions of credentials?
Still, the data collected shows a pattern. Most records follow a simple format: URL, login details, and passwords. This is standard for modern infostealers, which are designed to gather data in this way.
The datasets vary widely. The smallest one, named after malicious software, has over 16 million records. The largest one, related to Portuguese-speaking users, has over 3.5 billion records. On average, each dataset contains about 550 million records.
Some datasets have generic names like “logins” or “credentials,” making it harder to know what they include. Others reveal the service they relate to. For example, one dataset with over 455 million records is linked to Russia. Another, with over 60 million records, is connected to Telegram, a popular messaging app.
“The inclusion of both old and recent infostealer logs – often with tokens, cookies, and metadata – makes this data particularly dangerous for organizations lacking multi-factor authentication or credential hygiene practices,”
the team said.
No, Facebook, Google, and Apple passwords weren’t leaked. Or were they?
With a dataset containing 16 billion passwords, that’s equivalent to two leaked accounts for every person on the planet.
We don’t know how many duplicate records there are, as the leak comes from multiple datasets. However, some reporting by other media outlets can be quite misleading. Some claim that Facebook, Google, and Apple credentials were leaked. While we can’t completely dismiss such claims, we feel this is somewhat inaccurate.
“There was no centralized data breach at any of these companies,” Diachenko said when I asked him to clarify whether any of the datasets came from Facebook, Google, or Apple.
However, that doesn’t mean that none of the logins were breached and leaked to the dark web.
“Credentials we’ve seen in infostealer logs contained login URLs to Apple, Facebook, and Google login pages,” Diachenko said.
So, as mentioned above, this means that the leaked information opens the doors to pretty much any online service imaginable.
As per popular request, we are sharing a few screenshots as proof that such datasets exist. Below, you can see that they include URLs to Facebook, Google, GitHub, Zoom, Twitch, and other login pages.
16 billion passwords exposed: how to protect yourself
Huge datasets of passwords spill onto the dark web all the time, highlighting the need to change them regularly. This also demonstrates just how weak our passwords still are.
Last year, someone leaked the largest password compilation ever, with nearly ten billion unique passwords published online. Such leaks pose severe threats to people who are prone to reusing passwords.
- Even if you think you are immune to this or other leaks, go and reset your passwords just in case.
- Select strong, unique passwords that are not reused across multiple platforms.
- Enable multi-factor authentication (MFA) wherever possible.
- Closely monitor your accounts.
- Contact customer support in case of any suspicious activity.
For more daily updates, please visit our News Section.