Photo: GOCMEN / iStock / Getty Images
Around 16 billion passwords have been exposed in one of the largest data breaches ever, according to a report by Cybernews. The breach involves multiple datasets containing login credentials for platforms like Apple, Facebook, and Google. The data was reportedly collected from infostealer malware and credential stuffing sets, making it a significant threat for identity theft and fraud.
Cybernews researchers have been monitoring these datasets since early 2025, uncovering 30 different collections, each containing tens of millions to over 3.5 billion records. Despite the massive number of exposed credentials, the data did not originate from a centralized breach at any major tech company. Instead, the leak is a compilation of previously known breaches and new data collected by cybercriminals.
Cybernews researcher Aras Nazarovas explained that the structure and recency of the datasets make them particularly dangerous, as they include tokens, cookies, and metadata that can bypass two-factor authentication.
ZDNet reported that the leaked credentials are likely to be used in phishing campaigns, account takeovers, and ransomware attacks. While many of the records may be duplicates, the sheer volume of data poses a significant risk to online security.
Axios noted that Google has encouraged users to adopt more secure, passwordless authentication methods to protect their accounts.
To mitigate the risks, experts recommend using strong, unique passwords, enabling two-factor authentication, and monitoring accounts for suspicious activity. Users can also check if their information has been compromised by using services like 'Have I Been Pwned.'