Cybersecurity nightmare: More than 16 billion passwords leaked in unprecedented data breach

The researchers claim that they came across 30 exposed datasets of various sizes, which contained anywhere between tens of millions to more than 3.5 billion records with accounts from Google, Apple, Facebook, GitHub, Telegram and more. The report also claims that “none of the exposed datasets were reported previously,” except for the one reported by Jeremiah Fowler, which contained more than 184 million passwords.

“This is not just a leak – it’s a blueprint for mass exploitation. With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing. What’s especially concerning is the structure and recency of these datasets – these aren’t just old breaches being recycled. This is fresh, weaponizable intelligence at scale”, added researchers.

And while these newly discovered datasets were only exposed online for a brief period of time using unsecured Elasticsearch and object storage instances, which was long enough for security researchers to uncover the dataset, but not learn who controlled them.

What information do these datasets contain?

The publication says that the majority of data leaked in the datasets contains “a mix of details from stealer malware, credential stuffing sets and repackaged leaks.” And while there is no way to compare these datasets, they likely contain at least some duplicated information. This makes it hard to determine how many people were affected by the data breach.

However, most of the data in these datasets followed a particular pattern, containing a URL followed by a username and a password. To those unaware, this is exactly how infostealing malware collects information and sends it to threat actors.

The researchers also found that these huge datasets containing usernames and passwords are often used for phishing campaigns, ransomware intrusions, business email compromise and account takeovers. These exposed datasets also included tokens, cookies and metadata, which makes them dangerous for companies and services that lack multi-factor authentication. Also, some of these were simply named “logins” and “credentials”.

In a statement, Telegram said that its “primary login method is a one-time password delivered by SMS”, the effect of the data breach is not as severe compared to other platforms where the password is always the same.

How to stay safe if your password is leaked?

If you think your system is infected by an infostealing malware, make sure to install a known antivirus and run a thorough security scan to remove it. Users can also make use of Google One’s “Dark Web Report” feature, which lets you check if your personal information has been leaked as part of a data breach or is available on the dark web. Also, make sure that you refrain from using common passwords like ‘12345678’ and ‘password’ and instead use a combination of numbers and letters to keep your account secure.

To give you a quick recap, datasets containing billions of passwords have previously found their way on the internet. Last year, researchers came across what they called the Mother of All Breaches, which contained more than 26 billion records.