Cybersecurity researchers uncover largest credential collection in history, affecting users of Apple, Google, Facebook and government services worldwide. Around 16 billion passwords leaked in this largest ever breach.

Cybersecurity researchers have discovered what they’re calling the largest compilation of stolen login credentials in history, with a staggering 16 billion usernames and passwords exposed across 30 separate databases.

The massive collection, uncovered by cybersecurity firm Cybernews during an ongoing investigation that began earlier this year, contains credentials for virtually every major online service including Apple, Google, Facebook, GitHub, Telegram, and various government platforms. This is similar to Turkish Citizenship data breach but the difference is that it doesn’t have more personal details like Date of Birth etc.

Not a Single Breach, But Years of Criminal Activity

Contrary to initial reports suggesting a single massive hack, cybersecurity experts have clarified that this represents a compilation of stolen data gathered over years through various criminal methods.

“This is not just a leak – it’s a blueprint for mass exploitation,” said researchers from Cybernews, who discovered the exposed databases. “These aren’t just old breaches being recycled. This is fresh, weaponisable intelligence at scale.”

The data primarily originates from:

• Infostealer malware that harvests credentials from infected computers
• Previous data breaches repackaged and aggregated
• Credential stuffing operations where criminals test stolen passwords across multiple sites

Lawrence Abrams, a cybersecurity expert from BleepingComputer, emphasised that “this is not a new data breach, or a breach at all, and the websites involved were not recently compromised to steal these credentials.”

Scope and Scale of the Discovery

The 30 databases range dramatically in size, from 16 million records in the smallest collection to over 3.5 billion in the largest. On average, each database contained approximately 550 million credentials.

The credentials follow a standard format used by infostealer malware: URL:username:password

Some notable patterns emerged:

• The largest dataset (3.5 billion records) appears to target Portuguese-speaking users
• One collection with 455 million records shows Russian Federation origins
• A 60-million record database specifically contains Telegram user credentials
• Multiple datasets were generically named “logins” or “credentials”

Brief Exposure Window

The databases were only accessible for a short period through unsecured Elasticsearch instances and misconfigured cloud storage systems. Researchers discovered them before they could determine who controlled the vast collections.

“The only silver lining here is that all of the datasets were exposed only briefly: long enough for researchers to uncover them, but not long enough to find who was controlling vast amounts of data,” the Cybernews team reported.

However, the brief exposure doesn’t diminish the threat. Cybercriminals have been circulating similar credential collections on platforms like Telegram and Discord for years, often sharing massive archives for free to build reputation in criminal communities.

Growing Threat from Infostealer Malware

The discovery highlights the escalating threat from infostealer malware – malicious software that steals saved passwords, cryptocurrency wallets, and other sensitive data from infected devices.

These programs have become so prevalent that law enforcement agencies worldwide have launched coordinated efforts to combat them, including “Operation Secure” and recent actions against the LummaStealer malware family.

When executed on a victim’s computer, infostealers create “logs” containing all stored credentials from browsers and applications. A single infected device with thousands of saved passwords can yield massive amounts of data for criminals.

Historical Context

This compilation of 16 billion leaked passwords surpasses previous major credential exposures:

• RockYou2024: Nearly 10 billion unique passwords leaked in 2024
• Collection #1: Over 22 million unique passwords from 2019
• Mother of All Breaches: 26 billion records discovered in 2024 (though including various data types)

The current discovery represents the largest pure credential compilation documented to date.

What Users Should Do Now

Cybersecurity experts recommend immediate action:

Immediate Steps:

1. Scan for malware before changing passwords to ensure new credentials won’t be stolen
2. Change passwords to unique, strong combinations for every account
3. Enable two-factor authentication using apps like Google Authenticator or Microsoft Authenticator
4. Use a password manager to generate and store unique passwords

Ongoing Protection:

• Avoid SMS-based two-factor authentication due to SIM-swapping risks
• Never reuse passwords across multiple sites
• Regular security check-ups using services like Have I Been Pwned
• Keep devices updated with reputable antivirus software

Industry Response

Major technology companies have renewed calls for users to adopt stronger security practices. Google has been urging users to replace passwords with more secure passkey technology, while security firms emphasise the importance of multi-factor authentication.

“The fact that the credentials in question are of high value for widely used services carries with it far-reaching implications,” said Darren Guccione, CEO of Keeper Security. “It is more important than ever for consumers to invest in password management solutions and dark web monitoring tools.”

The Bigger Picture

The discovery underscores a troubling trend in cybercrime: the commoditisation of stolen credentials. As infostealers become more sophisticated and widely available, massive credential compilations are becoming increasingly common.

Cyber security researchers noted that new large datasets emerge every few weeks, suggesting the problem is accelerating rather than diminishing.

For organisations, the incident highlights the critical importance of implementing zero-trust security models, privileged access controls, and comprehensive employee training on credential hygiene.

Looking Forward

As the investigation continues, cybersecurity researchers warn that this compilation likely represents just a fraction of stolen credentials circulating in criminal networks. The structured nature and recent timestamps on much of the data make it particularly dangerous for both individuals and organisations lacking robust security measures.

The incident serves as a stark reminder that in today’s digital landscape, credential compromise is not a matter of if, but when. The most effective defence lies in assuming credentials may already be compromised and implementing security measures that remain effective even under such circumstances.

Sources:

• Cybernews Research Team Original Investigation
• BleepingComputer Cybersecurity Analysis
• Forbes Security Coverage

For the latest cybersecurity updates and breach notifications, users are encouraged to monitor reputable security websites and enable breach notification services.