Cybersecurity researchers have uncovered leaked databases containing 16 billion unique login credentials of Apple, Discord, Facebook, Google, Instagram, Microsoft, Roblox, Snapchat, Spotify, WordPress, Yahoo, and various other online services and email providers, making it one of the largest compilations of stolen personal data ever recorded.
According to a report by Cybernews, this trove of data also includes access to corporate, developer, and government websites and VPN platforms. Researchers claimed that this information is likely from a mix of infostealer malware logs, credential stuffing databases, and previously repackaged leaks. However, there is no way to effectively compare the data between the datasets, which means it is impossible to tell how many people or accounts were affected.
Cybersecurity Researchers Discover 16 Billion Records of Social Media and Cloud Service Users
Since January 2025, Cybernews has uncovered 30 exposed datasets containing up to 3.5 billion sensitive records each, an average of 550 million per dataset, bringing the total to 16 billion records. None of these exposed datasets were previously publicized, except for one from May, when cybersecurity expert Jeremiah Fowler discovered a database containing 184 million login credentials.
However, the more worrying aspect of this discovery is that it barely scratches the surface, as researchers claim that new massive datasets are emerging every few weeks, signalling the danger of info-stealer malware.
Info-stealers are malicious software that cybercriminals use to secretly collect sensitive data such as passwords, financial information, and the browser activity of their targets. Unlike keyloggers, which record keystrokes, this malware not only captures what the victim types but also scans the compromised system for stored passwords, cookies, autofill data, and other exploitable information.
The researchers said this was “not just a leak” but a “blueprint for mass exploitation” that would allow cybercriminals to have “unprecedented” access to 16 billion personal credentials that can be used for various illicit purposes, such as account takeover, identity theft, and highly targeted phishing attacks. Another concerning aspect of the breach is the structure and recency of these databases, as they aren’t just old ones being recycled but “fresh, weaponizable intelligence at scale”.
Pattern of Leaked Datasets Points Fingers at Rampant Use of Info-Stealer Malware
Cybernews reports that the datasets were only briefly exposed through unsecured cloud storage, long enough for the researchers to uncover them, but not long enough to figure out who was controlling these vast amounts of data. While they were quickly taken down, there was ample time for the datasets to be collected and analyzed. Most of them were temporarily accessible through Elasticsearch.
Despite the lack of information on how many accounts may have been affected, the researchers found that most of the datasets follow a clear structure: a URL, followed by login details, and a password. Most modern info-stealers collect data in the same order.
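For a defender triaging such a dump, the URL, login, password order described above can be parsed to list which of an organization's accounts need a forced reset. This is an added example, not code from Cybernews or the researchers; the ":" delimiter, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed layout: URL, login, password joined by ":" (the article gives the
# order, not the delimiter). Colons in the URL (scheme, port) must not split.
RECORD = re.compile(
    r"^(?P<url>[a-z][a-z0-9+.-]*://[^/\s:]+(?::\d+)?(?:/[^:\s]*)?)"
    r":(?P<login>[^:\s]+):(?P<password>.+)$",
    re.IGNORECASE,
)

def parse_record(line):
    """Return (host, login, password), or None for a malformed line."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    try:
        host = urlsplit(m["url"]).hostname
    except ValueError:  # e.g. an unbalanced "[" in the host part
        return None
    return (host, m["login"], m["password"]) if host else None

def in_domain(name, domain):
    """True for the domain itself or a subdomain, not a look-alike suffix."""
    name, domain = name.lower(), domain.lower()
    return name == domain or name.endswith("." + domain)

def exposed_accounts(lines, watched):
    """Set of (host, login) pairs touching a watched domain; passwords dropped."""
    hits = set()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        host, login, _password = rec  # the password is never kept in the report
        mail_domain = login.rpartition("@")[2] if "@" in login else ""
        if any(in_domain(host, d) or in_domain(mail_domain, d) for d in watched):
            hits.add((host, login))
    return hits

# Constructed sample lines, not taken from any real dataset.
SAMPLE = [
    "https://vpn.example.com:8443/login:alice@example.com:Winter2024!",
    "https://shop.example.net/account:bob@example.com:pa:ss:word",
    "https://evil-example.com/signin:carol:hunter2",
    "garbage without fields",
]
```

The second sample line shows why a corporate mail domain matters even when the site itself is third-party: the login is still an organization account whose password may be reused.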
The leaked information opened the doors to pretty much every online service in existence, from cloud and social media platforms to corporate emails and various government services. Researchers claimed that credential leaks at this scale are fuel for phishing campaigns, account takeovers, ransomware intrusions, and business email compromise (BEC) attacks.
The team noted that the inclusion of both old and new info-stealer logs, which often include tokens, cookies, and metadata, makes this data “particularly dangerous” for organizations lacking multi-factor authentication or credential hygiene practices.
The smallest dataset discovered by researchers had over 16 million records, while the largest had 3.5 billion records. On average, a single dataset contained 550 million exposed online credentials. Some were generically named, such as “logins” or “credentials”, others hinted at the services they are related to, like Telegram (60 million), or their country of origin, like the Russian Federation (455 million), and some were named after the form of malware that was used to collect the data.
Breached Data Could be Owned by Security Researchers or Cybercriminals
While it is unclear who owns the leaked data, there is speculation that it could be security researchers who compile data to check and monitor potential leaks. Nonetheless, some of the datasets were owned by cybercriminals, who could use them to execute various types of attacks, such as identity theft, phishing schemes, and unauthorized access.
Hackers only need a success rate of less than one percent to get access to sensitive details of millions of internet users. Researchers also warned that there is not much users can do to protect themselves in light of this situation.
Major data breaches exposing billions of records are becoming increasingly regular occurrences. Just last week, China suffered its biggest data leak that saw billions of financial data documents, WeChat and Alipay details, and other sensitive personal information of Chinese citizens and residents exposed online.
Recently, US-based crypto exchange Coinbase disclosed that a breach from December 2024 affected more than 69,000 of its customers. In May, the company was targeted by cybercriminals, who demanded a ransom of $20 million in Bitcoin (BTC) for stolen customer data. Instead of complying with the demands, Coinbase announced a $20 million bounty program to track down the hackers.
Last year, researchers discovered the Mother of All Breaches (MOAB), with a mind-boggling 26 billion records. 2024 also saw the largest password compilation, with nearly ten billion unique passwords, called RockYou2024, which was published on a popular hacking forum.
How Can Internet Users Protect Their Data?
While the sheer scale of the latest breach is alarming, its impact could have been drastically reduced by implementing two-factor authentication (2FA), password managers, and passkeys. The researchers noted that normal internet users are more likely to be impacted by the data leak, while users with 2FA are safe.
Multi-factor authentication applications, such as the Google Authenticator and Microsoft Authenticator, add a critical security layer by requiring users to identify themselves through additional methods like a text message code, password, fingerprint, or face ID.
Passkeys are an alternative to traditional passwords, eliminating the need for login credentials and replacing them with cryptographic keys that are stored locally on a user’s device. They are also “origin-bound”, meaning they only work with the specific service for which they were created. Passkeys are considered more secure and less vulnerable to phishing attacks and are being adopted by industry giants such as Google, Apple, Microsoft, and Amazon.
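The relying-party side of origin binding, as an added example that is not from the article or any vendor's code: a server checks that a passkey assertion names its own origin and RP ID, so one produced for a look-alike site is rejected. The domain names and helper functions are assumptions, the assertion is constructed locally, and signature verification is omitted.

```python
import base64
import hashlib
import json

RP_ID = "example.com"                    # assumed relying party ID
EXPECTED_ORIGIN = "https://example.com"  # assumed web origin

def b64url(data):
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_assertion(origin, rp_id, challenge):
    """Constructed stand-in for what a browser and authenticator return."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    # authenticatorData: 32-byte SHA-256 of the RP ID, one flags byte
    # (0x01 = user present), 4-byte big-endian signature counter.
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    return client_data, rp_id_hash + b"\x01" + (7).to_bytes(4, "big")

def check_binding(client_data, auth_data, challenge):
    """Origin-binding checks only; a real server also verifies the signature
    over auth_data + SHA-256(client_data) with the stored public key."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "wrong type"
    if cd.get("challenge") != b64url(challenge):
        return "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"
    if len(auth_data) < 37:
        return "short authenticator data"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user not present"
    return "ok"
```

Because the browser writes the origin and the authenticator signs over both fields, a page on another domain cannot produce an assertion that passes these checks for `example.com`.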