A massive cybersecurity breach has exposed over 16 billion login credentials, in what experts are calling the most extensive credential leak ever recorded. The records include usernames, passwords, access tokens, session cookies, and other sensitive metadata.
The Scope of the Leak
Between January and June 2025, researchers at Cybernews discovered 30 separate datasets containing tens of millions to more than 3.5 billion records each. While one of these sets, with 4.5 billion records, had surfaced earlier, the remaining 29 datasets are being exposed for the first time.
The credentials were stolen using infostealer malware. These malicious programs exploited unsecured storage systems, such as Amazon-style object repositories and Elasticsearch servers, to siphon off data.
Who Was Affected?
Credentials from many major platforms have been compromised, including:
- Apple (Apple ID)
- Google (Gmail)
- GitHub
- Telegram
- VPN providers
- Government services
- Developer tools and portals
The datasets include:
- Around 3.5 billion records linked to Portuguese users
- Approximately 445 million credentials from Russian users
- Nearly 60 million Telegram logins
Why This Breach Is Especially Alarming
This leak isn’t just a dump of reused or outdated passwords; it’s a cache of fresh, well-structured, and highly exploitable data. It contains valid session tokens and cookies, which makes it especially dangerous for real-time attacks, because a live session can be reused without the password or a second-factor prompt. With this data, threat actors can easily carry out:
- Credential stuffing attacks across multiple platforms
- Tailored phishing campaigns based on real user data
- Unauthorized access to crypto wallets and exchanges tied to compromised emails
How to Protect Yourself
Cybersecurity experts strongly recommend the following steps:
- Change your passwords immediately, especially on any accounts that use the same credentials.
- Enable strong two-factor authentication (2FA), ideally using an authenticator app or a hardware key instead of SMS.
- Use a password manager to create and store unique, complex passwords for every account.
- Consider adopting passkeys or other phishing-resistant authentication methods.
- Regularly monitor your financial, email, and cryptocurrency accounts for suspicious activity.
This incident is a stark reminder: passwords alone can no longer protect your online identity. Whether you’re accessing Gmail, banking apps, or crypto platforms, it’s time to upgrade your security practices with strong, unique credentials and multi-factor authentication.