16 Billion Login Credentials Leaked in Unprecedented Cybersecurity Breach
Security researchers confirm freshly stolen passwords from dozens of platforms now circulating online
Security researchers have identified an unprecedented leak encompassing approximately 16 billion user credentials, marking the largest such exposure on record.
The newly discovered databases comprise some 30 distinct datasets, each containing tens of millions to several billion records.
The information is believed to be obtained via infostealer malware campaigns targeting browser-saved credentials, session data, and cookies in real time.
This collection includes login details from major tech platforms—among them Apple, Google, Facebook, GitHub, and Telegram—as well as from VPN services, developer portals, online marketplaces, and government systems.
Each record reportedly combines URL, username or email, and password, enabling direct reuse for phishing or credential-stuffing attacks.
Cybercrime analysts describe the dataset as largely new, rather than recycled from earlier breaches.
The presence of intact login sequences and freshly stolen session tokens is cited as evidence of active malware operations in 2025.
The leak is said to have surfaced across underground forums and marketplaces in plain-text form, elevating its potential for automated exploitation.
Additionally, broader industry analysis during 2024–25 has catalogued over 19 billion leaked passwords across more than 200 breaches, with only around 6 percent being unique.
A staggering 94 percent of the datasets comprised reused or common credentials, with examples such as “123456,” “password,” and “admin” appearing hundreds of millions of times.
The reuse of credentials across accounts enables high-volume automated attacks, commonly referred to as credential stuffing, which carry success rates of up to 2 percent per million attempted logins.
Weak passwords remain prevalent: around 42 percent of entries are only 8–10 characters long, and roughly 27 percent use solely lowercase letters and digits.
The root cause of the leak is ascribed to infostealer malware.
These tools infiltrate endpoints and harvest sensitive credentials before packaging them into standardized databases for distribution in criminal marketplaces.
Analysts warn that the scale and freshness of this leak create a “blueprint for mass exploitation,” with direct applicability to phishing, account takeover, identity theft, and enterprise intrusion campaigns.
Platforms across sectors—financial services, healthcare, social media, government—face heightened risk as attackers deploy automated login attempts using the leaked credentials.
In prior incidents, such as between April 2024 and April 2025, over 3 terabytes of raw leaked data were analysed, revealing the systemic vulnerability posed by credential reuse worldwide.
Research emphasises that even simple dictionary-style passwords enable rapid account breaches when combined with attacker-owned automation systems.
The leak also echoes earlier megabreaches, such as the “RockYou2024” archive containing nearly 10 billion passwords compiled from two decades of incident data.
However, the current 16 billion-credential exposure is distinguished by its proximity in time and volume of nascent threat intelligence.
This situation illustrates the expanding role of malware-based exfiltration in complementing traditional data breach strategies, and paints a picture of rapidly circulating credential data re-entering the attacker economy almost in real time.
The newly discovered databases comprise some 30 distinct datasets, each containing tens of millions to several billion records.
The information is believed to be obtained via infostealer malware campaigns targeting browser-saved credentials, session data, and cookies in real time.
This collection includes login details from major tech platforms—among them Apple, Google, Facebook, GitHub, and Telegram—as well as from VPN services, developer portals, online marketplaces, and government systems.
Each record reportedly combines URL, username or email, and password, enabling direct reuse for phishing or credential-stuffing attacks.
Cybercrime analysts describe the dataset as largely new, rather than recycled from earlier breaches.
The presence of intact login sequences and freshly stolen session tokens is cited as evidence of active malware operations in 2025.
The leak is said to have surfaced across underground forums and marketplaces in plain-text form, elevating its potential for automated exploitation.
Additionally, broader industry analysis during 2024–25 has catalogued over 19 billion leaked passwords across more than 200 breaches, with only around 6 percent being unique.
A staggering 94 percent of the datasets comprised reused or common credentials, with examples such as “123456,” “password,” and “admin” appearing hundreds of millions of times.
The reuse of credentials across accounts enables high-volume automated attacks, commonly referred to as credential stuffing, which carry success rates of up to 2 percent per million attempted logins.
Weak passwords remain prevalent: around 42 percent of entries are only 8–10 characters long, and roughly 27 percent use solely lowercase letters and digits.
The root cause of the leak is ascribed to infostealer malware.
These tools infiltrate endpoints and harvest sensitive credentials before packaging them into standardized databases for distribution in criminal marketplaces.
Analysts warn that the scale and freshness of this leak create a “blueprint for mass exploitation,” with direct applicability to phishing, account takeover, identity theft, and enterprise intrusion campaigns.
Platforms across sectors—financial services, healthcare, social media, government—face heightened risk as attackers deploy automated login attempts using the leaked credentials.
In prior incidents, such as between April 2024 and April 2025, over 3 terabytes of raw leaked data were analysed, revealing the systemic vulnerability posed by credential reuse worldwide.
Research emphasises that even simple dictionary-style passwords enable rapid account breaches when combined with attacker-owned automation systems.
The leak also echoes earlier megabreaches, such as the “RockYou2024” archive containing nearly 10 billion passwords compiled from two decades of incident data.
However, the current 16 billion-credential exposure is distinguished by its proximity in time and volume of nascent threat intelligence.
This situation illustrates the expanding role of malware-based exfiltration in complementing traditional data breach strategies, and paints a picture of rapidly circulating credential data re-entering the attacker economy almost in real time.
Translation:
Translated by AI
