Researchers have just confirmed what could be the largest data breach ever, with 16 billion logins up for grabs as a result of the work of multiple infostealers. The confirmation comes as part of an ongoing investigation that started at the beginning of the year.

In late May, Wired magazine reported that a security researcher had discovered a “mysterious database” with 184 million records, but that discovery was only the tip of the iceberg.

The Cybernews research team has just exposed how grave the infostealing problem has become. Currently, 16 billion login credentials are exposed, and cybercriminals have unprecedented access to personal records and accounts that can be taken over, which leads to identity theft, blackmail, and loss of privacy.

This is why Google is telling billions of users to replace their passwords, and the FBI is warning people not to click on links in SMS messages.

Discovery of the breach at CyberNews

The research team at Cybernews uncovered 30 separate datasets, each containing between tens of millions and 3.5 billion records. According to Vilius Petkauskas, deputy editor at Cybernews, the total number of compromised records has now reached 16 billion. “This is not just a leak — it’s a blueprint for mass exploitation.”

Computer code and an Israeli flag (credit: JPOST STAFF)

The Cybernews research team reported that most of the leaked data is in mixed data sets from stealer malware, and that overlapping records were present. Researchers were able to identify a clear structure in the stolen data: a URL, followed by login details and a password. Information in these leaked data sets can open doors to any online service imaginable – Apple, Facebook, Google, GitHub, Telegram, and even various government services are all on the table.

On the dark web, stolen passwords are up for sale; anyone with just a bit of cash can purchase them. 

The data sets were often named generically, such as “logins,” or given names that hinted at the services they were related to. For example, one large data set with over 455 million records was named to indicate its origins in the Russian Federation.

It is unclear who owns the leaked data; however, cybersecurity researchers are certain that cybercriminals own the data, since these groups typically favor massive datasets aggregated as collections. It is concerning that we do not have certainty of who exactly is running these breaches, meaning that there is little we can do to protect ourselves besides incorporating digital hygiene and safe browsing practices. 

What security experts are saying

Strong password management is essential, especially in times of mega-leakage. Former NSA cybersecurity expert Evan Dornbush told Forbes that, “It doesn’t matter how long or complex your password is. When an attacker compromises the database that stores it, they have it.” He added that, “This is also why it's so critical not to use the same password at multiple sites. If an attacker steals a password from one database and the individual has reused it elsewhere, then the attacker can gain access to those accounts as well.”

According to Approov vice president George McGregor, this type of leak can quickly spiral, “leading to a cascade of potential cyberattacks and significant harm to individuals and organizations.” The research confirming the recent mass leakage “simply highlights what we already know, that user identities are already widely available to hackers,” he told Forbes.

How can we protect ourselves?

One thing we can do is switch our passwords to passkeys – now, and before it's too late. Passkeys allow us to log in to platforms without typing a password; instead, authentication is done via Face ID or Touch ID, a device PIN, or a fingerprint scanner. While this shocking discovery may make you want to change all your passwords, the most efficient thing to do is to start using a password manager and switch to passkeys wherever possible.

This leak is an alarming wake-up call – not just to change our passwords, but to change how we think about cybersecurity. As cyberattacks are becoming more sophisticated, and billions of identities are now exposed, tools like passkeys and password managers are necessary steps to stay ahead of the next inevitable breach.