What began as a shocking report of 184 million leaked credentials has now escalated into what researchers are calling the biggest password leak in history — an unprecedented 16 billion compromised records. These include login credentials from major platforms such as Apple, Facebook, and Google, alongside a wide range of other services, from VPNs to government portals.
A Breach Like No Other
According to cybersecurity researchers at Cybernews, who have been investigating the matter since early 2024, the data spans 30 separate exposed datasets — each containing tens of millions to billions of records. While some professionals initially suspected the leak might be a repackaged compilation of past breaches, the research team insists this is largely new, previously unreported data. Only one known exception — the 184 million-password database revealed in May — overlaps with previous leaks.
“This isn’t just a leak,” the researchers stated. “It’s a blueprint for mass exploitation.”
Not a Hack — But Still a Disaster
Importantly, this is not the result of a centralized breach of tech giants like Apple or Google. Instead, these credentials were gathered via “infostealers” — malicious software that collects login data from infected devices.
Cybersecurity expert Bob Diachenko, who reviewed the findings, confirmed that the leaks originated from such malware and not from direct corporate security failures. Nonetheless, the implications are enormous. These stolen credentials are now widely available on the dark web, where they can be used for phishing, account takeovers, and more.
Why It Matters
“This is fresh, weaponizable intelligence at scale,” said Cybernews researcher Aras Nazarovas. Unlike previous leaks, which sometimes recycled old data, the current trove includes login URLs and passwords for some of the most widely used services in the world. Many of these credentials appear to have never been disclosed before.
Experts warn that even the strongest password offers no protection if it’s sitting in an exposed database. Worse still, if users have reused those credentials across multiple accounts — which remains alarmingly common — the risk multiplies quickly.
A Wake-Up Call for Password Hygiene
“Even a complex password can’t save you if the database it’s stored in is breached,” said Evan Dornbush, CEO of Desired Effect and former NSA cybersecurity expert. “That’s why password hygiene is critical — and why reusing passwords is one of the riskiest behaviors online.” George McGregor, VP at Approov, likened the leak to a domino effect: “This could spark a cascade of cyberattacks and widespread harm.”
Organizations aren’t exempt from blame either. Experts like Darren Guccione, CEO of Keeper Security, emphasized the importance of proactive measures like zero-trust models and privileged access controls. “Wherever the data resides, access should always be authenticated, authorized, and logged,” Guccione said.
A Broken System
Opinions are divided on where responsibility lies. Javvad Malik, lead security awareness advocate at KnowBe4, believes cybersecurity is a shared responsibility between organizations and individuals. Others, like MetaCert CEO Paul Walsh, strongly disagree, arguing that users shouldn’t be blamed for not spotting threats their security providers miss.
“User education alone hasn’t worked for over a decade,” Walsh said. “Security vendors need to deliver solutions that protect users without requiring them to become cybersecurity experts.”
The Rise of Passkeys
In light of this historic leak, experts are urging consumers and companies alike to embrace passkeys — a new, more secure authentication method designed to replace traditional passwords. Unlike passwords, passkeys rely on biometrics or physical devices, making them far harder to steal or misuse.
“Passkeys aren’t a nice-to-have — they’re essential,” said Rew Islam, security expert at Dashlane and co-chair of the FIDO Alliance. Facebook, Google, and Apple have already begun rolling out passkey support, and adoption is expected to grow rapidly in the next few years.
“If you’ve reused any of your passwords across accounts, now is the time to act,” Islam added. “Switch to a password manager. Enable multi-factor authentication. And wherever possible, move to passkeys.”
Conclusion
With 16 billion credentials now floating around the web, cybersecurity is no longer optional — it’s urgent. Whether you’re an individual managing a few social media accounts or a company with thousands of users, the takeaway is clear: protect your logins, or risk losing everything.
Prepared by Navruzakhon Burieva
