Update, June 20, 2025: This story, originally published on June 18, has been updated to include details of how to switch from passwords to the much more secure passkey technology if you are an Apple, Facebook or Google user. There is now also additional input from cybersecurity professionals regarding the 16 billion credentials mega leak.
If you thought that my May 23 report, confirming the leak of login data totaling an astonishing 184 million compromised credentials, was frightening, I hope you are sitting down now. Researchers have just confirmed what is also certainly the largest data breach ever, with an almost incredulous 16 billion login credentials, including passwords, exposed. As part of an ongoing investigation that started at the beginning of the year, the researchers have postulated that the massive password leak is the work of multiple infostealers. Here’s what you need to know and do.
Is This The Biggest Yet When It Comes To Passwords Leaking?
Password compromise is no joke; it leads to account compromise and that leads to, well, the compromise of most everything you hold dear in this technological-centric world we live in. It’s why Google is telling billions of users to replace their passwords with much more secure passkeys. It’s why the FBI is warning people not to click on links in SMS messages. It’s why stolen passwords are up for sale, in their millions, on the dark web to anyone with the very little amount of cash required to purchase them. And it’s why this latest revelation is, frankly, so darn concerning for everyone.
According to Vilius Petkauskas at Cybernews, whose researchers have been investigating the leakage since the start of the year, “30 exposed datasets containing from tens of millions to over 3.5 billion records each,” have been discovered. In total, Petkauskas has confirmed, the number of compromised records has now hit 16 billion. Let that sink in for a bit. These collections of login credentials, these databases stuffed full of compromised passwords, comprise what is thought to be the largest such leak in history.
“Intelligence agencies and threat actors alike use these and accumulate these lists on the dark web,” Lawrence Pingree, a vice president at Dispersive, said, “sometimes repackaged several times, sometimes sold on an individual basis.” As Pingree told me, it’s hard to tell without examining the entire dataset, deduplicating the data, and comparing it to standalone breach datasets whether this is a repackaged leak or not. However, the Cybernews researchers are sure it is not. Whatever, as Pingree said, “16 billion records is a large number,” and such credentials data “can be misused and is misused – that’s what makes it valuable.”
The 16 billion strong leak, housed in a number of supermassive datasets, includes billions of login credentials from social media, VPNs, developer portals and user accounts for all the major vendors. Remarkably, I am told that none of these datasets have been reported as leaked previously, this is all new data. Well, almost none: the 184 million password database I mentioned at the start of the article is the only exception.
“This is not just a leak – it’s a blueprint for mass exploitation,” the researchers said. And they are right. These credentials are ground zero for phishing attacks and account takeover. “These aren’t just old breaches being recycled,” they warned, “this is fresh, weaponizable intelligence at scale.”
Most of that intelligence was structured in the format of a URL, followed by login details and a password. The information contained, the researchers stated, open the door to “pretty much any online service imaginable, from Apple, Facebook, and Google, to GitHub, Telegram, and various government services.”
Strong Password Management Is Essential In Light Of Mega-Leaks Such As This One
Not all password databases are the result of compromise and infostealer malware, such as is the case with the 16 billion megadump here. Darren Guccione, the CEO and co-founder of Keeper Security, a privileged access management platform, told me that this passwords leak was an apt reminder of “just how easy it is for sensitive data to be unintentionally exposed online.” And Guccione certainly isn’t wrong, far from it in fact. This could be just the tip of the biggest security iceberg waiting to crash into the online world. I mean, just imagine how many exposed credentials, including passwords, are sitting there in the cloud, or more to the point in misconfigured cloud environments, waiting for someone to find them. If we are lucky, that someone will be a security researcher who responsibly discloses the exposure to the owner or host; if not, then it will be a malicious actor. Who would you put your money on?
“The fact that the credentials in question are of high value for widely used services carries with it far-reaching implications,” Guccione said, which is why it is more important than ever for consumers to invest in password management solutions and dark web monitoring tools. The latter can help by alerting users when their passwords have been exposed online, hopefully enabling them to take direct action and update their account logins if the password has been reused across services.
Organizations, however, do not escape the necessity of investment either. They should be looking at adopting zero-trust security models that provide privileged access controls to “limit risk by ensuring access to sensitive systems is always authenticated, authorized and logged,” Guccione concluded, “regardless of where the data lives.”
Desired Effect CEO Evan Dornbush, a former NSA cybersecurity expert, said that “It doesn’t matter how long or complex your password is. When an attacker compromises the database that stores it, they have it.” Which is why password hygiene and management are so essential. “This is also why it’s so critical not to use the same password at multiple sites. If an attacker steals a password from one database and the individual has reused it elsewhere, then the attacker can gain access to those accounts as well.”
Approov vice president, George McGregor, described this kind of massive leak as being the first domino, “leading to a cascade of potential cyberattacks and significant harm to individuals and organizations.” The research, McGregor insisted, “simply highlights what we already know, that user identities are already widely available to hackers.”
Cybersecurity Is A Shared Responsibility – Don’t Share Your Passwords
Ultimately, this reinforces that cybersecurity is not just a technical challenge but a shared responsibility. “Organisations need to do their part in protecting users,” Javvad Malik, lead security awareness advocate at KnowBe4, said, “and people need to remain vigilant and mindful of any attempts to steal login credentials. Choose strong and unique passwords, and implement multi factor authentication wherever possible.”
Paul Walsh, CEO at MetaCert, disagrees with the concept of cybersecurity as a shared responsibility. “That’s pure BS from security vendors who still don’t know how to protect their customers from phishing attacks and then blame people for not becoming security pros,” Walsh said in a post on the X social media platform. How can users be expected to spot threats that their security providers cannot? That’s a pretty sensible question posed by Walsh, who remarked that user education isn’t working and hasn’t been effective in more than a decade. Walsh does, of course, have skin in this game, with Metacert pioneering a zero-trust URL authentication approach to the problem.
Switch Your Passwords To Passkeys Now — Don’t Wait Until It’s Too Late
While you might not want to change all your account passwords as a result of this latest leak revelation, I would certainly recommend it if you have ever reused any of those credentials across more than one service. I would also suggest that now is the time to start using a password manager and switch to passkeys wherever possible.
Rew Islam is a security expert at Dashlane as well as the co-chair of the FIDO Alliance. Dashlane was, Islam told me, “the first credential manager to launch passkey support,” and as such said, “it’s very exciting to see the tech industry following suit.” The latest to announce passkey adoption is Facebook, which is great timing in light of the Cybernews research. “For other companies and platforms with large social followings, the writing is on the wall,” Islam concluded, “passkeys aren’t a nice-to-have, they’re essential to protecting users.”
- You can find out how to switch from a password to a passkey if you are a Facebook user here.
- You can find out how to switch from a password to a passkey if you are an Apple user here.
- You can find out how to switch from a password to a passkey if you are a Google user here.
“While there could be some natural resistance to change,” Islam said, “the good news is that most users are ready to ditch passwords and rely on factors they already know and use, such as face or fingerprint recognition.”What it will take, of course, is more and more companies, from banks to social media and small businesses, to join the passkeys party. Through such adoption, confidence will build in even the most skeptical. “Over the next three years,” Islam concluded, “we expect passkeys to be used by the global majority of internet users.”
