According to Forbes, cybersecurity researchers confirmed the largest password leak in history. 16 billion login credentials from Apple, Facebook, Google, and virtually every major platform you can think of. That’s not a typo. It is sixteen billion.
This isn’t recycled data from old breaches. According to Cybernews researchers who discovered this massive leak, almost all of these datasets are fresh, newly discovered credentials that represent “ground zero for phishing attacks and account takeover”.
Think about that for a second: your employees’ passwords might be sitting in a criminal’s database right now, and they don’t even know it.
Impact of Leaks: What Actually Happened
The breach consists of 30 datasets, some containing up to 3.5 billion records each. The total haul is over 16 billion compromised credentials, most of which have never been seen in previous leaks.
But who are the culprits? Likely a combination of multiple infostealer malware campaigns, running quietly across consumer and corporate devices, siphoning data into these “supermassive” breach dumps.
Most credentials are organized in URL > login > password format. That means attackers don’t just have the passwords; they also know exactly where to use them.
We’re not talking about a hypothetical here. This leak is already circulating, quietly arming hackers, fraudsters, and state-backed actors alike.
What the Numbers Say When a Company Gets Breached
The average data breach now costs companies $4.88 million, and that number’s climbing to over $5.3 million by the end of 2025. Credential-based attacks like the ones this leak enables cost even more. Companies dealing with credential stuffing attacks face an average of $4 million in losses annually, with each attack targeting over 1,000 user accounts.
The Anatomy of a Modern Password Disaster
Here’s how this 16-billion credential nightmare unfolded, and why it should change how you think about password security:
It Started with Infostealer Malware
According to the research, these credentials didn’t come from one massive breach. Instead, they’re the result of infostealer malware campaigns that have been quietly harvesting data since early 2024. These sneaky programs slip onto employee devices through phishing emails, compromised websites, or even that “free” software someone downloaded from a sketchy site.
Once installed, infostealers grab everything, such as browser-saved passwords, autofill data, session cookies, and cryptocurrency wallet information. The scary part is that most employees have no idea they’re infected.
The Scale is Unprecedented
Vilius Petkauskas from Cybernews, who led the investigation, found 30 separate datasets containing anywhere from tens of millions to over 3.5 billion records each. The credentials are neatly organized and ready for cybercriminals to use in automated attacks against your systems.
Your Enterprise Is Already a Target
If you think this is just a consumer problem, think again. The leaked data includes access to “virtually any online service imaginable, ranging from Apple, Facebook, and Google to GitHub, Telegram, and various government services”. Your corporate email, cloud services, and development platforms are all targets.
What’s at Stake for Companies and Their Teams
It doesn’t matter how much you’ve spent on email gateways or endpoint protection. If your employees are reusing a Gmail password on GitHub and that Gmail login is in this breach, you’re already compromised.
Here’s what could be happening right now:
- Your developers’ GitHub accounts are being accessed to plant malicious code.
- Customer support logins are hijacked to redirect payments.
- Vendor portals are breached to launch supply chain attacks.
- Executive email accounts are accessed to phish internal teams or partners.
“This is not just a leak, but it’s a blueprint for mass exploitation,” Cybernews researchers warned. And they’re right. Without action, these passwords will be used to bypass MFA with session hijacking, plant backdoors in critical cloud environments, and launch phishing campaigns from legitimate internal email addresses.
What Action Should Your Enterprise Take?
You can’t prevent your employees’ accounts from getting compromised, but you can stop those breaches from becoming your problem. Take these steps:
- Use tools to see if your corporate domains appear in known breach databases. You might be surprised by what you find.
- Start with admin accounts, financial systems, and any accounts with access to customer data.
- Enable MFA everywhere. This is the most effective defense against ransomware and malware.
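An added example (not from the original article or the Cybernews research): a triage script for the first action above, reading records in the URL, login, password order described earlier and reporting which corporate accounts appear and whether a password is reused across sites, without keeping plaintext passwords. The `:` delimiter, the domain `corp.example` and the sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from urllib.parse import urlsplit

CORPORATE_DOMAINS = {"corp.example"}  # assumption: replace with your own domains
RUN_KEY = os.urandom(32)  # per-run key, so password fingerprints die with the process

# Constructed sample records in URL:login:password order (not real data).
SAMPLE = """\
https://github.com/login:dev1@corp.example:Winter2024!
https://mail.corp.example:8443/owa:jsmith:Tr0ub4dor
https://accounts.google.com/signin:dev1@corp.example:Winter2024!
https://shop.example.net/account:alice@gmail.com:hunter2
not-a-record
"""

def parse_record(line):
    """Split from the right so colons in the URL (scheme, port) survive.
    Limitation: a password that itself contains ':' will be mis-split."""
    parts = line.strip().rsplit(":", 2)
    if len(parts) != 3 or not all(parts):
        return None
    try:
        host = urlsplit(parts[0]).hostname
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return None
    return (host.lower(), parts[1].lower(), parts[2]) if host else None

def in_scope(name):
    """True if name is a corporate domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in CORPORATE_DOMAINS)

def triage(lines):
    """Return {login: {"hosts": set, "reused": bool}} for corporate exposure."""
    seen = defaultdict(lambda: defaultdict(set))  # login -> fingerprint -> hosts
    for rec in filter(None, map(parse_record, lines)):
        host, login, password = rec
        # In scope: a corporate e-mail login anywhere, or any login on our hosts.
        if in_scope(login.rpartition("@")[2]) or in_scope(host):
            fp = hmac.new(RUN_KEY, password.encode(), hashlib.sha256).hexdigest()
            seen[login][fp].add(host)
    return {login: {"hosts": set().union(*by_fp.values()),
                    "reused": any(len(h) > 1 for h in by_fp.values())}
            for login, by_fp in seen.items()}

if __name__ == "__main__":
    for login, info in sorted(triage(SAMPLE.splitlines()).items()):
        print(login, sorted(info["hosts"]), "REUSED" if info["reused"] else "")
```

Accounts flagged as reused are the ones to reset first, since one stolen password opens several services.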
Concluding Remarks!
Your employees’ passwords are probably already out there. According to the research, this 16-billion credential leak is “fresh, weaponizable intelligence at scale.” The organizations that survive and thrive are the ones that assume compromise and build their defenses accordingly.
Don’t just secure systems. Secure behaviors as well. Act now.