Explainers

Biggest Password Leak Ever? 1,600 Cr Logins Stolen From Major Platforms

Cybersecurity researchers have uncovered a massive data breach exposing 1,600 crore login credentials linked to major platforms like Apple, Google, Facebook, Telegram, and GitHub.

By Hera Rizwan | 23 Jun 2025 2:16 PM IST

Cybersecurity researchers have discovered what they describe as one of the biggest data breaches ever, exposing billions of login credentials tied to major online platforms.

Cybernews, a cybersecurity media outlet and research organisation, has uncovered a massive leak containing close to 1,600 crore usernames and passwords, potentially allowing cybercriminals to access a wide range of popular platforms.

As part of an investigation that began earlier this year, researchers described the breach as highly alarming, warning that the compromised data “opens the doors to pretty much any online service imaginable, from Apple, Facebook, and Google, to GitHub, Telegram, and various government services.”

“This is not just a leak—it’s a blueprint for mass exploitation,” researchers said. “With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing.”

The scale and structure of the breach are deeply concerning, especially as recent reports highlight how weak and reused passwords continue to be a major security flaw.

Who is affected by the leak?

The number of exposed people or accounts is unknown. The researchers discovered 30 datasets containing an unknown number of overlapping records, making it challenging to determine the exact number of affected accounts or individuals. The information seen in the datasets followed a “clear structure: URL, followed by login details and a password”.

The researchers said the data likely comes from malicious software known as infostealers. 

Infostealers are a type of malware designed to secretly collect sensitive information from a victim’s device, such as login credentials, credit card details, and browser data. They usually spread through phishing emails, malicious downloads, or cracked software and send the stolen data back to cybercriminals, often ending up for sale on underground forums.

Bob Diachenko, the Ukrainian cybersecurity specialist behind the research, said the data appeared to be “85% infostealers” and about 15% from historical data breaches such as a leak suffered by LinkedIn.

"What's especially concerning is the structure and recency of these datasets—these aren't just old breaches being recycled. This is fresh, weaponizable intelligence at scale," the researchers said.

They uncovered the leak when the datasets were exposed for a short period of time after being poorly stored on remote servers. “The only silver lining here is that all of the datasets were exposed only briefly: long enough for researchers to uncover them, but not long enough to find who was controlling vast amounts of data,” they noted.

What you can do to stay safe

Cybernews has urged internet users to update their passwords as a precaution and consider doing so regularly to stay protected against future leaks. But the question of how often to change passwords remains contested in the cybersecurity world. While some experts advocate rotating passwords every few months, others caution that frequent changes can lead to weaker, more predictable choices unless there's evidence of a breach.

Amid growing concerns over massive leaks, cybersecurity experts advise using unique passwords with a password manager, enabling two-factor authentication, and adding other forms of security like passkeys and security keys that can replace passwords altogether.

Passkeys use public-key cryptography and are typically unlocked using a device’s biometrics (like fingerprints or facial recognition) or a PIN. They are resistant to phishing and credential stuffing attacks, and unlike passwords, they are not stored on a server.
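To make the passkey paragraph concrete, here is a simplified sketch of a passkey-style login, added for illustration and not taken from the article or from any platform's implementation. It assumes Node.js and Ed25519 keys; the function names and the `example.test` origins are hypothetical, and real WebAuthn adds attestation, signature counters and binary encodings.

```javascript
const { generateKeyPairSync, sign, verify, randomBytes } = require('node:crypto');

// Registration: the device creates a key pair; the server keeps ONLY the public key,
// so a server-side leak exposes nothing that can be replayed as a login.
function register() {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  return { device: { privateKey }, server: { publicKey } };
}

// Server: a fresh random challenge per login attempt.
function newChallenge() {
  return randomBytes(32).toString('base64url');
}

// Device: the browser (not the page) records the origin the user is actually on,
// and the private key signs challenge + origin together.
function signAssertion(device, challenge, origin) {
  const clientData = Buffer.from(JSON.stringify({ challenge, origin }));
  return { clientData, signature: sign(null, clientData, device.privateKey) };
}

// Server: accept only a valid signature over the expected challenge and origin.
function verifyAssertion(server, expectedChallenge, expectedOrigin, assertion) {
  if (!verify(null, assertion.clientData, server.publicKey, assertion.signature)) return false;
  const { challenge, origin } = JSON.parse(assertion.clientData.toString());
  return challenge === expectedChallenge && origin === expectedOrigin;
}

function demo() {
  const { device, server } = register();
  const SITE = 'https://login.example.test';      // hypothetical genuine site
  const LOOKALIKE = 'https://login.examp1e.test'; // hypothetical look-alike site

  const c1 = newChallenge();
  const genuine = verifyAssertion(server, c1, SITE, signAssertion(device, c1, SITE));

  // Assertion created on the look-alike page and relayed to the real site: origin mismatch.
  const c2 = newChallenge();
  const relayed = verifyAssertion(server, c2, SITE, signAssertion(device, c2, LOOKALIKE));

  // An earlier assertion reused against a new challenge: challenge mismatch.
  const replayed = verifyAssertion(server, newChallenge(), SITE, signAssertion(device, c1, SITE));

  return { genuine, relayed, replayed };
}

console.log(demo());
```

Only the genuine login verifies. The relayed and replayed assertions are rejected, which is why a dump of stolen passwords gives no way in to an account that accepts only passkeys.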

However, passkeys are not without criticism. Privacy advocates have raised concerns about their reliance on biometric data, especially in scenarios involving shared devices or where users might be coerced into unlocking their accounts. Others point to a lack of standardisation across platforms, which can make adoption confusing for average users.

Meanwhile, password habits continue to lag behind security best practices. A recent NordPass report revealed that the most common passwords are still painfully weak—topping the list are "123456," "password," and "qwerty". Another analysis in May found that 94% of leaked passwords were reused across multiple accounts, with only 6% being unique.

