Cybersecurity experts have discovered what may be the largest data breach in history, involving more than 16 billion compromised usernames and passwords.
According to a recent Cybernews report, the leaked credentials were harvested by cybercriminals using various types of infostealing malware. The stolen data appears to come from a wide range of sources, including social media accounts, corporate systems, VPNs, developer platforms, and more.
Researchers say they uncovered 30 different exposed datasets, each containing millions—even billions—of records. These included accounts linked to major services like Google, Apple, Facebook, GitHub, and Telegram. Notably, the report emphasizes that all but one of these datasets had not been previously disclosed. The only exception was a dataset flagged earlier by Jeremiah Fowler, which held over 184 million passwords.
“This isn’t just another leak—it’s a roadmap for large-scale cyberattacks,” warned researchers. “With more than 16 billion credentials now accessible, cybercriminals have an enormous opportunity for identity theft, phishing attacks, and unauthorized account access. What’s particularly troubling is that much of this data is recent and organized, making it highly actionable.”
Though the datasets were temporarily exposed via unsecured Elasticsearch databases and open cloud storage systems, that short window was enough for researchers to identify and analyze them. However, the origin or owner of the data remains unknown.
What Do the Leaked Datasets Contain?
The publication explains that the leaked information primarily includes details collected by malware, credential stuffing attacks, and previously repackaged leaks. While there is some data overlap, the sheer volume makes it difficult to determine the exact number of affected individuals.
The format of most entries was consistent, listing a URL followed by a username and password—an exact signature of how info-stealing malware collects and transmits stolen data to cybercriminals.
Beyond just login credentials, the datasets also contained sensitive metadata such as authentication tokens, browser cookies, and other digital identifiers. These pose a serious threat to users and businesses, particularly those not using multi-factor authentication (MFA). Alarmingly, some folders were simply labeled “logins” or “credentials,” underscoring the ease with which malicious actors could exploit them.
These massive leaks are frequently used in phishing scams, ransomware attacks, business email compromise (BEC), and large-scale account takeovers. Experts urge immediate caution and stress the importance of strong cybersecurity measures in the wake of this breach.