The Largest Password Leak in History, 16 Billion Credentials Exposed

techstory.in ^ | June 19, 2025 | Anochie Esther

[ransomnote]

[H/T bitt]

In what experts are calling the largest data breach ever recorded, researchers have confirmed the exposure of a staggering 16 billion password leaks, affecting platforms including Apple, Facebook, Google, Telegram, GitHub, VPN services, and even government portals. This unprecedented breach is believed to be the result of multiple infostealer malware campaigns operating at a massive scale throughout 2025. 

If the recently reported 184 million credential leak was alarming, this latest development represents a full-scale cybersecurity disaster that demands immediate action.

What Happened? Understanding the 16 Billion Credential Leak

According to an ongoing investigation by cybersecurity researchers at Cybernews, led by analyst Vilius Petkauskas, the exposed data was discovered within 30 supermassive datasets, each containing anywhere from tens of millions to 3.5 billion individual records.

These aren’t recycled dumps from older breaches. Most of this information is newly compromised data, collected and consolidated into massive repositories that have now surfaced on cybercriminal forums and underground marketplaces. The datasets were structured in a way that included a URL, login, and password, making them easily weaponizable for account takeovers.

“This is not just a leak, it’s a blueprint for mass exploitation,” said the Cybernews team. “These aren’t just old breaches being recycled   this is fresh, weaponized intelligence at scale.”

---

TOPICS: Miscellaneous
KEYWORDS: hacking; internet; passwords; socialmedia

[ransomnote]

The article goes on to list suggested actions in useful detail. Here's a shorter version of the list with minor changes to wording:

1. Change your passwords and enable Multi-Factor Authentication (MFA)

2. Use a password manager to generate and store unique, complex passwords for each account.

3. If you use Passkeys, it's time to switch them.

4. Watch your accounts for suspicious activity. 

[Fido969]

Our life was fine before this computer stuff.

[Jonty30]

It sounds like a pre-text to force these things on the people.

[BipolarBob]

password123 is not strong enough password, believe you me.

[Mark]

I’m safe. My password is “I-am-Not-Mark”.

[E. Pluribus Unum]

Thank goodness for 2-factor authentication. All my financial accounts have it.

[PTBAA]

iglatinpe is simply too complex to be hacked.

[NoLibZone]

Big-knockers-69 with an exclamation at the end is impenetrable.

[FlingWingFlyer]

Exactly. Wouldn’t you just love to strangle those idiots who came up with the goofy “password” idea? Even Allen Ludden thought it was a joke being played on clowns with computers.

[dennisw]

I am thinking of doing all banking and financial transactions on an old laptop I that I will convert to Linux Mint. As it is I never use my phone for that. Only my home computer Windows 11.

[bitt]

p

[gundog]

Eliminate password123, and it’s only 9 billion breaches.

[EnderWiggin1970]

When are services going to learn not to store passwords in plain text? Or is that not how these passwords were obtained?

16 billion is 2 accounts compromised for every man, woman and child on the planet. This is getting insane.

[Myrddin]

When are services going to learn not to store passwords in plain text?

Plain text is easy, but even SHA256 hashes can be beaten using rainbow tables on large cloud servers. Old UNIX password files were easily taken apart with "crack". Browsers are not necessarily your friend. Those that store the account URL, username, password are ripe for harvesting.

[ransomnote]

I was thinking they set their nets and drive everyone into them by telling them they are compromised and must change them?

[Freedom_Is_Not_Free]

Crime has never been easier or more profitable.

Once upon a time, you had to be in close proximity. Now a hacker in Shanghai can rob you blind without ever leaving his home.

[citizen]

Yep, I spell it passw0rd to fool ‘em.

[Candor7]

Its simple really.

DO NOT LINK banking information with any social platform
like Facebook Pay.

Ever.

All banking should be by double authentication.Including Pay Pal.

Delete your credit card information from on line order sites like Amazon and eBay.

This is war level data collection.

[maddog55]

Most of my passwords are 16 characters. It takes me a week to log into the streaming “apps” a new TV using the remote since I don’t talk to me my smart TVs and won’t scan anything.

A password manager might be ok but then that’ll get hacked.

[4Liberty]

I’m no tech expert, but I sense the “2-factor authentication” fad using your unique phone number is just a handy way to help big tech to aggregate your data more easily. Just a thought.