BREAKING: 16 BILLION Passwords Leaked! Apple, Google, Facebook and More!

If you have Google, maybe start there and change your Google password, since a lot of people have numerous saved passwords to bank accounts, social media accounts, email, etc, all under Google.

Update, June 19, 2025: This story, originally published on June 18, has been updated with comments from the founders of Keeper Security regarding the 16 billion leaked passwords and other login credentials across the major tech vendor landscape.

If you thought that my May 23 report, confirming the leak of login data totaling an astonishing 184 million compromised credentials, was frightening, I hope you are sitting down now. Researchers have just confirmed what is also certainly the largest data breach ever, with an almost incredulous 16 billion login credentials, including passwords, exposed. As part of an ongoing investigation that started at the beginning of the year, the researchers have postulated that the massive password leak is the work of multiple infostealers. Here’s what you need to know and do.

Is This The GOAT When It Comes To Passwords Leaking? Password compromise is no joke; it leads to account compromise and that leads to, well, the compromise of most everything you hold dear in this technological-centric world we live in. It’s why Google is telling billions of users to replace their passwords with much secure passkeys. It’s why the FBI is warning people not to click on links in SMS messages. It’s why stolen passwords are up for sale, in their millions, on the dark web to anyone with the very little amount of cash required to purchase them. And it’s why this latest revelation is, frankly, so darn concerning for everyone.

According to Vilius Petkauskas at Cybernews, whose researchers have been investigating the leakage since the start of the year, “30 exposed datasets containing from tens of millions to over 3.5 billion records each,” have been discovered. In total, Petkauskas has confirmed, the number of compromised records has now hit 16 billion. Let that sink in for a bit. These collections of login credentials, these databases stuffed full of compromised passwords, comprise what is thought to be the largest such leak in history.

https://wltreport.com/2025/06/19/breaking-16-billion-passwords-leaked-apple-google-facebook/#utm_source=rss&utm_medium=rss&utm_campaign=breaking-16-billion-passwords-leaked-apple-google-facebook

Storing passwords in the clear would be a significant security risk, and companies adhere to industry standards to hash passwords, making it computationally infeasible to reverse them to plaintext. Apple, Facebook (Meta), and Google do not store passwords in the clear. They store passwords as hashes using secure cryptographic algorithms. Below is a summary of their practices:

Apple: Apple uses hashed passwords with techniques like salting and key stretching (e.g., PBKDF2) to enhance security. Passwords are not stored in plaintext, and Apple emphasizes encryption for user data, including credentials, both at rest and in transit.
Facebook (Meta): Meta employs password hashing with strong algorithms, such as bcrypt, which includes salting to protect against rainbow table attacks. They follow industry best practices to ensure passwords are not stored in the clear.
Google: Google uses robust hashing mechanisms, including bcrypt or similar algorithms, with salting and iteration counts to secure passwords. Google's security model emphasizes protecting user credentials through encryption and secure storage.

BUT, the 16 Billion Record Breach Still Matters Despite Hashed Passwords

The issue stems from how these credentials were stolen, bypassing server-side protections:

Plaintext Theft by Malware: Infostealer malware (e.g., RedLine, Raccoon) captures passwords on users’ devices before hashing, via keystrokes or browser data, rendering hashing irrelevant.
Fresh Data: Most records are recent, not old, meaning passwords are likely still valid and usable for account takeovers.
No Hash Cracking Needed: Stolen plaintext passwords can be used directly, especially without two-factor authentication (2FA).
Huge Scale: 30 datasets, up to 3.5 billion records each, cover platforms like Apple, Google, Meta, and more, increasing the chance your credentials are included.
Secondary Risks: Attackers can use stolen data for phishing, impersonation, or exploiting reused passwords across sites.

What to Do

Check exposure using Have I Been Pwned or Cybernews’ Leaked Credential Checker.
Change passwords for key accounts to strong, unique ones, avoiding reuse.
Enable 2FA on all supported accounts to block unauthorized access.
Use a password manager like LastPass or 1Password for secure password generation.
Secure devices with antivirus, updates, and caution against suspicious downloads.
Monitor accounts for unusual activity and enable login alerts.
Avoid phishing scams by ignoring unsolicited emails or messages asking for credentials.

Summary

The breach is a threat because malware stole plaintext credentials from devices, not hashed data from servers. The data’s scale and freshness make account takeovers likely without 2FA or unique passwords. Act now to secure accounts and devices.

My practices:

I use Apple and LastPas to generate passwords. Here's one I just created in LastPass: cgQyFiJ10nyj4xd&. I gave up trying to make memorizable passwords and started using LastPass about 15 years ago. But those tough passwords force you into using a password manager. I like the integration of Apple's password generator and manager into Mac and IOS, but I stick with LastPass for a lot of other features.

Another approach is to use a long "passphrase" which is a phrase or sentence like "FreeRepublicIsTheGreatestEver." You can toss in a few number/letter substitutions to make it impossible to crack. "FrEeRepublicI$TheGreatestEver". Many people will say never use real words in your passphrase, so sprinkling a few numbers and symbols helps with that.

But the longest, most complicated password in the world doesn't help you if you let malware onto your machines or you fall for "social engineering" attacks and give your password to a stranger.

Use anti-malware scanning software for real-time protection and run scans on your machine regularly. That will keep key loggers off your machine.

Be sure to use Two Factor Authentication everywhere you can.

Be sure to set up SIM Swap Fraud on our mobile carrier account. This secures your mobile account and personal information to stop criminals from transferring your phone number to a SIM card they control.

"Wrong. The companies you do business with have all your passwords stored somewhere in the computers......................"

Not exactly - any competent tech company, especially the ones named in the article, Apple, Google, Facebook, will never store your password. They store a one way hash of your password. So when you login, they compare the hash they have stored, with a fresh hash of the password you are supplying. If they match you are logged in. This means if the database at Apple, Google, Facebook get stolen, the thief gets the hash, but not the password.

It is not foolproof, your password still gets transmitted during login, and if the hash is stolen, you can make guesses to match it. But if you are using unique, hard to guess password, you are probably not at risk of your password being stolen.

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.