Recently, a headline from Cybernews attracted a lot of attention online. It said that more than 16 billion credentials had been leaked, in what some are already calling one of the largest data breaches in history. Sounds shocking, right? But the big question is: is this something completely new? Well... almost.
According to the report, a huge collection of login credentials was discovered: 16 billion records spread across 30 new data packages. We're talking about usernames, passwords, cookies, tokens, and other highly sensitive data.
The most worrying thing is where the data came from. Everything indicates that it was harvested by malware specialised in stealing saved credentials (so-called “infostealers”) from infected devices, and that it includes logins for a lot of well-known services such as Google, Facebook, Apple, Microsoft and Telegram, among others. That is not the same as those companies' own systems being breached: the credentials were taken from the users' machines, not from the providers.
The report also points out something key: this data is not just recycled from previous leaks. Many of the records appear to have been collected recently, as part of active campaigns that may still be ongoing.
Although the headlines sound alarming, this is not one new breach. Most of the data is information stolen by infostealer malware, probably over the last few years. This type of malicious software runs on an infected device and harvests whatever has been saved there: usernames, passwords, browser cookies and other session data.
What has now been discovered looks more like a mega-compilation of many previous thefts. In other words, someone (or several malicious actors) gathered records from thousands of past infections and packaged them into one giant collection. Although this collection was published or became visible recently, most of the information had already been stolen some time ago.
According to researchers, most of the data in this mega leak is a mix of several sources: stolen information, lists of credentials obtained from various previous leaks, and data that was repackaged and mixed together.
An exact comparison between all the data sets was not possible because there is a lot of duplicated and mixed content. In short: the 16 billion figure counts records, not people. It is not possible to know precisely how many individuals or accounts are affected, but it is clear that many entries are repeated from one set to another.
What the researchers were able to identify is that the vast majority of records follow the same pattern: a URL (the login page the credential belongs to), followed by the username and then the password. This is the typical format infostealers produce today when they capture data directly from infected devices.
And here comes the worrying part: these records open the door to all kinds of accounts and services, from widely used platforms such as Apple, Facebook, Google and GitHub, to messaging services such as Telegram and even government portals. When more than 16 billion records are at stake, it is hard for any service to be left out.
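To make the record layout described above concrete, here is an added triage script (it is not part of the Cybernews report or of this article) that parses dump lines in the URL, username, password layout, skips malformed lines, deduplicates the same credential seen in several packages, counts records per login host, and flags entries whose username belongs to a watched organisation. The two sample "packages", the corp.example domain and the separators are constructed for the example. The one edge case worth noticing: the URL itself contains a colon after the scheme, so a naive split on ':' breaks; the parser therefore anchors on the scheme and treats everything after the second delimiter as the password.

```python
"""Triage of infostealer-style credential dumps: one record per line as
URL<sep>username<sep>password. Added example; the sample packages below are
constructed, not real leaked data."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample "packages". Dumps mix separators (':' and '|') and the
# URL itself contains ':' after the scheme, so a naive line.split(':') fails.
PACKAGES = {
    "logins.txt": """\
https://accounts.google.com/signin:alice@example.com:Summer2024!
https://www.facebook.com/login.php|alice@example.com|Summer2024!
android://abc123@com.telegram.messenger/:+15550100:pin1234
https://github.com/login:bob:hunter2
""",
    "credentials_part2.txt": """\
https://accounts.google.com/signin:alice@example.com:Summer2024!
https://login.microsoftonline.com/:carol@corp.example:P@ssw0rd
not a credential line
https://sso.corp.example/adfs/ls/:dave@corp.example:Winter:2025
""",
}

# Hypothetical organisation whose accounts we want to find in the dump.
WATCHED_USER_DOMAINS = {"corp.example"}

# URL = scheme://host[:port]/path, then a ':' or '|' delimited username, then
# the password as the rest of the line (so passwords may contain ':').
LINE_RE = re.compile(
    r"^(?P<url>[A-Za-z][A-Za-z0-9+.-]*://[^\s:|]*(?::\d+)?[^\s:|]*)"
    r"[:|](?P<user>[^:|]+)"
    r"[:|](?P<password>.+)$"
)


def parse_line(line):
    """Return {'host','url','user','password'} or None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    url, user, password = m.group("url", "user", "password")
    host = (urlsplit(url).hostname or url).lower()  # normalise to the target host
    return {"host": host, "url": url, "user": user, "password": password}


def triage(packages, watched_domains=WATCHED_USER_DOMAINS):
    """Deduplicate across packages and summarise what the dump exposes."""
    seen = {}                 # (host, user, password) -> package first seen in
    stats = Counter()
    hosts = Counter()
    watched_hits = []
    for name, blob in packages.items():
        for raw in blob.splitlines():
            stats["lines"] += 1
            rec = parse_line(raw)
            if rec is None:
                stats["unparsed"] += 1
                continue
            key = (rec["host"], rec["user"], rec["password"])
            if key in seen:
                stats["duplicate"] += 1    # same credential repackaged again
                continue
            seen[key] = name
            hosts[rec["host"]] += 1
            user_domain = rec["user"].rpartition("@")[2].lower()
            if user_domain in watched_domains:
                watched_hits.append((rec["user"], rec["host"], name))
    return {
        "stats": dict(stats),
        "unique": len(seen),
        "hosts": hosts,
        "watched_hits": sorted(watched_hits),
    }


if __name__ == "__main__":
    report = triage(PACKAGES)
    print(report["stats"], "unique:", report["unique"])
    for host, n in report["hosts"].most_common():
        print(f"{n:>4}  {host}")
    for user, host, pkg in report["watched_hits"]:
        print("WATCHED:", user, "->", host, "in", pkg)
```

On the constructed input the eight lines collapse to six unique credentials (one unparsable line, one repeated across both packages), and the two corp.example users surface as the entries an incident responder would rotate first.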
Experts warn that leaks like this can fuel all kinds of cyberattacks, including:
Personalized phishing
Account takeover
Initial access for ransomware intrusions
Business email compromise (BEC) and other attacks on corporate mailboxes
And what makes this data even more dangerous is that it includes not only passwords, but also cookies, session tokens and metadata. That means attackers don't even need your password to get into your account: replaying a stolen, still-valid session cookie skips the login form, and with it the password and any MFA prompt that the original login already satisfied, until the service expires or revokes that session.
If a company has not enabled multi-factor authentication (MFA/2FA), or doesn't follow good practices for handling credentials, it is basically leaving the door open.
Read more: Why are we still falling for phishing attacks in the middle of 2025?
The files discovered by researchers were very varied. The smallest (though not exactly “small”) contained more than 16 million records and was named after a specific piece of malware. The largest, which appears to be related to Portuguese-speaking users, contained an incredible 3.5 billion credentials. On average, each file contained around 550 million records.
Some files had fairly generic names, such as “logins” or “credentials,” which didn't say much about their content. Others did leave clear clues as to which services or regions they were linked to. For example, one with more than 455 million records referred to the Russian Federation, and another, with more than 60 million, was named after Telegram, the cloud messaging app. A file name like that indicates how the seller filtered or labelled the batch, not that the named service itself was compromised.
Example of a typical data list from a thieves' market (Source: SOCRadar)
These records are organized and merged into comprehensive lists that criminals can use in many ways. The most worrying thing is that they are not only well structured and easy to search, but they also circulate online at very low prices, and are sometimes even shared for free.
And what do attackers use them for? Well, for some pretty serious stuff, such as:
Bypassing two-factor authentication (2FA) by replaying stolen session cookies
Accessing corporate networks or developer tools without raising suspicion
Stealing cryptocurrency wallets or confidential documents
Conducting highly targeted phishing campaigns using technical information about the victim's system or browser
Unlike plain password leaks, records captured by malware often include much more valuable data: still-valid tokens, information about the user's environment, and even digital “fingerprints” of the device (such as the browser's identifying strings or system settings), which let an attacker make a replayed session look like the victim's own browser.
With all this information, attackers can automate attacks and easily tailor them to their target. And when these records are sold in bulk or leaked with labels such as “Google Workspace users” or “financial companies in the US,” the threat becomes even more specific and dangerous.
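The replay risk described above can be reduced server-side, but only partly, and the limits are worth seeing in code. The following is an added defensive example (not from the article or any named vendor) of a minimal session store: it keeps only a hash of the session ID, binds each session to a coarse device fingerprint, enforces idle and absolute lifetimes, and revokes every session of a user when the password changes. The demo walks through the failure mode the article points at: a cookie replayed from a different device is caught, but a cookie replayed together with the fingerprint copied from the same stealer log is not, so lifetimes and revocation have to do the remaining work. TTLs, names and the fingerprint inputs are assumptions.

```python
"""Session handling that limits what a stolen cookie is worth. Added example;
TTLs, names and the fingerprint inputs are assumptions, not an article or
vendor recommendation."""
import hashlib
import hmac
import secrets
import time

ABSOLUTE_TTL = 8 * 3600   # session dies regardless of activity
IDLE_TTL = 30 * 60        # and sooner if unused


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # sha256(session id) -> record; a DB dump does not leak live cookies

    @staticmethod
    def _key(sid):
        return hashlib.sha256(sid.encode()).hexdigest()

    @staticmethod
    def fingerprint(user_agent, accept_language):
        """Coarse, stable client attributes. Stealer logs usually carry these
        too, so this catches careless replay, not a careful one."""
        return hashlib.sha256(f"{user_agent}\n{accept_language}".encode()).hexdigest()

    def create(self, user, fingerprint):
        sid = secrets.token_urlsafe(32)          # 256 bits of randomness
        now = self._clock()
        self._sessions[self._key(sid)] = {
            "user": user, "fp": fingerprint, "created": now, "last_seen": now}
        return sid

    def validate(self, sid, fingerprint):
        """Return (user, reason); user is None whenever the cookie is refused."""
        rec = self._sessions.get(self._key(sid))
        if rec is None:
            return None, "unknown_or_revoked"
        now = self._clock()
        if now - rec["created"] > ABSOLUTE_TTL or now - rec["last_seen"] > IDLE_TTL:
            self.revoke(sid)
            return None, "expired"
        if not hmac.compare_digest(rec["fp"], fingerprint):
            self.revoke(sid)                      # kill it rather than let it through
            return None, "fingerprint_mismatch"
        rec["last_seen"] = now
        return rec["user"], "ok"

    def revoke(self, sid):
        self._sessions.pop(self._key(sid), None)

    def revoke_all_for_user(self, user):
        """Call on password change / account recovery; returns sessions killed."""
        doomed = [k for k, r in self._sessions.items() if r["user"] == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


def demo():
    """Walk through replay scenarios with a fake clock; returns the outcomes."""
    now = [1_700_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    victim_fp = SessionStore.fingerprint("Mozilla/5.0 (Windows NT 10.0) Chrome/125", "en-US")
    attacker_fp = SessionStore.fingerprint("Mozilla/5.0 (X11; Linux x86_64) Firefox/126", "ru-RU")
    out = {}
    sid = store.create("alice", victim_fp)
    out["owner"] = store.validate(sid, victim_fp)[1]
    # Stolen cookie replayed from the attacker's own browser: caught, and the
    # session is killed, so the owner is logged out too (a visible signal).
    out["replay_other_device"] = store.validate(sid, attacker_fp)[1]
    out["owner_after_kill"] = store.validate(sid, victim_fp)[1]
    # Attacker also copies UA and language from the stealer log: binding alone cannot tell.
    sid = store.create("alice", victim_fp)
    out["replay_same_fingerprint"] = store.validate(sid, victim_fp)[1]
    # Idle timeout closes the window once the victim stops using the session.
    now[0] += IDLE_TTL + 1
    out["replay_after_idle"] = store.validate(sid, victim_fp)[1]
    # A password change must revoke every live session, or the cookie keeps working.
    sid = store.create("alice", victim_fp)
    out["revoked_on_password_change"] = store.revoke_all_for_user("alice")
    out["replay_after_revoke"] = store.validate(sid, victim_fp)[1]
    return out


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:<28} {result}")
```

The "replay_same_fingerprint" scenario is the honest one: a stealer log that includes browser and system details defeats fingerprint binding, which is why the idle and absolute lifetimes, and revoking sessions on password change, are the controls that actually end the attacker's access.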
So, while this data is not entirely new, it remains a real risk that we should not underestimate.
Read more: Top 10 Dark Web Markets
If you suspect that your information may be in one of these huge data compilations (or you simply want peace of mind), there are several things you can do to reduce risks and improve your digital security. Key tips:
Change your passwords, especially if you have reused them on multiple sites. Start with your most important accounts: email, social media, banking, etc. Where the service offers it, also sign out of all devices or sessions: a stolen session cookie stays valid until the service revokes it, and a new password on its own does not always do that.
Enable two-factor authentication (2FA). This adds an extra layer that stops anyone who has only your password; an authenticator app or hardware security key resists phishing better than SMS codes. Keep in mind that 2FA protects the login itself, not a session that has already been stolen.
Use a password manager. These tools generate secure, unique passwords and store them for you so you don't have to remember them all.
Be on the lookout for suspicious emails or messages, and for anything unusual in your accounts (logins from unfamiliar locations or devices, messages you didn't send, changed recovery settings). If you see something, act quickly: change the password and end all active sessions.
Scan your system. Check your computer with up-to-date antivirus or anti-malware software in case an infostealer is running without your knowledge. If one is found, treat every credential and session saved on that machine as compromised, and rotate them only after the machine is clean, otherwise the new passwords are stolen too.
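The advice to change reused passwords, and the question of whether a password already appears in compilations like this one, can both be checked rather than guessed. The following added script (not part of the article) audits a password-manager CSV export for reused passwords and for passwords present in a breached-password corpus, using the k-anonymity range lookup: only the first five hex characters of the SHA-1 leave the machine, and the remaining 35 are compared locally. The vault rows and the breached corpus are constructed; mock_range_api stands in for the public Pwned Passwords range endpoint (https://api.pwnedpasswords.com/range/<prefix>), which returns SUFFIX:COUNT lines in the same shape.

```python
"""Audit a password-manager export: flag reused passwords and passwords found
in a breached-password corpus via a k-anonymity range lookup. Added example;
the vault export and the breached corpus are constructed."""
import csv
import hashlib
import io
from collections import defaultdict

# Constructed vault export in the common url,username,password CSV layout.
# Passwords containing commas must be quoted in a real export; csv handles that.
VAULT_CSV = """url,username,password
https://mail.example.com,alice@example.com,Summer2024!
https://bank.example,alice@example.com,Summer2024!
https://shop.example,alice,correct horse battery staple
https://github.com,alice-dev,hunter2
"""

# Constructed stand-in for the breached-password corpus held on the server side.
BREACHED_CORPUS = {"Summer2024!": 15_000, "P@ssw0rd": 2_500_000, "hunter2": 90_000}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def mock_range_api(prefix):
    """Stand-in for GET /range/<prefix>: returns 'SUFFIX:COUNT' lines for every
    corpus hash starting with the 5-char prefix. The server never sees the
    full hash, let alone the password."""
    lines = []
    for pw, count in BREACHED_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\n".join(lines)


def breach_count(password, range_api=mock_range_api):
    """Client side of the k-anonymity lookup: send prefix, match suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_api(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def audit_vault(csv_text, range_api=mock_range_api):
    """Return findings sorted by urgency: breach count first, then reuse."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    sites_by_password = defaultdict(list)
    for row in rows:
        sites_by_password[row["password"]].append(row["url"])
    findings = []
    for row in rows:
        reused_on = [u for u in sites_by_password[row["password"]] if u != row["url"]]
        count = breach_count(row["password"], range_api)
        if reused_on or count:
            findings.append({"url": row["url"], "username": row["username"],
                             "reused_on": reused_on, "breach_count": count})
    return sorted(findings, key=lambda f: (-f["breach_count"], -len(f["reused_on"])))


if __name__ == "__main__":
    for f in audit_vault(VAULT_CSV):
        print(f"{f['url']:<26} {f['username']:<20} in breaches: {f['breach_count']:>9}"
              f"  reused on: {', '.join(f['reused_on']) or 'nothing else'}")
```

To run it against the live service, replace mock_range_api with a function that performs the HTTPS GET for the prefix and returns the response body; the client logic stays the same, and the password itself never leaves the machine.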
The most worrying thing about infostealer malware is that it can harvest hundreds of credentials from a single infected computer. And it's not just personal passwords: it often also captures work-related access, which can open the door to corporate systems, internal platforms, or administration panels. That is the real risk.
Because beyond this latest mega-compilation, these records have been circulating for years on dark web forums, private Telegram groups and underground markets. They are the fuel behind phishing, credential stuffing (trying leaked username and password pairs against other services, betting on reuse) and even ransomware.