TL;DR: Cybernews researchers discovered 30 exposed datasets containing 16 billion login credentials, the largest credential exposure ever documented. The data came from infostealer malware like RedLine, Raccoon, and Vidar, which anyone can rent on the dark web for cheap. Your Apple, Google, Facebook, GitHub, Zoom, and Telegram passwords are probably in there. This isn't one company's breach. It's the entire internet's passwords sitting in misconfigured databases.

Researchers Found a Mountain of Stolen Passwords

Cybernews reporters Aras Nazarovas and Volodymyr "Bob" Diachenko spent months scanning for unsecured Elasticsearch instances and cloud storage. In June 2025, they hit the mother lode: 30 different exposed datasets containing approximately 16 billion credentials.[1]

The largest single dataset held 3.5 billion records and appeared to target Portuguese-speaking populations. Another with 455 million records came from Russia. One dataset of 60+ million records was named after Telegram.[1]

All the data followed the same format: a login URL, username/email, and password. That uniform structure points to one source: infostealer malware.[1]
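A security team can use that three-field layout to check a dump for its own exposure. The sketch below is an added example, not code from Cybernews or from the researchers; the ":" separator, the sample records and the function names are assumptions, and it reports which accounts need a reset without ever returning a password.

```python
from urllib.parse import urlsplit

# Constructed sample records in the URL, login, password layout the article
# describes. The ":" separator is an assumption; real dumps vary.
SAMPLE = """\
https://accounts.example.com/signin:alice@example.com:Summer2024!
https://vpn.example.com:8443/login:bob:pa:ss:word
https://shop.other.test/account:carol@example.com:hunter2
https://notexample.com/login:eve@notexample.com:letmein
not a record
"""

def parse_record(line):
    """Split one 'URL:login:password' line into (host, login, password), or None."""
    scheme, sep, rest = line.strip().partition("://")
    authority, slash, tail = rest.partition("/")
    if not sep or not slash:
        return None  # no scheme or no path: the URL/login boundary is ambiguous
    # The port's ':' sits in `authority`; the password keeps any ':' it contains.
    fields = tail.split(":", 2)  # path, login, password
    if len(fields) != 3 or not fields[1]:
        return None
    try:
        host = urlsplit(f"{scheme}://{authority}").hostname
    except ValueError:
        return None
    return (host, fields[1], fields[2]) if host else None

def under(name, domains):
    """True if name equals, or is a subdomain of, one of the watched domains."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)

def exposed_accounts(dump, domains):
    """Return sorted (login, host, reason) tuples that touch the watched domains.
    The password is parsed only to find the field boundary and is discarded."""
    hits = set()
    for line in dump.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        host, login, _password = rec
        if under(host, domains):
            hits.add((login, host, "company service"))
        elif "@" in login and under(login.rsplit("@", 1)[1], domains):
            hits.add((login, host, "company email on third-party site"))
    return sorted(hits)
```

Matching on a dot boundary keeps look-alike hosts such as `notexample.com` out of the results for `example.com`.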

The databases were only exposed briefly: long enough for researchers to find them, but not long enough to identify who controlled them. Convenient for whoever compiled this data.

Which Services Got Hit

Pretty much everything. The exposed credentials include logins for:[2][3]

  • Apple: iCloud, Apple ID accounts
  • Google: Gmail, Google accounts, YouTube
  • Facebook/Meta: Facebook, Instagram
  • GitHub: Developer accounts, repositories
  • Zoom: Video conferencing logins
  • Twitch: Streaming platform accounts
  • Telegram: Messaging app credentials
  • VPN services: Various providers
  • Government portals: Unspecified agencies
  • Corporate systems: Enterprise logins

A Google spokesperson told Axios this wasn't a Google breach: the credentials were stolen from users' devices via malware.[2] Same applies to Apple, Facebook, and everyone else. The companies weren't hacked. Their users were.

The Infostealer Epidemic

Infostealer malware is the engine behind this mess. These programs silently infect your computer, harvest saved passwords from your browser, and ship them off to criminals. The malware families doing most of the damage: RedLine, Raccoon, and Vidar.[1][3]

Here's the scary part: anyone can buy or rent these tools on dark web forums. No technical skills required. Pay your subscription, get your malware dashboard, start collecting credentials.[1]

Infostealers were behind the Snowflake breach wave in 2024 and 2025 that hit AT&T, Ticketmaster, and dozens of other companies. Criminals didn't hack Snowflake: they used stolen credentials from infostealer infections to log into customer accounts.[1]

This 16-billion-credential trove represents what researchers could find in misconfigured databases since January 2025. New massive leaks surface every few weeks.[1]

What Criminals Do With This Data

When you have 16 billion username/password pairs, you don't try to break into one account at a time. You automate.

Credential stuffing attacks use bots to test stolen login combinations across thousands of websites. People reuse passwords, and criminals know this. If your Gmail password works, they'll try it on your bank, your Amazon, your work email.

These attacks are cheap to run and highly effective. Malwarebytes called this dataset "a blueprint for mass exploitation."[3]
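On the defending side, credential stuffing leaves a recognizable trace in authentication logs: one source trying many different usernames, each only once or twice. The following is an added example, not from the article or its sources; the log format, the thresholds and the function name are assumptions, and the events are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed auth events: ISO timestamp, source IP, username, outcome.
LOG = """\
2025-06-20T10:00:01 203.0.113.7 alice FAIL
2025-06-20T10:00:02 203.0.113.7 bob FAIL
2025-06-20T10:00:03 203.0.113.7 carol OK
2025-06-20T10:00:04 203.0.113.7 dave FAIL
2025-06-20T10:00:05 203.0.113.7 erin FAIL
2025-06-20T10:00:10 198.51.100.4 frank FAIL
2025-06-20T10:00:20 198.51.100.4 frank FAIL
2025-06-20T10:00:30 198.51.100.4 frank OK
"""

def detect_stuffing(log, window=timedelta(minutes=5), min_users=4, max_per_user=2):
    """Flag IPs that try many distinct usernames, few times each, within one window.

    Returns {ip: {"users": n, "takeover": [usernames that logged in OK]}}.
    Thresholds are illustrative assumptions and need tuning per service.
    """
    by_ip = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, ip, user, outcome = parts
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            counts = Counter(user for _, user, _ in span)
            # Many users, few tries each: stuffing. One user, many tries: not.
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                ok = {user for _, user, outcome in span if outcome == "OK"}
                prev = alerts.get(ip, {"users": 0, "takeover": []})
                alerts[ip] = {"users": max(prev["users"], len(counts)),
                              "takeover": sorted(set(prev["takeover"]) | ok)}
    return alerts
```

Any username in `takeover` logged in successfully during the spray and should be treated as compromised: reset the password and revoke its sessions. Attacks spread across many source addresses need a second grouping key, which this per-IP example does not cover.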

Beyond automated attacks, criminals use exposed credentials for:

  • Account takeover: Lock you out, take over your identity
  • Financial fraud: Access banking, payment apps
  • Corporate espionage: GitHub/enterprise logins are gold
  • Phishing setup: Your email becomes their phishing platform
  • Extortion: "We have your password, pay up or else"

What You Should Do Now

Check Have I Been Pwned

Go to haveibeenpwned.com and enter your email addresses. See which breaches you're in. The 16B dataset may not be fully loaded yet, but other infostealer dumps are.

Change Your Passwords

Start with email, banking, and anything financial. Use unique passwords for every site. A password manager makes this actually possible. Bitwarden is free and open source.

Enable 2FA Everywhere

Two-factor authentication stops credential stuffing cold: even if attackers have your password, they can't log in. Use authenticator apps (not SMS) where possible.

Consider Passkeys

Passkeys replace passwords entirely. Apple, Google, and Microsoft all support them now. No password means nothing to steal. Start with your most important accounts.

More protection steps:

  • Run antivirus scans: Infostealers hide in pirated software, fake Chrome extensions, and malicious downloads
  • Update your software: Patches close the holes malware exploits
  • Audit your browser extensions: Remove anything you don't actively use
  • Delete unused accounts: Fewer accounts means fewer targets
  • Check for unfamiliar devices: Review login sessions in Google, Apple, Facebook settings

This Is the New Normal

Security researcher Volodymyr Diachenko put it plainly: "This is not about the number (though it is scary!), but the scale and rise of infostealers infections these days."[1]

This wasn't one breach. It was 30 datasets compiled from countless malware infections. And only one of those 30 had been previously reported.[1]

Infostealers are a malware-as-a-service industry now. The barrier to entry is low. The payoff is high. And as long as people save passwords in browsers and reuse them across sites, the harvest will continue.

The 16 billion number is what researchers found. The real total is higher.

References

  1. Cybernews - 16 billion passwords exposed in record-breaking data breach
  2. Tom's Guide - 16 billion password data breach hits Apple, Google, Facebook and more
  3. Fox News - 16 billion passwords leaked in massive data breach