Over 16 billion login credentials have been exposed online, making this one of the largest data leaks ever recorded. This is not from a single company being hacked. Instead, it is a massive collection of stolen data gathered over time from multiple breaches and attacks. Much of this data was stolen by malware called infostealers and left unsecured in various cloud storage systems.
These huge datasets were found on open platforms like Elasticsearch and other cloud storage services. Although the data was secured shortly after being reported, it was exposed long enough for researchers to analyze. The owners of many of these storage locations remain unknown. This incident highlights how cyber threats are evolving and affecting people and organisations worldwide.
Who Found This Massive Data Leak?
Cybersecurity researchers, led by experts from Cybernews, discovered this enormous pile of data. Their work started early in 2025. They found about 30 separate datasets. These datasets ranged in size from tens of millions to over three billion records. Together, the exposed credentials add up to more than 16 billion.
These large datasets were stored on unsecured platforms like Elasticsearch and other cloud storage services. The data was secured soon after being reported, but it was exposed long enough for researchers to study it. Many owners of these storage locations remain unknown.
What Does the Exposed Data Include?
This data is fresh and organised, ready for criminals to use. It mainly comes from infostealer malware. This malware infects devices and collects sensitive information like:
- Login details saved in browsers and apps. These are usually formatted as website address, username, and password, and include logins for email programs, messaging apps like Telegram, and VPN tools.
- Autofill information such as names, addresses, phone numbers, and sometimes credit card details.
- Cookies that let attackers skip passwords and access accounts directly.
- Device information that helps attackers plan further actions.
- Screenshots that capture sensitive information on screens.
- Cryptocurrency wallet details like wallet files and private keys.
The leaked credentials cover many services. These include major companies like Apple, Google, and Facebook. Social media and messaging platforms like Instagram and Telegram are affected. Developer platforms like GitHub, VPN providers, government portals, and business systems are also part of the leak.
How Did the Data Become Public?
Infostealer malware spreads through phishing emails, downloads from unsafe websites, fake ads, or bundling with pirated software. It runs quietly, stealing data and sending it to attackers.
A main reason this data became public is unsecured cloud storage. Criminals keep stolen data in cloud storage such as AWS S3 buckets, Azure Blob Storage containers, or Elasticsearch instances. These storage locations were sometimes left open because of poor security settings or mistakes. This made it easy for anyone to access the data.
What Are the Risks of This Exposure?
Exposing 16 billion credentials has serious consequences for individuals and organisations.
Cybercriminals use these billions of username and password pairs to try logging into many sites automatically. Since many people reuse passwords, this leads to more account takeovers.
When attackers take over accounts, they can control social media, bank accounts, email, or company systems. This causes identity theft, financial loss, reputational damage, and leaks of sensitive information.
Detailed leaked data also helps criminals create convincing phishing scams. These targeted messages trick people into sharing more data or installing malware.
Leaked company credentials allow business email compromise. Attackers impersonate employees to steal money or confidential information.
Because this data is so big and organised, even low-skilled attackers can launch attacks. This leads to more cybercrime overall.
How Can You Protect Yourself?
For individuals:
- Change passwords immediately on important accounts like email, bank, social media, and cloud storage. Use strong, unique passwords with letters, numbers, and symbols.
- Enable multi-factor authentication wherever possible.
- Use a trusted password manager to create and store unique passwords.
- Be careful with unexpected emails, messages, or links.
- Keep your software and devices updated.
- Monitor your accounts regularly for suspicious activity.
- Use passkeys if available for stronger protection.
For organisations:
- Use tools to detect malware infections on devices.
- Require strong passwords and multi-factor authentication everywhere.
- Train employees regularly about phishing and security.
- Audit cloud storage settings to prevent accidental leaks.
- Monitor the dark web for leaked company credentials.
- Follow zero trust security by verifying every user and device.
The exposure of 16 billion login credentials is a clear warning that cyber threats are everywhere. Individuals and organisations must stay alert and take strong security steps. Cybersecurity is no longer optional. Protecting online identities and data is critical in today’s connected world.