A staggering 16 billion login credentials have been leaked in what researchers are calling one of the largest and most dangerous data breaches in internet history. The breach, uncovered by cybersecurity researchers at Cybernews, involves over 30 separate datasets containing login information for platforms including Apple, Google, Facebook, GitHub, and various government services across more than two dozen countries.
"This is not just a leak-it's a blueprint for mass exploitation," Vilius Petkauskas, a Cybernews researcher, told Forbes. "These aren't just old breaches being recycled. This is fresh, weaponizable intelligence at scale."
The exposed datasets-each containing tens of millions to over 3.5 billion records-are believed to have been compiled through infostealer malware. This type of malicious software infiltrates user devices and silently collects passwords, cookies, session tokens, and other sensitive credentials. Researchers warn that some datasets include email addresses with .gov domains from countries such as the United States, United Kingdom, Canada, Australia, and India.
"This is fresh, weaponisable intelligence at scale," Cybernews wrote in its June 19 report. "With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing."
Cybernews confirmed that one of the largest datasets appears to consist mostly of Portuguese-language records, but the breach is global in scope. Many users remain unaware that their credentials have been compromised. In a sample of 10,000 records, 220 emails were tied to government accounts, further raising concern about the leak's potential national security implications.
The exposed records affect a wide range of services, including Microsoft, Netflix, Telegram, Discord, PayPal, and Roblox. While there's no evidence that the companies themselves were breached, the stolen credentials may allow unauthorized access if reused by users across platforms.
"These cookies can often be used to bypass 2FA methods," said Aras Nazarovas, a researcher at Cybernews. "Best bet in this case is to change your passwords, enable 2FA if it is not yet enabled, closely monitor your accounts, and contact customer support if suspicious activity is detected."
Cybersecurity expert Steve Weisman added: "The best way to protect yourself is to follow my rule, 'trust me, you can't trust anyone.' Whenever you receive a phone call, text message or email requesting personal information, you can never be sure who is actually contacting you."
Google urged users to upgrade their account security beyond passwords, advising the use of passkeys-biometric-based login credentials stored on trusted devices. "It's important to use tools that automatically secure your account and protect you from scams," the company said.
Facebook and Apple, which have adopted or are expanding support for passkeys, are also encouraging users to shift toward passwordless logins. Niall McConachie, UK director at Yubico, said the breach illustrates why "passwords are just not good enough" anymore. "Device-bound passkey options... offer the highest level of security. They are resistant to phishing attempts and can't be intercepted or stolen by remote attackers."
