Security researchers have uncovered one of the largest data breaches in history, involving 16 billion login credentials across 30 distinct datasets.
This leak—primarily sourced from infostealer malware—exposes credentials for major platforms including Apple, Facebook, Google, GitHub, Telegram, and government services.
The data is fresh and highly structured, differing from recycled breaches, and creates a “blueprint for mass exploitation,” enabling phishing, identity theft, and account takeovers.
Technical Breakdown of the Breach
Researchers at Cybernews identified 30 datasets exposed via unsecured Elasticsearch instances and cloud storage since January 2025.
Key characteristics include:
| Dataset Feature | Details |
|---|---|
| Total Records | 16 billion |
| Dataset Size Range | Tens of millions to 3.5 billion records per dataset |
| Data Freshness | Newly harvested (not recycled from past breaches) |
| Primary Source | Infostealer malware (e.g., AgentTesla, Lumma, Vidar) |
| Structure | URL + username/email + password format |
| Notable Datasets | 3.5B records (Portuguese-speaking), 455M (Russian-linked), 60M (Telegram) |
Only one dataset (184 million records) had been previously reported; the remaining 29 were newly discovered.
The data’s recency and organization make it “weaponizable intelligence at scale,” with tokens and metadata amplifying risks for organizations lacking multi-factor authentication.
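The table above describes the records as URL + username/email + password lines. The following added example (not code from the original article or from the researchers it cites) shows how a defender would parse that layout and triage it from the organization’s side: which of its own hosts appear, which accounts need a forced reset, which corporate identities show up on third-party sites, and which username/password pairs are reused across services (the credential-stuffing risk the article describes). The sample lines, domains and passwords are constructed; the function names and the `owned_domains` parameter are this example’s own.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample in the "URL:username:password" layout that infostealer logs
# commonly use. Every host, account and password here is invented for the example.
SAMPLE_LINES = """\
https://accounts.example-corp.com/login:alice@example-corp.com:Winter2024!
https://mail.example-corp.com:bob@example-corp.com:hunter2
https://social.example.net/signin:alice@example-corp.com:Winter2024!
android://com.example.bank/:carol:p@ss:word
https://github.example.org:dave@example-corp.com:correct horse
not a credential line at all
"""


def parse_record(line):
    """Parse one URL:user:password line into a dict, or return None if malformed.

    The URL itself contains a colon after the scheme, so a naive split(":") fails.
    We locate "://", then split the remainder on at most two colons so that a
    password containing colons survives intact. Known limitation: a URL with an
    explicit port (host:8443) is ambiguous in this layout and parses incorrectly.
    """
    line = line.rstrip("\r\n")
    idx = line.find("://")
    if idx == -1:
        return None
    prefix, rest = line[: idx + 3], line[idx + 3 :]
    parts = rest.split(":", 2)
    if len(parts) != 3 or not parts[1].strip():
        return None
    url = prefix + parts[0]
    host = urlsplit(url).hostname
    if not host:
        return None
    return {
        "url": url,
        "host": host.lower(),
        "user": parts[1].strip(),
        "password": parts[2],
    }


def parse_lines(text):
    """Parse a block of log text, silently skipping lines that are not records."""
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def _email_domain(user):
    return user.rsplit("@", 1)[1].lower() if "@" in user else None


def triage(records, owned_domains):
    """Summarise parsed records from the viewpoint of an organisation that owns
    the given domains. Returns a dict with:
      owned_hosts          - Counter of records whose URL host is under an owned domain
      reset_accounts       - usernames seen against owned hosts (force a reset)
      corporate_identities - usernames whose e-mail domain is owned, on any host
      reused               - (user, password) pairs seen on more than one host
    """
    owned = {d.lower().lstrip(".") for d in owned_domains}

    def under_owned(name):
        return name is not None and any(
            name == d or name.endswith("." + d) for d in owned
        )

    owned_hosts = Counter()
    reset_accounts = set()
    corporate_identities = set()
    pair_hosts = defaultdict(set)

    for r in records:
        if under_owned(r["host"]):
            owned_hosts[r["host"]] += 1
            reset_accounts.add(r["user"])
        if under_owned(_email_domain(r["user"])):
            corporate_identities.add(r["user"])
        pair_hosts[(r["user"], r["password"])].add(r["host"])

    reused = {k: sorted(v) for k, v in pair_hosts.items() if len(v) > 1}
    return {
        "owned_hosts": owned_hosts,
        "reset_accounts": reset_accounts,
        "corporate_identities": corporate_identities,
        "reused": reused,
    }


if __name__ == "__main__":
    report = triage(parse_lines(SAMPLE_LINES), ["example-corp.com"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

In practice the input would be the exported dataset rather than an inline string, and the `reset_accounts` and `reused` sets would feed a forced-reset workflow and a check that MFA is enforced on the affected hosts; the parser deliberately drops lines it cannot parse rather than guessing, since fabricated or truncated entries are exactly what the article warns such dumps contain.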
Leaked from 320 million computers? Not a new breach
Commenting on the report, Alon Gal, CTO at Hudson Rock, told Cyber Press that an average infected computer holds around 50 sets of credentials.
Given that there are 16 billion credentials, this would suggest that 320 million computers have been infected by infostealers. However, this claim is simply not true, regardless of how one might interpret the numbers.
“The leak is likely the result of a combination of legacy Infostealer credentials, data from older database leaks, and fabricated entries, similar to the ALIEN TXTBASE leak. For instance, the leaked information could include actual lines with slight variations in passwords or logins that can be used for brute-force attacks,” he added.
Some datasets were named generically as “logins” or “credentials,” while others bore specific geographical or service-related identifiers, including one with over 455 million records linked to Russian Federation origins and another containing 60 million Telegram-related credentials.
Global Implications and Mitigation
This breach fuels unprecedented cyber risks:
- Credential stuffing: Attackers use leaked credentials to hijack accounts across services.
- Phishing escalation: AI tools (e.g., deepfakes) leverage stolen data for targeted scams.
- Ransomware pathways: 54% of ransomware victims had credentials in infostealer logs.
Critical steps for protection:
- Immediate password reset for high-value accounts (email, banking, social media).
- Adopt passkeys or password managers to generate unique credentials.
- Enable multi-factor authentication universally to block unauthorized access.
The scale of this breach—equivalent to two credentials per person alive—underscores the critical need for enhanced credential hygiene and corporate security overhauls.
As infostealer malware surges (tripling in 2023–2024), proactive defense is non-negotiable.