16 Billion Passwords Leaked: What You Need to Know About this Mega Breach
- Jun 30

Cybersecurity researchers at Cybernews discovered an unprecedented compilation of over 16 billion login credentials from more than 30 separate data sets in mid‑June 2025. These credentials include usernames, passwords, URLs, session tokens, and cookies.
Important Clarification: This was not a single breach of Apple, Google, or Facebook. Rather, it was a massive aggregation of stolen data, some new, some recycled, collected via infostealer malware infecting individual devices and abandoned cloud databases.
What is an Infostealer?
Infostealer malware is a type of malicious software designed to secretly collect sensitive information from an infected device, such as login credentials, browser cookies, saved passwords, and session tokens. It often spreads through phishing emails, malicious downloads, or fake software updates. Once the malware is installed, it silently sends the stolen data back to cybercriminals, who use it for identity theft, account takeovers, or to compile massive datasets for resale on the dark web.
Affected Services & Platforms
Apple (Apple ID / iCloud)
Google (Gmail, Google accounts)
Facebook & Instagram
GitHub
Telegram
VPN services (various)
Developer platforms & government portals
Microsoft (Office, Outlook, etc.)
PayPal
Netflix
Discord
What's at Risk
Breaches such as this one are a problem for several reasons. The one I am most concerned about is credential stuffing. Hackers know that most people have better things to do than make up a hundred different passwords for their various accounts. As a result, most people reuse their passwords. So, if one of your passwords was exposed in this breach and it is reused on another site, such as your bank account, a criminal could use that exposed password to break into your bank account.
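The reuse risk described above can be measured on your own password list. This is an added example, not code from the original post: it groups a constructed sample vault export by password and reports which accounts must be changed when one site's credentials are exposed. The site names, the `VAULT` layout, and the function names are assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample export: (site, username, password). Not real data.
VAULT = [
    ("mail.example", "alex", "Summer2024!"),
    ("bank.example", "alex", "Summer2024!"),
    ("video.example", "alex", "Summer2024!"),
    ("code.example", "alex-dev", "x9#Lq0vT!plm2"),
    ("chat.example", "alex", "x9#Lq0vT!plm2"),
    ("shop.example", "alex", "7rW$uniq-Zk41"),
]


def _group_by_password(vault):
    """Map a password fingerprint to the set of sites using that password.

    The SHA-256 value only groups identical passwords in memory so that
    plaintext never appears in a report; it is not a storage format.
    """
    groups = defaultdict(set)
    for site, _user, password in vault:
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        groups[digest].add(site)
    return groups


def reuse_clusters(vault):
    """Return lists of sites that share one password, largest cluster first."""
    clusters = [sorted(s) for s in _group_by_password(vault).values() if len(s) > 1]
    return sorted(clusters, key=lambda c: (-len(c), c))


def accounts_to_rotate(vault, exposed_sites):
    """Return every site whose password matches one used on an exposed site."""
    exposed = set(exposed_sites)
    rotate = set()
    for sites in _group_by_password(vault).values():
        if sites & exposed:  # one exposed login puts the whole cluster at risk
            rotate |= sites
    return sorted(rotate)


if __name__ == "__main__":
    for cluster in reuse_clusters(VAULT):
        print("shared password:", ", ".join(cluster))
    print("change after video.example exposure:",
          ", ".join(accounts_to_rotate(VAULT, {"video.example"})))
```

In the sample data, an exposed streaming login forces a password change on the mail and bank accounts as well, while the account with a unique password affects only itself.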
What You Should Do
Change passwords across the exposed accounts.
Use a password manager to generate strong and unique credentials per site. DO NOT REUSE YOUR PASSWORDS!!!
Enable 2‑factor authentication (2FA) on every platform that will allow it. Using an authenticator app is better than using an SMS text message.
Monitor for suspicious activity and consider dark web monitoring services.
Check “Have I Been Pwned” or similar tools to see if your email appears in the leak.
Stay informed about threats such as this one by subscribing to our YouTube Channel.


