Security experts have noted that the data set is not simply a rehash of old leaks
A colossal data breach has exposed more than 16 billion passwords online, in what is being described as one of the most extensive security leaks in internet history. According to reports by Cybernews and Forbes, the breach poses a severe threat to millions of users globally, heightening the risk of phishing attacks, identity theft, and account takeovers.
Security experts have noted that the data set is not simply a rehash of old leaks. Instead, it comprises largely new and systematically organised credentials, many of which were gathered using infostealer malware — malicious software designed to silently extract usernames and passwords from infected devices. The stolen information spans a wide range of platforms, including email providers, social media networks such as Google, Facebook, and Telegram, as well as developer services like GitHub and even government portals.
The format of the leaked credentials, which often includes the website URL followed by username and password, makes it remarkably easy for cybercriminals to exploit. Experts have labelled the breach a “blueprint for global cybercrime”, pointing to the ease with which the data can be weaponised. Approximately 30 massive data sets have been compiled, collectively accounting for over 16 billion unique login credentials.
What amplifies the concern is how accessible the stolen data has become. Researchers warn that individuals with minimal technical expertise and limited financial resources can now purchase these credentials on dark web forums, placing both ordinary users and high-profile institutions at risk.
In response, Google has reiterated its recommendation to move away from traditional passwords in favour of more secure alternatives such as passkeys. The FBI has also issued guidance urging the public to avoid clicking on suspicious links received via email or SMS, particularly those requesting login credentials.
Cybersecurity professionals are advising immediate action: users should update passwords across major accounts, employ strong and unique combinations, activate two-factor authentication, and consider using password manager apps. Additionally, dark web monitoring tools can help individuals determine whether their credentials have been compromised in known breaches.
