In what is being called the largest data breach in history, over 16 billion login credentials major online platforms were leaked online. It includes login credentials of social media, VPNs, developer portals and user accounts for all the major vendors.
The leaked data includes login information for a wide range of services, from email and social media platforms like Google, Facebook, and Telegram to developer accounts on GitHub and even some Government portals. Most of the information is organised in a format that shows the website link, followed by the username and password, making it easier for attackers to use.
According to a report published in Forbes, a team of cyber security researchers at Cyber news, led by Vilius Petkauskas, has been investigating this leak since early 2025 and found a huge set of stolen data-potentially affecting just about every major online service. The investigation team found 30 separate data dumps, each containing anywhere from tens of millions to over 3.5 billion records. In total, Petkauskas has confirmed, the number of compromised records has now hit 16 billion.
The leaked data appears to be the result of various infostealer malware attacks - malicious software designed to quietly collect usernames, passwords, and other sensitive data from infected devices.
Password compromise is no joke; it leads to account compromise and that leads to, well, the compromise of most everything you hold dear in this technological-centric world we live in. It’s why Google is telling billions of users to replace their passwords with much more secure passkeys. It’s why the FBI is warning people not to click on links in SMS messages. It’s why stolen passwords are up for sale, in their millions, on the dark web to anyone with the very little amount of cash required to purchase them. And it’s why this latest revelation is, frankly, so darn concerning for everyone.
Security experts are raising alarms about the potential impact. The leaked data can be used for phishing attacks, ransomware infiltration, business email compromise, and large-scale account takeovers. In particular, systems lacking multi-factor authentication (MFA) are at heightened risk, as even basic credentials can grant unauthorised access.
Cybersecurity experts suggest that people act immediately. This includes changing passwords across all major accounts, using strong and unique passwords and turning on two-factor authentication (2FA).
