The largest password leak in history: over 16 billion accounts exposed

Cybernews researchers have reported the most extensive data leak ever recorded — more than 16 billion lines containing logins, passwords, tokens, cookies, and other sensitive information have been found publicly accessible.

The primary source of the breach is malware known as stealers, which extract data from infected user devices. Since early 2025, experts have identified over 30 separate data dumps, each ranging from tens of millions to more than 3.5 billion records. New databases continue to emerge with alarming frequency — sometimes every few weeks — highlighting an intense level of cybercriminal activity.

The datasets follow a similar structure: URL, login, and password, often accompanied by session tokens and cookies. This makes them particularly dangerous for companies that lack multi-factor authentication or internal monitoring systems.

Some datasets are labeled in ways that suggest links to specific regions or services — from Telegram and GitHub to government platforms and tech giants like Apple, Google, and Facebook. One of the largest dumps, tied to the Portuguese-speaking web, includes over 3.5 billion records.

The data was discovered on unsecured Elasticsearch servers and cloud storage buckets, giving researchers temporary access — but not enough to determine whether the leaks were caused by threat actors, researchers, or data aggregators.

Even if just 1% of these credentials are successfully exploited, the consequences could affect millions of users. The risks for businesses and public institutions are also severe — from unauthorized access to internal systems, to phishing, and impersonation of real individuals and organizations.