16 billion passwords from Apple, Facebook, and Google leaked online: what users should do
20 June 2025 08:06
Cybersecurity researchers have discovered one of the largest data breaches in history – more than 16 billion records with logins and passwords. This data is likely to have been collected with the help of infostealers, malware that steals user credentials. "Komersant Ukrainian" reports this, citing the Cybernews project research team.
During 2025, the Cybernews team found at least 30 datasets, each containing from tens of millions to more than 3.5 billion records. The total amount of stolen data exceeded 16 billion.
None of these leaks have been publicly reported before, except for one mentioned by Wired magazine in May, which involved a database of 184 million records and does not even rank in the top 20 of the datasets found.
“This is not just a leak – it’s a manual for mass attacks”
Researchers note that the leak is not accidental – it is a real tool for cybercriminals. With access to usernames, passwords, tokens, cookies, and other meta-information, attackers can:
- take over accounts (account takeover);
- steal identities (identity theft);
- conduct phishing campaigns;
- carry out BEC attacks (Business Email Compromise);
- launch ransomware.
Of particular concern is that most of the sets contain fresh data, not just compilations of old leaks.
What these 16 billion records contain
According to the researchers, the datasets are dominated by:
- leaks from infostealers (malware);
- the results of credential stuffing attacks (automated trying of login/password pairs);
- reformatted old leaks.
In most cases, the structure of the records is the same: URL → login → password. This is exactly how modern infostealers work.
Among the services mentioned in the databases:
- Apple
- GitHub
- Telegram
- Government services.
Some of the datasets even had names like “logins” or “credentials” or indicated their origin, such as “Telegram”, “Russian Federation”, and “CloudData”.
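The URL → login → password layout described above, as an added example that is not from Cybernews or the original article: a defender's triage script that reads such records and reports which accounts on your own domains appear in them, discarding the password. The ":" separator, the sample lines, and the names `parse_record` and `exposure_report` are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines (not real leaked data). Assumed layout: URL, login
# and password joined by ":"; the article only says "URL -> login -> password".
SAMPLE = """\
https://accounts.example.com/login:alice@corp.example:Summer2025!
https://git.example.org:8443/session:bob@corp.example:p:ss:word
android://com.example.app/:carol@other.example:hunter2
not a record
https://accounts.example.com/login:alice@corp.example:Summer2025!
"""

# The URL itself contains ":" (scheme, port) and so may the password, so the
# e-mail-shaped login is used as the anchor between the two.
RECORD = re.compile(
    r"^(?P<url>[a-z][a-z0-9+.-]*://\S*?)"
    r":(?P<login>[^:\s/@]+@[^:\s/@]+)"
    r":(?P<password>.*)$",
    re.IGNORECASE,
)

def parse_record(line):
    """Return (host, login) or None. The password is deliberately dropped."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    host = urlsplit(m["url"]).hostname or ""
    return host.lower(), m["login"].lower()

def exposure_report(lines, watched_domains):
    """Map each login on a watched domain to the hosts it was captured for."""
    watched = {d.lower() for d in watched_domains}
    exposed, skipped = {}, 0
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            skipped += 1          # malformed or non-e-mail login
            continue
        host, login = rec
        if login.rsplit("@", 1)[1] in watched:
            exposed.setdefault(login, set()).add(host)
    return {k: sorted(v) for k, v in exposed.items()}, skipped

if __name__ == "__main__":
    report, skipped = exposure_report(SAMPLE.splitlines(), ["corp.example"])
    for login, hosts in report.items():
        print(f"{login}: reset password and sessions for {', '.join(hosts)}")
    print(f"{skipped} line(s) skipped")
```

Each reported account needs a password reset and session revocation on the listed hosts, because the page notes that such records can also carry tokens and cookies.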
It’s not the first time major leaks have happened
This is not an isolated leak:
- In 2024, the “Mother of All Breaches (MOAB)” was discovered – 26 billion records.
- In 2023, RockYou2024 was leaked, a database with almost 10 billion unique passwords.
- In 2021, more than 8 billion accounts from various services were leaked online.
Who is behind the leak
Unfortunately, the owners of the leaked databases could not be identified. Some of the datasets could have been created by cybercriminals, others by researchers.
However, the datasets were temporarily accessible through unprotected Elasticsearch servers, which allowed the researchers to detect the leaks.
What users can do
Since it’s currently impossible to determine whether your data is among the 16 billion records, basic cyber hygiene is the best defense:
- use strong, unique passwords for each service;
- set up two-factor authentication (2FA);
- regularly check whether your account has been hacked;
- scan your computer for malware (especially infostealers).