More than 16 billion passwords leaked: Facebook, Google, Apple accounts are at risk of unauthorized access

Carelessly collecting and storing sensitive information can be just as dangerous as intentionally stealing it, warns a team of security researchers at Cybernews, after they discovered a series of massive leaked data sets containing billions of login credentials from a range of platforms, from social networks to VPN services to internal developer portals.

Closely monitoring web activity since early 2025, the team discovered 30 exposed datasets, each containing anywhere from a few tens of millions to over 3.5 billion records, with a total of over 16 billion exposed credentials, a number that is almost beyond imagination.

Notably, most of these datasets have never been reported before. The only exception is a “mysterious” trove of 184 million records that Wired reported on in May, and that only ranked 20th on Cybernews’ list of discoveries.

The situation reflects the alarming spread of malware that steals login credentials. “This is not just a leak, but a blueprint for mass exploitation,” experts warn.

The one silver lining is that most of this data only exists online for a very short time, long enough for researchers to discover it, but not before they can track down the person behind it. Many of the data sets have been leaked through open repositories, highlighting a serious flaw in current data management.

What do billions of leaked records contain?

According to the research team, much of the data in the leaked files is a complex mix of information stolen from malware, credential stuffing from multiple sources, and previously leaked data repackaged in a new format.

While it's impossible to determine the exact number of users affected since many records may be duplicates, the degree of overlap doesn't diminish the danger of this massive data dump.

It is worth noting that most of the records follow a consistent format: a web URL followed by a username and password, which is a common structure used by modern malware to systematically and easily exploitably collect login data.

With over 16 billion records, these datasets open the door to nearly every popular digital service today, from Google, Facebook, Apple, to GitHub, Telegram, and even government systems.

Researchers warn that this is fertile ground for cybercriminals to launch sophisticated phishing campaigns, ransomware attacks, account hijacking or infiltrating corporate systems via email.

In particular, the fact that the exposed data also included cookies, authentication tokens, and metadata makes the threat even more serious for organizations that have not implemented multi-factor authentication or do not regularly change their login credentials.

Which Data Set Exposed Billions of Login Credentials?

The leaked datasets the team discovered varied in size and origin. The smallest, named after a type of malware, contained more than 16 million records.

The largest, meanwhile, may involve a group of Portuguese-speaking users, amounting to more than 3.5 billion records. On average, each set contains around 550 million login credentials, enough to cause serious consequences if it fell into the wrong hands.

Some of the datasets were given vague names like “login” or “credentials,” making it impossible for researchers to determine exactly what they contained. Others, however, gave clear hints about their origin or purpose.

For example, there’s a 455 million record dataset with a name that suggests a connection to Russia, or another with over 60 million records related to Telegram. Some also point to cloud services, enterprise platforms, or files locked with malware.

What makes this data particularly dangerous, according to the researchers, is that it includes both old and new logs from credential-stealing software, often accompanied by cookies, authentication tokens, and metadata. This poses a serious threat to organizations that do not use multi-factor authentication or do not have a process for protecting login credentials.

What’s worrying is that it’s impossible to determine who’s collecting these data sets. Some may have been collected by security researchers, but most likely by cybercriminal groups, who favor large troves of data to scale attacks like identity theft, financial fraud, and account takeovers. Even a small success rate could lead to millions of potential victims.

In a world where users can’t be sure whether their data has been leaked, basic measures like using a password manager, setting strong passwords, and enabling two-factor authentication (2FA) are essential lines of defense. Regularly scanning your system for malware is also important to keep your personal data out of the wrong hands.

Are Facebook, Google, Apple leaking data?

In theory, there’s no evidence that Facebook, Google, or Apple have been directly breached. But with more than 16 billion logins exposed, or an average of two for every person on the planet, the risk is real.

The fact that the leaked data sets came from multiple sources, with an unknown level of overlap, led some media reports to rush to claim that accounts from tech giants had been compromised, which researchers say is inaccurate.

Bob Diachenko, a prominent security researcher and Cybernews contributor who first discovered the massive leak, clarified: “There is no direct indication that Facebook, Google, or Apple were breached.” However, he also warned that many of the login credentials found in the stolen data sets contained URLs pointing to the login pages of these platforms themselves.

In other words, even though the core systems of these companies have not been compromised, users can still have their information stolen through malware or phishing attacks, and that is a danger that cannot be taken lightly.

Leak of over 16 billion records signals turning point in cybercrime underworld

According to Aras Nazarovas, a researcher at Cybernews, the leak of more than 16 billion records this time is not simply a security incident but it reflects a clear change in the activities of cybercriminals.

Mr. Nazarovas recommends that users should change their passwords immediately, enable 2FA if not already enabled, monitor their accounts regularly, and contact support if anything unusual happens.

This incident is just one in a series of massive data breaches that have rocked the tech world. From the record-breaking 26 billion records leak in early 2024, to the RockYou2024 leak of nearly 10 billion passwords, and the recent national-scale data breach in China, the trend shows that data breaches are not only increasing in scale, but also changing in how they are organized and distributed. It is a clear warning that personal data security is no longer an option, but a requirement.