Cybersecurity researchers have discovered what appears to be one of history’s largest credential exposures, with 16 billion login records from major platforms including Apple, Google, Facebook, Instagram, Gmail, Telegram, and GitHub now circulating online. However, experts are urging caution about calling this a “new breach,” as evidence suggests these credentials were likely compiled from previous incidents rather than fresh cyber attacks.The massive dataset was initially reported by CyberNews researchers who discovered 30 databases containing credentials spanning from tens of millions to over 3.5 billion records each. The data most likely originates from various infostealers, with researchers claiming that most of the information followed a clear structure: URL, followed by login details and a password.
Not a new breach, but still dangerous for users
Despite alarming headlines suggesting a new mega-breach, cybersecurity publication BleepingComputer has clarified that the credentials contained in these databases “were likely circulating for some time, if not for years,” and that there is no evidence to suggest that any of it is new. The data appears to be a compilation of previously stolen credentials from infostealer malware, past data breaches, and credential stuffing attacks.Info stealers are a malware type that collect credentials, crypto and other data after infecting a device, collecting and exfiltrating it for the threat actor. These types of credential collections, known as “combolists,” are frequently assembled by cybercriminals, security firms, or researchers and often contain data dating back years.
Your Facebook, Instagram, and Gmail accounts may be at risk
The leaked databases contain login information for virtually every major online service users rely on daily. Information in the leaked datasets opens the doors to pretty much any online service imaginable, from Apple, Facebook, and Google, to GitHub, Telegram, and various government services. Instagram, Gmail, and other Meta and Google properties are heavily represented in the compilation, affecting potentially millions of users across these platforms.Social media accounts, corporate platforms, VPN services, and developer portals were all included in the massive collection. The sheer scope means that most internet users likely have at least one compromised account represented in these databases, though significant overlap between datasets makes it impossible to determine exact victim counts.
What users should do now
Security experts emphasize that regardless of whether the data is new or recycled, the exposure presents real risks. Combolists like these present a very real risk. They are used for credential stuffing attacks in which threat actors automatically brute force credentials into login pages to try and access accounts.Users should immediately enable multi-factor authentication on all accounts, use unique passwords managed through password managers, and avoid SMS-based two-factor authentication due to SIM-swapping risks. Services like Have I Been Pwned can help users check if their credentials appear in known breaches.While the 16 billion figure is staggering, this incident serves as a reminder of the ongoing threat posed by credential theft rather than evidence of a single catastrophic new breach.
