Historic 16 Billion Password Leak Exposed
Cybersecurity researchers have uncovered what experts are calling one of the largest data breaches in history, with 16 billion login credentials exposed across major technology platforms including Apple, Facebook and Google. The discovery was confirmed by researchers at Cybernews, who have been investigating the breach since the beginning of 2025.
The breach consists of 30 distinct datasets, each containing anywhere from tens of millions to over 3.5 billion records, according to the Cybernews report. Only one dataset in the breach, a 184 million-record batch covered by Wired, had been previously reported. The rest represent entirely new data exposures discovered throughout 2025.
The largest dataset, likely connected to Portuguese-speaking populations, contained over 3.5 billion records, while one with 455 million records appeared to originate from the Russian Federation. Another dataset, containing over 60 million records, was named after the messaging platform Telegram.
The information revealed that most of the data followed a clear structure: URL, followed by login details and a password. Most modern infostealers – malicious software stealing sensitive information – collect data in exactly this way. These programs silently infiltrate computers and systematically harvest login credentials, often without users realizing their systems have been compromised.
The datasets were reportedly stored in misconfigured cloud environments and unsecured Elasticsearch instances, exposing sensitive information in a uniform format. The stolen data is then collected into large datasets and sold in cybercrime underground markets.
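The URL, login, password record structure described above is what a defender has to parse when checking whether a recovered dataset contains their own organization's accounts. The following is an added example, not code from Cybernews or the original article; the ":" delimiter, the `triage` and `in_scope` names, and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: one record per line as "URL:login:password". The article gives
# only the field order; the ":" delimiter is assumed for this example.
RECORD = re.compile(
    r"^(?P<url>[a-z][a-z0-9+.-]*://[^\s:/]+(?::\d+)?(?:/[^\s:]*)?)"
    r":(?P<login>[^:\s]+):(?P<password>.+)$",
    re.IGNORECASE,
)

def in_scope(name, org_domains):
    """True if name equals, or is a subdomain of, one of the org's domains."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in org_domains)

def triage(lines, org_domains):
    """Return ({login: sorted hosts}, skipped_count) for in-scope records.

    Passwords are parsed only to find the field boundary and are never kept.
    """
    hits, skipped = {}, 0
    for line in lines:
        m = RECORD.match(line.strip())
        if not m:
            skipped += 1  # count malformed lines instead of guessing fields
            continue
        host = (urlsplit(m["url"]).hostname or "").lower()
        login = m["login"].lower()
        email_domain = login.rpartition("@")[2] if "@" in login else ""
        if in_scope(host, org_domains) or in_scope(email_domain, org_domains):
            hits.setdefault(login, set()).add(host)
    return {k: sorted(v) for k, v in hits.items()}, skipped

# Constructed sample records (not real data).
SAMPLE = [
    "https://sso.example.com:8443/login:alice@example.com:p:ss:word",
    "https://accounts.google.com/signin:alice@example.com:hunter2",
    "https://vpn.example.com:bob:Tr0ub4dor",
    "https://shop.example.net/cart:carol@mail.example.org:abc123",
    "https://notexample.com/:dave@notexample.com:qwerty",
    "garbled line without fields",
]

if __name__ == "__main__":
    found, skipped = triage(SAMPLE, {"example.com"})
    for login, hosts in found.items():
        print(login, "->", ", ".join(hosts))
    print("unparsed lines:", skipped)
```

The output is a list of accounts to reset and sessions to revoke, keyed by login, with the sites where each credential was captured; look-alike domains such as `notexample.com` are excluded by the dot-anchored suffix match.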
Services Affected
Information in the leaked datasets opens the door to pretty much any online service imaginable. The leaked data spans major platforms such as Apple, Google, Facebook, Instagram, GitHub, Telegram, Netflix, VPN services, and even government portals.
The breach is particularly concerning for cryptocurrency users, as security analysts expect a rise in targeted account takeover attempts using leaked credentials, particularly against custodial wallets or platforms tied to email access.
"This is not just a leak – it's a blueprint for mass exploitation. With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing," researchers said in the Cybernews report.
Security experts urge immediate action. "Choose strong and unique passwords, and implement multi-factor authentication wherever possible," said Javvad Malik from KnowBe4.
"The inclusion of both old and recent infostealer logs – often with tokens, cookies, and metadata – makes this data particularly dangerous for organizations lacking multi-factor authentication or credential hygiene practices," the Cybernews team said.
The breach has prompted immediate responses from technology leaders. Tether CEO Paolo Ardoino announced a new open-source password manager, PearPass, after the unprecedented breach. Ardoino wrote: "The cloud has failed us. Again. 16 billion passwords just leaked. It's time to ditch the cloud."
Timeline and Discovery
The breach was discovered through an ongoing investigation by Cybernews researchers that began in January 2025. The discovery dwarfs a previous May leak of 184 million credentials.
The datasets they found remained exposed only briefly: long enough for researchers to uncover them, but not long enough for widespread exploitation. However, because it is unclear who owns the exposed datasets, there is little users can do to protect themselves beyond implementing strong security practices.
According to the researchers, credential leaks at this scale are fuel for phishing campaigns, account takeovers, ransomware intrusions, and business email compromise (BEC) attacks.
The breach underscores the growing threat of infostealer malware and the critical importance of implementing robust cybersecurity practices at both individual and organizational levels. Most worryingly, researchers claim new massive datasets emerge every few weeks, signalling how prevalent infostealer malware truly is.
The original Cybernews investigation can be found at: https://cybernews.com/security/billions-credentials-exposed-infostealers...