A staggering 16 billion usernames and passwords have been exposed in what experts are calling the largest-ever database of stolen credentials. The trove of compromised data includes login details from major platforms such as Apple, Google, Facebook, Telegram, GitHub and even government services, raising alarms over the global state of digital security.
Cybersecurity researchers say the breach stems from a collection of 30 massive datasets, each holding tens of millions to over 3.5 billion records. The information, mostly acquired through infostealing malware, appears to be freshly leaked, with nearly all of the datasets previously unreported except for one earlier disclosure of 184 million passwords by researcher Jeremiah Fowler, according to a new investigation by Cybernews.
“Most of these credentials are structured as URLs followed by usernames and passwords, and they cover virtually every type of online service imaginable,” said Vilius Petkauskas, a Cybernews analyst who has been investigating the leak since the beginning of the year. The scale of this breach surpasses previous incidents, including last year’s so-called “Mother of All Breaches,” which exposed 26 billion records.
While it’s unclear whether some of the leaked data might have been repackaged from earlier incidents, researchers insist that this leak is largely new. Lawrence Pingree, vice president at cybersecurity firm Dispersive, explained that such datasets are often circulated and resold on the dark web—sometimes bundled with other leaks, sometimes offered piecemeal. “Whether it’s a repackaged leak or not, 16 billion records is a huge number,” Pingree said. “This kind of data is valuable precisely because it is so often misused.”
The breach underscores how widespread the threat of credential theft has become, with attackers targeting social media platforms, corporate portals, developer tools, and VPN services alike. In response, experts urge users to adopt better security hygiene.
Basic protections include running antivirus scans to detect infostealers, checking dark web exposure via tools like Google One’s “Dark Web Report,” and crucially, using strong and unique passwords for every service.