One of the Largest Credential Dumps Ever Seen
A massive leak containing over 16 billion login records has been exposed, and the scope is staggering. According to an exclusive report from Cybernews, the breach includes credentials for major services like Facebook, Google, Telegram, GitHub, and even sensitive corporate and government websites. The source? A toxic mix of infostealer malware logs, credential-stuffing tools, and previously leaked datasets repackaged into a massive collection.
Cybernews researchers said:
They warned that the scale of access available to cybercriminals is unprecedented, opening the door to account takeovers, identity theft, and highly targeted phishing campaigns.
How Info-Stealers Pull Off Mass Data Theft
Info-stealer malware is one of the fastest-rising cyber threats today. Unlike traditional keyloggers, info-stealers silently scan infected devices for stored passwords, autofill data, cookies, and browser history. They send all of it directly to hackers, who then either sell or compile the data for malicious use.
The 30 datasets discovered by researchers ranged from tens of millions to over 3.5 billion records each, averaging 550 million credentials per dataset. The data was temporarily exposed online via unsecured cloud storage, where it was scraped and preserved before takedown.
The attackers remain unidentified, but the ramifications are global—this leak spans nearly every corner of the internet.
No Comments from Tech Giants
Meta (Facebook), Google, and GitHub have not issued any public responses. The silence from tech giants has only deepened concerns, as millions of users are likely unaware that their credentials could now be in circulation.
The breach is not isolated. In May, Coinbase revealed that a December cyberattack had compromised over 69,000 users, with hackers later demanding a $20 million Bitcoin ransom. Coinbase refused, launching a $20 million bounty instead.
Coinbase stated at the time:
Who’s Most at Risk from This Leak?
While high-profile platforms were affected, cybersecurity experts say small websites and everyday users are the most vulnerable. Many sites don’t automatically reset passwords when breaches are discovered, and people frequently reuse passwords or simple variants, making them prime targets.
That puts millions of users at immediate risk, especially those without multi-factor authentication (MFA) or basic cyber hygiene.
How to Stay Safe
Despite the scale of the breach, experts emphasize that tools like 2FA and passkeys can shield users from most attacks.
Two-factor authentication apps like Google Authenticator or Microsoft Authenticator require an extra verification step, such as an SMS code or facial ID, making stolen credentials far less effective.
Meanwhile, passkeys are gaining ground as the next generation of login protection. Unlike passwords, they generate cryptographic keys stored only on a user’s device, and they work exclusively with the site or app they were created for. These new tools are now being adopted by Google, Microsoft, and Apple, as the industry looks to finally phase out passwords altogether.
