The Largest Credential Leak in History: 16 Billion Passwords Exposed


Cybernews has reported one of the largest credential breaches in digital history, revealing over 16 billion login credentials leaked online. These records were discovered across 30 datasets, many originating from infostealer malware. The breach includes usernames, passwords, tokens, cookies, and potentially session data, impacting access to a wide array of services including Facebook, Google, Apple, GitHub, Telegram, and government portals.

Severity Level: High

Incident Details

The exposed datasets appear to have been harvested through infostealer malware, a type of malicious software designed to exfiltrate login credentials, cookies, and session tokens from infected systems. These logs are later aggregated and stored in various locations, including:

  • Open Elasticsearch instances
  • Unsecured cloud object storage (e.g., AWS S3, GCP Buckets)
  • Hacker-controlled or abandoned data-sharing services

Cybernews did not find evidence of targeted breaches on Apple, Google, or Facebook, but credentials associated with login URLs to these services were found in the infostealer logs.

Data Exposed

The breach involved a mix of new and previously unreported data, including:

  • URLs + usernames + passwords (in a structured format)
  • Cookies and session tokens (used to bypass MFA)
  • Account details for nearly every major service
  • Possible metadata and device fingerprints

Researchers reported:

  • Smallest dataset: ~16 million records
  • Largest dataset: >3.5 billion records
  • Average dataset size: ~550 million credentials

These records give an attacker what is needed for account takeover, phishing campaigns, Business Email Compromise (BEC), and ransomware attacks.

Root Cause

The root cause of this mass exposure stems from a combination of:

  • Widespread infostealer infections on poorly protected systems
  • Lack of credential hygiene, including reusing passwords across platforms
  • Absence of MFA in critical systems, making login data easily exploitable
  • Inadequate monitoring and control over cloud storage, leaving databases exposed
  • Criminal actors aggregating stolen data into central repositories for sale, sharing, or reuse

Lessons Learned

  • The breach highlights that infostealers are now a dominant source of credential exposure, often operating silently on endpoints. Traditional antivirus is insufficient; organizations must deploy behavioral monitoring and endpoint detection that can detect stealthy data exfiltration.
  • Even small leaks, when aggregated, can become a mass exploitation platform. This incident proves that fragmented exposures across many infections can compound into global-scale compromise if not proactively monitored.
  • The incident also highlights a shift in underground data sharing from Telegram-based distribution to traditional open web databases, indicating a more scalable and industrialized approach by attackers.

Recommendations

  1. Cybercriminals benefit from scale over precision: even a 1% success rate with 16B credentials enables millions of compromises. This makes MFA enforcement and credential rotation policies non-negotiable for all enterprise and cloud accounts.
  2. Many logs included cookies and session tokens, which can bypass authentication even after password resets. Organizations must ensure session invalidation policies are enforced and not just rely on password changes after compromise.
  3. Search for signs of popular infostealers (e.g., RedLine, Raccoon, Vidar) using logs, YARA rules, and IOC feeds across all user workstations.
  4. Train staff to recognize spear-phishing attempts that may use breached credentials or metadata to appear legitimate.
  5. Conduct awareness programs explaining how seemingly safe software (e.g., fake installers, cracked software) may harbour infostealers.
  6. Use credential monitoring services to detect if organizational accounts appear in breach corpuses.
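Recommendation 2 above is easy to get wrong: a password reset changes the stored hash but leaves every cookie an infostealer already copied fully valid. The following is an added example (not code from the advisory or from Cybernews) of one way to bind sessions to a per-user "session epoch" so that a reset can revoke them; the in-memory `AuthService`, the user `alice`, and the passphrases are constructed for the demonstration.

```python
import hashlib
import secrets
from dataclasses import dataclass

@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    session_epoch: int = 0  # constructed example: each cookie records the epoch it was issued under

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthService:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.sessions: dict[str, tuple[str, int]] = {}  # cookie -> (user, epoch)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(salt, hash_password(password, salt))

    def login(self, username: str, password: str):
        user = self.users.get(username)
        if user is None or not secrets.compare_digest(user.pw_hash, hash_password(password, user.salt)):
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = (username, user.session_epoch)
        return cookie

    def whoami(self, cookie: str):
        # A cookie issued under an older epoch is rejected even though it is otherwise intact.
        username, epoch = self.sessions.get(cookie, (None, -1))
        user = self.users.get(username)
        return username if user and epoch == user.session_epoch else None

    def reset_password(self, username: str, new_password: str, revoke_sessions: bool) -> None:
        user = self.users[username]
        user.pw_hash = hash_password(new_password, user.salt)
        if revoke_sessions:
            user.session_epoch += 1  # every previously issued cookie is now dead

def demo():
    svc = AuthService()
    svc.register("alice", "hunter2-original")
    stolen = svc.login("alice", "hunter2-original")  # copied off the endpoint by an infostealer
    svc.reset_password("alice", "new-passphrase-1", revoke_sessions=False)
    after_weak_reset = svc.whoami(stolen) == "alice"  # True: the stolen cookie still works
    svc.reset_password("alice", "new-passphrase-2", revoke_sessions=True)
    return after_weak_reset, svc.whoami(stolen) == "alice"  # (True, False)
```

In a real deployment the epoch lives in the user record and the session store is server-side; a stateless cookie or JWT needs the same epoch embedded and checked on every request, or the reset cannot revoke it.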

Source:

  • https://cybernews.com/security/billions-credentials-exposed-infostealers-data-leak/


Ampcus Cyber