
Security researchers have uncovered an enormous credential cache of 16 billion unique login credentials spanning major platforms such as Apple, Facebook, Google, Telegram, GitHub, VPN services and even government portals, making it the largest credential leak known to date. The credentials were spread across at least 30 substantial datasets, some containing up to 3.5 billion records, which points to multiple infostealer malware operations running at large scale during 2025.
Researchers found that the leaked datasets were transiently exposed in unsecured Elasticsearch and object‑storage instances, allowing brief public access before they were taken down. Records in the datasets typically consisted of a URL, a username and a password, often accompanied by metadata such as session tokens or cookies, making them directly usable for phishing, credential stuffing and account hijacking.
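The record shape described above (URL, username, password, optional session metadata) is what a security team has to work through when a dump like this surfaces. The following is an added example, not code from the article or from the researchers it cites: it triages a constructed JSON Lines dump against the domains a team owns, keeps only a truncated hash of each password so no plaintext is retained, and flags accounts whose records carried cookies or tokens so their sessions can be revoked as well as their passwords reset. The domain list, the field names and the sample records are all assumptions made for the example.

```python
import hashlib
import json
from urllib.parse import urlsplit

# Constructed sample in the shape the article describes: one JSON document per
# record with url / username / password and optional session material.
# Entirely made up for this example; not real leaked data.
SAMPLE_DUMP = """\
{"url": "https://mail.example.com/login", "username": "alice@example.com", "password": "hunter2", "cookies": "SID=abc123"}
{"url": "https://sso.example.com:8443/auth", "username": "bob", "password": "p@ss:word"}
{"url": "https://www.othersite.test/signin", "username": "carol", "password": "x"}
{"url": "https://mail.example.com/login", "username": "alice@example.com", "password": "hunter2", "token": "eyJ.."}
{"url": "notaurl", "username": "dave", "password": "y"}
this line is not json
{"url": "https://notexample.com/", "username": "eve", "password": "z"}
"""

# Assumption: the domains this team is responsible for.
OWNED_DOMAINS = {"example.com"}


def host_owned(host, owned):
    """True if host equals an owned domain or is a subdomain of one.

    'notexample.com' must not match 'example.com', so we compare on label
    boundaries rather than with a bare endswith().
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in owned)


def password_fingerprint(password):
    """Truncated SHA-256 so repeated passwords can be counted without keeping plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def triage(dump_text, owned):
    """Return (stats, actions): counts for the run and one action record per affected account."""
    stats = {"records": 0, "malformed": 0, "matched": 0}
    actions = {}  # (host, username) -> action record
    for raw in dump_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        stats["records"] += 1
        try:
            rec = json.loads(raw)
            url, user, pw = rec["url"], rec["username"], rec["password"]
        except (ValueError, KeyError, TypeError):
            stats["malformed"] += 1
            continue
        # urlsplit().hostname strips scheme, port and path; it is None for "notaurl".
        host = urlsplit(url).hostname
        if not host:
            stats["malformed"] += 1
            continue
        if not host_owned(host, owned):
            continue
        stats["matched"] += 1
        key = (host, user.lower())
        entry = actions.setdefault(key, {
            "host": host,
            "username": user,
            "occurrences": 0,
            "password_fingerprints": set(),
            "revoke_sessions": False,
        })
        entry["occurrences"] += 1
        entry["password_fingerprints"].add(password_fingerprint(pw))
        # Cookies or tokens mean a password reset alone is not enough.
        if any(k in rec for k in ("cookies", "token")):
            entry["revoke_sessions"] = True
    return stats, actions


if __name__ == "__main__":
    stats, actions = triage(SAMPLE_DUMP, OWNED_DOMAINS)
    print(stats)
    for (host, _), entry in sorted(actions.items()):
        print(f"{entry['username']}@{host}: reset password; "
              f"revoke sessions={entry['revoke_sessions']}; "
              f"seen {entry['occurrences']}x, "
              f"{len(entry['password_fingerprints'])} distinct password(s)")
```

Two details matter in practice: the owned-domain check works on label boundaries so look-alike domains are not swept in, and the password never leaves the function except as a short fingerprint, which is enough to tell whether two records for the same account carry the same or different secrets.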
Analysts emphasise that the data is not a collection of old, recycled breaches: most records appear freshly harvested, enabling cybercriminals to exploit current and valid credentials in automated attacks. As one expert warned: “This is not just a leak – it’s a blueprint for mass exploitation… fresh, weaponizable intelligence at scale”.
Infostealer malware—distributed through phishing links, fake software and compromised websites—has evolved into a pervasive threat under the malware‑as‑a‑service model. Such malware silently extracts browser‑stored credentials, cookies and session tokens before packaging and selling dumps on underground markets.
The consequences are widespread. Cybercriminals can initiate credential stuffing across hundreds of services; craft highly convincing phishing emails; and mount identity theft, ransomware and business‑email‑compromise attacks. Records tied to Apple, Google and Facebook enhance the ease and effectiveness of targeted campaigns.
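Credential stuffing leaves a recognisable trace on the receiving side: one source trying many different usernames in a short window, nearly all of them failing. The example below is added here and is not from the article; it runs a simple sliding-window detector over constructed authentication log lines. The log format, the source addresses and the thresholds (five distinct users and an 80% failure rate within 60 seconds) are assumptions chosen for the example and would be tuned to a real environment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed log lines (not real data). Three sources: a stuffing attempt
# cycling through many usernames, one user repeatedly mistyping a password,
# and a shared NAT address with several distinct users mostly logging in fine.
LOG_LINES = """\
2025-06-20T10:00:00Z src=203.0.113.5 user=alice result=FAIL
2025-06-20T10:00:03Z src=203.0.113.5 user=bob result=FAIL
2025-06-20T10:00:06Z src=203.0.113.5 user=carol result=FAIL
2025-06-20T10:00:09Z src=203.0.113.5 user=dave result=OK
2025-06-20T10:00:12Z src=203.0.113.5 user=erin result=FAIL
2025-06-20T10:00:15Z src=203.0.113.5 user=frank result=FAIL
2025-06-20T10:00:18Z src=203.0.113.5 user=grace result=FAIL
2025-06-20T10:00:21Z src=203.0.113.5 user=heidi result=FAIL
2025-06-20T10:01:00Z src=198.51.100.7 user=bob result=FAIL
2025-06-20T10:01:05Z src=198.51.100.7 user=bob result=FAIL
2025-06-20T10:01:10Z src=198.51.100.7 user=bob result=FAIL
2025-06-20T10:01:15Z src=198.51.100.7 user=bob result=FAIL
2025-06-20T10:01:20Z src=198.51.100.7 user=bob result=FAIL
2025-06-20T10:01:25Z src=198.51.100.7 user=bob result=OK
2025-06-20T10:02:00Z src=192.0.2.10 user=ivan result=OK
2025-06-20T10:02:10Z src=192.0.2.10 user=judy result=OK
2025-06-20T10:02:20Z src=192.0.2.10 user=ken result=FAIL
2025-06-20T10:02:30Z src=192.0.2.10 user=laura result=OK
2025-06-20T10:02:40Z src=192.0.2.10 user=mike result=OK
garbage line that does not parse
"""

# Assumed log format: "<ISO-8601 UTC> src=<ip> user=<name> result=OK|FAIL".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)$"
)


def parse(text):
    """Turn log text into (timestamp, ip, user, failed) tuples, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["ip"], m["user"].lower(), m["res"] == "FAIL"))
    return events


def detect_stuffing(events, window_s=60, min_users=5, min_fail_ratio=0.8):
    """Per source IP, alert when a window holds many distinct users and mostly failures.

    Returns {ip: {"distinct_users", "attempts", "failures"}} for the widest
    offending window seen per IP. A single user failing repeatedly does not
    trigger (one distinct user); a NAT with many successful users does not
    trigger either (low failure ratio).
    """
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        users = Counter()  # distinct users currently inside the window
        fails = 0
        left = 0
        for right, (ts, _, user, failed) in enumerate(evs):
            users[user] += 1
            fails += failed
            # Slide the left edge forward until the window is at most window_s wide.
            while (ts - evs[left][0]).total_seconds() > window_s:
                _, _, old_user, old_failed = evs[left]
                users[old_user] -= 1
                if users[old_user] == 0:
                    del users[old_user]
                fails -= old_failed
                left += 1
            attempts = right - left + 1
            if len(users) >= min_users and fails / attempts >= min_fail_ratio:
                prev = alerts.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    alerts[ip] = {"distinct_users": len(users),
                                  "attempts": attempts, "failures": fails}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse(LOG_LINES)).items():
        print(f"possible credential stuffing from {ip}: {info}")
```

The two non-alerting sources in the sample are the important part: a lockout rule keyed only on failures per username would miss the stuffing source (each username is tried once), while a rule keyed only on failures per IP would misfire on the NAT address, so the detector needs both the distinct-user count and the failure ratio.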
It remains unclear how many unique users are affected, as overlapping credentials are present across the datasets. With over 5.5 billion internet users worldwide, many may have multiple accounts compromised.
Security experts recommend immediate action. Users should adopt a password manager to generate and store unique, complex passwords; enable multi‑factor authentication wherever it is offered; and move to passkey-based login where available, such as the implementations offered by Apple, Google and Microsoft. Regularly scanning systems for infostealer malware and avoiding downloads of cracked or unauthorised software are also advised.
Organisations are under pressure to strengthen internal cybersecurity measures, including enforcing MFA, conducting regular training on phishing awareness and credential hygiene, and adopting zero‑trust frameworks. Endpoint protection and proactive threat monitoring have become essential amid this evolving threat landscape.