Incident

Massive infostealer collection published, lists 16 billion credentials

Take action: At 16 billion credentials, this collection is simply too large to ignore. It's quite possible that some of your credentials are in it, even if they are old. Immediately enable multi-factor authentication (MFA) on all your important accounts, especially email, banking, and work systems. Run a full malware scan on all your devices using reputable antivirus software to check for infostealers. It may seem superfluous, but better safe than sorry.



Cybersecurity researchers have discovered a collection of 16 billion login credentials across 30 massive datasets. The collection, uncovered in an ongoing investigation by the Cybernews research team that began at the start of 2025, is a level up from any previous password leaks.

The investigation revealed 30 exposed datasets containing from tens of millions to over 3.5 billion records each. The largest single dataset, with over 3.5 billion records, is most likely related to Portuguese-speaking populations.

Other significant datasets included over 455 million records from the Russian Federation and over 60 million records related to Telegram. The scale of the collection makes it extremely difficult to assess how much overlap exists between the datasets, making it impossible to determine the exact number of unique individuals affected.

The collection is a mix of files from infostealer malware, credential stuffing sets, and previous repackaged leaks. Researchers determined that a significant number of records follow the structure of infostealers: URL, username, password.
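For defenders who need to check such a dump for their own organization's exposure, the URL, username, password structure can be parsed and triaged by domain. The following is an added example, not code from the researchers or the original article; the colon delimiter, the `example.org` watch domain, the function names, and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed layout: "URL:username:password", one record per line. The article
# gives only the field order; the colon delimiter is this example's assumption.
RECORD = re.compile(
    r"^(?P<url>(?:[a-z][a-z0-9+.-]*://)?[^:/\s]+(?::\d+)?(?:/[^:\s]*)?)"
    r":(?P<user>[^:\s]+):(?P<password>.+)$",
    re.IGNORECASE,
)

def parse_record(line):
    """Return (host, username), or None if malformed. Password is dropped."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    url = m.group("url")
    # Prefix "//" so urlsplit finds a netloc on scheme-less URLs.
    host = urlsplit(url if "://" in url else "//" + url).hostname
    return (host, m.group("user").lower()) if host else None

def in_scope(name, watched):
    # True for a watched domain or any subdomain of it.
    return any(name == d or name.endswith("." + d) for d in watched)

def exposure_report(lines, watched_domains):
    """Map each login host to the distinct in-scope usernames seen for it."""
    watched = {d.lower() for d in watched_domains}
    hits = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        host, user = rec
        mail_domain = user.rpartition("@")[2] if "@" in user else ""
        if in_scope(host, watched) or in_scope(mail_domain, watched):
            hits[host].add(user)
    return {host: sorted(users) for host, users in hits.items()}

# Constructed sample records (not real data); example.org is a placeholder.
SAMPLE = [
    "https://sso.example.org/login:alice@example.org:Summer2024!",
    "https://sso.example.org/login:Alice@example.org:Autumn2024!",
    "vpn.example.org:8443/portal:bob:pa:ss:word",
    "https://shop.example.net/account:carol@example.org:x",
    "https://forum.example.net/:dave@example.com:hunter2",
    "not a record",
]

print(exposure_report(SAMPLE, ["example.org"]))
```

The report lists which accounts need a forced password reset and session revocation, and it also surfaces work email addresses reused on third-party sites, without ever retaining the leaked passwords.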

All of the datasets were exposed only briefly, so the researchers could not determine who was controlling this amount of data. Most of the datasets were temporarily accessible through unsecured Elasticsearch or object storage instances.

Information in the leaked datasets opens the doors to pretty much any online service imaginable, from Apple, Facebook, and Google, to GitHub, Telegram, and various government services. 

The breach contained credentials for:

  • social media platforms,
  • VPN services,
  • developer portals,
  • corporate platforms,
  • financial services,
  • government systems.

Services listed in the collection are Apple, Facebook, Google, Microsoft, Netflix, PayPal, Amazon, GitHub, and Telegram, with 220 email addresses associated with .gov domains discovered in sample data.

The datasets apparently contain almost entirely new data; almost none of the exposed datasets were reported previously.

Using this collection, cybercriminals can combine and test credentials across many platforms, and even try out variations or check for newer versions of the passwords. Such a breach will be used for account takeover, identity theft, targeted phishing, or exploitation of any vulnerabilities that were invisible without a successful login.

At this moment, the best option for users is to ensure MFA enforcement on most or all of the platforms they use, and check their computers for malware and infostealers (scanning with a couple of reputable antimalware tools).
