In what could be one of the largest yet least-publicized cybersecurity breaches in history, researchers from Cybernews have uncovered a staggering 16 billion exposed login credentials scattered across 30 previously unreported datasets. These supermassive troves of personal data—sourced from social media, corporate accounts, developer portals, and even government services—are believed to originate from a combination of infostealer malware, credential stuffing kits, and previously leaked data repackaged by malicious actors.
While only one of these datasets—housing 184 million records—was reported earlier by Wired in May, researchers say most of the data remains largely unknown to the public and security community. The largest dataset alone reportedly contains over 3.5 billion records, with some suggesting links to the Portuguese-speaking web.
“This is not just a leak – it’s a blueprint for mass exploitation. With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing,” said the research team.
Structured for Exploitation
The datasets mostly follow a standard format: URL, login/email, and password—a structure consistent with how modern infostealers operate. Alarmingly, several of these records also include session tokens, cookies, and metadata, making them even more potent tools for attackers, especially for organizations lacking strong multi-factor authentication or robust credential hygiene.
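For defenders checking such a dump against their own domain, the following added example (not code from Cybernews or from this article) parses records in the URL, login, password layout described above and lists the accounts that need a reset. The colon delimiter, the `example.com` domain, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed layout: URL:login:password, colon-separated (the article names the
# fields but not the delimiter). The URL may carry a port and the password
# may itself contain colons, so a plain split(":") would mis-assign fields.
RECORD = re.compile(r"^(https?://[^\s:/]+(?::\d+)?(?:/[^\s:]*)?):([^:\s]+):(.*)$")


def parse_record(line):
    """Return (host, login) for one record, or None if it does not parse.

    The password is discarded on purpose: triage needs to know which
    account was captured, not what the secret was.
    """
    match = RECORD.match(line.strip())
    if not match:
        return None
    url, login, _password = match.groups()
    return urlsplit(url).hostname, login.lower()


def exposed_accounts(lines, org_domain):
    """Map each login tied to org_domain to the hosts it was captured on."""
    hits, skipped = defaultdict(set), 0
    for line in lines:
        record = parse_record(line)
        if record is None:
            skipped += 1
            continue
        host, login = record
        on_org_host = host == org_domain or host.endswith("." + org_domain)
        if on_org_host or login.endswith("@" + org_domain):
            hits[login].add(host)
    return dict(hits), skipped


# Constructed sample records; none of these come from a real dataset.
SAMPLE = [
    "https://sso.example.com/login:alice@example.com:Summer2024!",
    "https://mail.example.com:8443/auth:bob:pa:ss:word",
    "https://shop.invalid/account:alice@example.com:hunter2",
    "https://forum.invalid/login:carol@other.invalid:qwerty",
    "not a credential line",
]

if __name__ == "__main__":
    accounts, skipped = exposed_accounts(SAMPLE, "example.com")
    for login, hosts in sorted(accounts.items()):
        print(f"reset and revoke sessions: {login} (seen on {', '.join(sorted(hosts))})")
    print(f"unparsed lines: {skipped}")
```

A corporate address captured on a third-party site (the `shop.invalid` line) is still flagged, since password reuse makes it relevant to the organization. Because some records carry tokens and cookies, a password reset alone is not enough and active sessions should be revoked as well.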
The data was found temporarily accessible on unsecured Elasticsearch servers and object storage instances. While the datasets were exposed just long enough for researchers to analyze them, it remains unclear who originally compiled them. Some names suggest connections to malware operations or specific services, including Telegram, Russian domains, and cloud-based platforms.
The Bigger Threat
Despite some overlaps between datasets, researchers stress that the sheer volume and recency of the information make it a clear and present danger. Given the inclusion of both old and fresh infostealer logs, this breach stands apart from recycled database leaks that typically circulate on forums.
“The inclusion of both old and recent infostealer logs – often with tokens, cookies, and metadata – makes this data particularly dangerous for organizations lacking multi-factor authentication or credential hygiene practices,” the researchers added.
What Can Users Do?
With such a vast scale of exposed data, identifying the exact number of affected users or unique records is nearly impossible. However, cybersecurity experts advise users to take precautionary steps:
- Change passwords regularly, especially for sensitive accounts.
- Enable multi-factor authentication wherever possible.
- Conduct malware scans to detect and remove any infostealers.
- Avoid reusing passwords across services.
A Disturbing Pattern
This breach adds to an alarming series of recent mega-leaks. In early 2024, the Mother of All Breaches (MOAB) exposed over 26 billion records, followed by last year’s RockYou2024 dump of 10 billion passwords. Recent revelations from China also highlighted the exposure of billions of records involving WeChat and Alipay users.
As digital infrastructure scales, so do the threats. And with massive, untraceable datasets continuing to surface, the need for stricter data handling practices, better endpoint protection, and international cybersecurity collaboration has never been greater.