Lithuania: Internet users have been urged to change their credentials and strengthen their online security after researchers uncovered what may be one of the largest collections of stolen login credentials ever identified—an astonishing 16 billion records.
The discovery was made by cybersecurity researchers at Cybernews, who revealed they had found 30 separate datasets comprising credentials collected through malicious software known as ‘infostealers’ and previous data breaches. These troves of data were reportedly exposed online only for a short time but contained login information that could potentially grant access to services like Facebook, Apple, and Google.
Despite the alarming figures, the researchers clarified there was no centralised data breach at any of the major tech companies. Instead, the data appears to have been compiled from historical breaches and malware attacks that silently harvest credentials from infected devices.
Cybersecurity expert Bob Diachenko, who led the investigation, stated that around 85 percent of the leaked information came from infostealers, with the remaining 15 percent tied to past leaks, including the well-known LinkedIn breach. According to Diachenko, the files became briefly accessible due to poor storage practices on remote servers. Though quickly removed, the data was online long enough for researchers to retrieve it.
The data followed a consistent structure, typically starting with a URL and followed by usernames and passwords, making it highly usable for cybercriminals.
Representatives from Apple and Meta (Facebook’s parent company) have yet to comment, but a Google spokesperson confirmed the dataset was not the result of a Google-specific breach. Instead, they advised users to safeguard their accounts using password managers and tools like two-factor authentication (2FA).
Cybernews encouraged users to verify if their credentials were compromised by checking platforms. Experts warn the datasets present a ‘blueprint for mass exploitation, paving the way for identity theft, phishing attacks, and account takeovers. Toby Lewis of Darktrace said the malware behind the leak doesn’t necessarily hack accounts directly but collects sensitive browser data and login cookies.
Peter Mackenzie of Sophos emphasised that while the size of the data is staggering, much of it likely has been circulating in cybercriminal circles already. Still, the research illustrates how accessible this kind of information has become.
A wake-up call for online hygiene
Alan Woodward, professor of cybersecurity at the University of Surrey, likened the revelation to a digital spring cleaning reminder. Alan Woodward stated, “The fact that everything seems to be breached eventually is why there is such a big push for zero-trust security measures.”
While the datasets have since been removed and were only briefly online, researchers warned the exposure still poses risks due to the high quality and scale of the data involved. Only one of the 30 discovered datasets had been previously reported.
As the internet becomes increasingly intertwined with daily life, cybersecurity professionals continue to stress the importance of taking personal responsibility for digital safety. With billions of records potentially at risk, experts say the best defence remains strong, unique passwords, secure storage tools, and vigilant monitoring.
MOST READ | Iran rules out nuclear talks as conflict with Israel escalates
