Largest-Ever Data Breach Exposes 16 Billion Passwords affecting Users of Apple, Google, Telegram, and more

Massive leak affects users of Apple, Google, Telegram, and more; cybersecurity researchers warn of growing risks from infostealing malware
In what is being called the largest data breach in history, over 16 billion login credentials have reportedly been exposed online. The staggering revelation comes from a report by Cybernews, where a team of cybersecurity researchers, led by Vilius Petkauskas, has been investigating the leak since early 2025.
According to their findings, the leaked credentials (usernames, passwords, cookies, tokens, and other sensitive metadata) originated from a combination of cybercriminal activities involving infostealing malware, credential stuffing attacks, and repackaged leaks. The exposed accounts belong to users of major platforms such as Google, Apple, Facebook, Telegram, GitHub, and even government agencies.
The researchers discovered 30 unprotected datasets, some containing more than 3.5 billion records each. These were briefly exposed on unsecured Elasticsearch servers and open cloud storage services. Although the origin of the datasets remains unclear, their availability—even for a short time—was enough to allow threat actors to harvest sensitive information.
Much of the leaked data followed a standard infostealer pattern: URL, followed by username and password. This data format is typically used by malware designed to extract credentials from infected devices and relay them to attackers.
Security experts are raising alarms about the potential impact. The leaked data can be used for phishing attacks, ransomware infiltration, business email compromise, and large-scale account takeovers. In particular, systems lacking multi-factor authentication (MFA) are at heightened risk, as even basic credentials can grant unauthorized access.
Although the datasets likely include duplicate records, their scale means that millions, if not billions, of users may have been affected. Many of the datasets were bluntly labeled “logins” or “credentials,” making them easily identifiable and accessible to malicious actors.
To protect against such threats, experts recommend several urgent steps:
- Use strong, unique passwords for every online account
- Enable multi-factor authentication wherever possible
- Avoid using predictable or commonly known passwords like ‘password’ or ‘12345678’
- Regularly monitor your accounts and consider using tools like Google One’s Dark Web Report to check if your data has been compromised
- Install and routinely run trusted antivirus software to detect infostealing malware
This breach serves as a harsh reminder that cybersecurity is no longer just a technical issue; it’s a shared responsibility. Users, companies, and institutions alike must stay vigilant and adopt robust digital hygiene practices to mitigate the growing risks in today’s interconnected world.