Cybersecurity professionals have discovered a series of exposed datasets containing 16 billion credentials harvested by infostealers, but those who practice good password hygiene should be safe.
There’s probably at least one person in your life, perhaps it’s you, who periodically reminds their family of the importance of proper password hygiene. The eye rolls and annoyed dismissals are expected, but the latest data breach may be enough to inspire some motivation.
According to research conducted by a cybersecurity team at Cybernews, 30 datasets containing over 16 billion stolen credentials appeared briefly online. The researchers haven’t been able to discover who owns the dataset, but it’s a massive breach that makes most others pale in comparison.
Each of the 30 datasets contains anywhere from tens of millions to 3.5 billion credentials. Each record includes a URL, a login, and a password.
Of course, there is some overlap between different datasets, so there’s no definitive way to estimate exactly how many individuals were affected. The largest database of 3.5 billion records seemed to be from Portuguese-speaking populations, while 445 million records were Russian.
The logins covered a wide range of apps and services, from Apple to Telegram, Facebook, and more. At least 60 million records were for Telegram alone.
The datasets appear to originate from malware and infostealers. These can operate on an individual’s device or on the website itself, so there’s no single entity to blame.
Basic digital hygiene will save you
This incredible data breach shows how sophisticated bad actors have become. However, it is important to realize that we’re more than a decade past usernames and passwords as the only login method.
First, users must, and I can’t emphasize this enough, use a password manager. We’re well beyond it being a simple and convenient utility — it’s a lifeline.
Whether you’re using iPhone or Android, Windows or Mac, or even Linux, there are options to store and manage your passwords. These tools, like Apple’s Passwords app, will warn you of repeated credentials and link you directly to the website to change them.
Paid services, like 1Password or Dashlane, take it further by warning users when their logins appear in known breaches. Apple Passwords does this too, but paid services may have a wider reach or more detailed reporting.
For most, the built-in password manager for whatever device you’re using should be more than enough. But the reason I mention password managers isn’t for the storage, it’s for the functionality.
Every single password you save should be unique, period. My password manager shows 429 unique passwords, each of them randomly generated by Apple.
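As an added illustration (not code from the article or from any of the products named), here is how a password manager can flag reused passwords and check whether a password appears in a known breach without ever sending the password itself: the client hashes it with SHA-1, sends only the first five hex characters, and matches the returned suffixes locally. This is the k-anonymity range query popularised by Have I Been Pwned; the vault and the breach corpus below are constructed, and the article does not say which mechanism Apple Passwords, 1Password or Dashlane actually use.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault: (site, login, password). None of these are real credentials.
VAULT = [
    ("example-mail.test", "alice", "Tr0ub4dor&3"),
    ("example-shop.test", "alice", "Tr0ub4dor&3"),      # same password reused
    ("example-bank.test", "alice", "x9!Qm2#vL8pW^zR4"),
    ("example-chat.test", "alice", "password123"),
]

# Constructed stand-in for a breach corpus: upper-case SHA-1 hex digests of leaked passwords.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password123", "qwerty", "letmein")
}

def find_reused(vault):
    """Group vault entries by password; return {password: [sites]} for passwords used more than once."""
    by_pw = defaultdict(list)
    for site, _login, pw in vault:
        by_pw[pw].append(site)
    return {pw: sites for pw, sites in by_pw.items() if len(sites) > 1}

def range_query(prefix, corpus):
    """Simulated server side of a k-anonymity lookup: return every suffix whose digest starts with prefix."""
    return {h[5:] for h in corpus if h.startswith(prefix)}

def is_breached(password, corpus=BREACHED_SHA1):
    """Client side: only the 5-char prefix leaves the device; the suffix match happens locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_query(prefix, corpus)

def audit(vault):
    """Produce the two warnings a password manager would surface: reuse and breach exposure."""
    reused = find_reused(vault)
    breached = sorted({site for site, _login, pw in vault if is_breached(pw)})
    return {"reused": reused, "breached": breached}

if __name__ == "__main__":
    for kind, hits in audit(VAULT).items():
        print(kind, hits)
```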
Second, set up two-factor authentication for every account that offers it. SMS isn’t really a good option thanks to SIM swapping attack vectors, but it’s better than nothing.
If an app offers 2FA via a code generator tool, Apple Passwords can generate those codes too. If it offers a QR code, press and hold on it to open it in Passwords, or copy the manual code and paste it into a field in the Passwords app.
Once you’ve got these set up in your password manager of choice, you’ll be able to log into everything using Face ID or Touch ID. No need to know your credentials.
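The "manual code" and the QR code mentioned above carry the same thing: a shared secret plus a few parameters, packed into an otpauth URI. As an added example (not from the article or Apple), this shows what a code generator stores when you paste that secret and how it derives the six-digit code per RFC 4226/6238; the URI is constructed and the secret is the RFC test key, not a real account's.

```python
import base64
import hmac
import struct
import time
from urllib.parse import urlparse, parse_qs, unquote

# Constructed provisioning URI of the kind encoded in a 2FA QR code. The secret is the
# RFC 6238 test key ("12345678901234567890" in base32), not a real account's secret.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.test"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")

def parse_otpauth(uri):
    """Extract the fields a password manager stores when you scan or paste a 2FA setup code."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    q = parse_qs(parts.query)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": q["secret"][0].upper(),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }

def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32, at_time, digits=6, period=30):
    """RFC 6238: the HOTP counter is the number of whole periods since the Unix epoch."""
    return hotp(secret_b32, int(at_time) // period, digits)

def current_code(uri, now=None):
    """The code the generator would show for this URI at time `now` (default: right now)."""
    p = parse_otpauth(uri)
    return totp(p["secret"], time.time() if now is None else now, p["digits"], p["period"])

if __name__ == "__main__":
    print(parse_otpauth(SAMPLE_URI)["label"], current_code(SAMPLE_URI))
```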
Users can take this even further by using Apple’s Hide My Email function when creating accounts. The feature is meant to help keep spam from piling up in your main inbox, but it serves a second purpose by making it harder for hackers to associate your accounts with each other.
Finally, there’s a new way to protect your data online called passkeys. These rely on a hardware device, which is usually protected by biometrics.
Set up passkeys wherever they are available, and they will replace the username and password entirely. Some apps use them as a kind of 2FA, which is silly, but it is still better than not having the option.
Passkeys basically replace your username and password with your hardware device and biometric. It’s a rock-solid way to lock down an account.
Of course, in the most extreme cases, you can set up security keys where a physical device like a USB drive acts as a physical 2FA device. Users can set this up for their Apple Account if they’re worried about a hack, but that should be reserved for political persons, public figures, and those expecting targeted attacks.
The 16 billion credential leak is likely being used to devise phishing schemes that will reveal more user data. Remember, the weakest part of anyone’s security is the human element.
Never open a link from an unknown number or email, and never give someone personal details over the phone unless it is a verified number or one you dialed personally. When in doubt whether an email or text is real, go to the browser and log in to the account manually instead of clicking the link.
Apple actually makes managing unknown texts, calls, and other scam vectors easier in iOS 26. Calls and texts from unknown numbers are automatically moved to a new section in the Phone or Messages app.
Basic internet and password hygiene can go a long way in thwarting criminals. And while some of this can take time to set up, once it’s all running, you should never have to think of a username or password again, even when there is a breach.