Researchers from Cybernews have stumbled upon what might be the second largest data breach in history. Containing over 16 billion username and password combinations, the newly found massive database is dwarfed only by a 2024 data breach that contained 26 billion logins.
One might be tempted to think these databases contain old, irrelevant information. They might even overlap to some degree. However, the researchers at Cybernews say the data isn’t just old data resurfacing online from time to time. It’s still relevant to attackers.
The databases contain additional elements beyond logins, including cookies that might let hackers access accounts even after you think you’ve secured them.
Hackers conduct malware campaigns all the time, looking to steal sensitive personal information, such as credentials for apps and services. They use those logins to extract more information, steal money, and obtain other benefits. Hackers will also try the same username and password combination on multiple websites, as some internet users recycle their logins.
A few weeks ago, we saw a database containing over 184 million records exposed online. Cybernews now says that database is part of the massive collection they’ve just discovered. The 16 billion login credentials are spread across 30 separate databases that were accidentally left exposed online. That’s how the security researchers found them.
The largest database contained 3.5 billion records. Smaller ones had tens of millions of username/password combinations.
Except for the 184 million database from May, none of these databases were previously seen.
Cybernews says the databases contain information from different types of attacks. Some originate from infostealer malware, malicious programs that steal information from users after they’re fooled to install malware software on their PCs.
Credential stuffing is another source of data. That’s when hackers use your Netflix password to sign into an Apple or Facebook account tied to the same email address. Such attacks are possible if you reuse the same password and don’t employ additional protection such as two-factor authentication (2FA).
The 16 billion database also contains information from previous leaks.
The researchers didn’t have time to determine how many people were compromised. Also, it’s unclear who owns the databases. But they say the danger is massive nonetheless.
Given the number of exposed credentials, even a small success percentage would give hackers access to millions of accounts.
“This is not just a leak – it’s a blueprint for mass exploitation. With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing. What’s especially concerning is the structure and recency of these datasets – these aren’t just old breaches being recycled. This is fresh, weaponizable intelligence at scale,” researchers said.
Cybernews says the information in the database “opens the doors to pretty much any online service imaginable, from Apple, Facebook, and Google, to GitHub, Telegram, and various government services.”
What you can do
If you’re worried about some of your most sensitive accounts being exposed to hackers, you can always change your password. Choose a strong, unique password and use a password management app to save it. Rinse and repeat for each internet service you might own.
You should also sign out of all the places you might be logged into before changing your password.
Set up passkeys where you can and enable 2FA.
However, if you do all that, hackers can still steal your data if you have infostealer malware on your computer. Use antivirus software on your computers, and don’t click on anything you receive via email or instant messaging. Anything that looks suspicious should not be opened. Don’t let your curiosity help hackers install infostealing malware on your computer.
