An unprecedented data breach has compromised approximately 16 billion login credentials, impacting tech giants like Apple, Google, and Meta, as well as platforms such as Telegram, GitHub, and even government services. The discovery, announced on June 19, 2025, by Cybernews researchers, is considered the largest data breach ever recorded. The data, organized into 30 distinct datasets ranging from tens of millions to 3.5 billion records each, was briefly exposed on the internet. Experts warn that the information may be circulating on the dark web, increasing risks such as identity theft, financial fraud, and phishing attacks. The severity of the incident prompted Google to recommend immediate password changes and the FBI to issue warnings against malicious SMS links.
The scale of the leak is so vast that it equates to roughly two accounts per person on the planet, though it’s unclear how many users or accounts were directly affected. The data includes URLs, logins, and passwords, structured to facilitate automated cyberattacks. Unlike previous incidents that often recycled old information, many of these credentials are recent, collected by infostealer malware.
The case has garnered global attention, with cybersecurity authorities and tech companies on high alert. Below, we detail the key aspects of the leak, its implications, and recommended protective measures.
Origin and scale of the breach
Cybernews researchers have been tracking the leak since early 2025, identifying 30 datasets with staggering volumes. The largest, possibly linked to Portuguese-speaking populations, contains over 3.5 billion records, while the smallest includes 16 million. The data’s structure, with URLs, logins, and passwords, suggests collection by infostealers, malware designed to extract credentials from infected devices.

These malicious programs operate silently, capturing information stored in browsers, such as saved passwords and authentication cookies. Additionally, techniques like credential stuffing—testing stolen credentials across multiple sites—and restructured older leaks contributed to these datasets. The lack of clarity about the perpetrators heightens concerns, as the data may have been accessed by various criminal groups before detection.
Affected platforms
The exposed credentials span a wide range of online services, compromising user security worldwide. Affected platforms include:
- Social media: Facebook, Instagram, and other Meta platforms.
- Email and search services: Google, including Gmail and YouTube.
- Apple ecosystem: iCloud, App Store, and other Apple ID-linked services.
- Messaging and development: Telegram and GitHub.
- Government services: Public sector portals, though unspecified.
The inclusion of government services is particularly concerning, as it may compromise sensitive citizen and institutional data. The lack of details about affected portals hinders local impact assessments.
Mechanisms behind the leak
The leak’s sophistication lies in the combination of methods used to collect data. Infostealers, for instance, infiltrate devices through malicious emails, compromised websites, or infected apps. Once installed, they log everything from typed passwords to screenshots.
Another factor is credential stuffing, a technique using bots to test stolen credentials on various platforms. Since many people reuse passwords, a compromised login on a less secure site can unlock more critical accounts, like emails or banking services.
Researchers also note that the data’s accessible format—with URLs, logins, and passwords aligned—indicates a deliberate effort to facilitate exploitation. This structure suggests cybercriminals aimed to maximize the leak’s impact, turning it into a tool for large-scale attacks.
Risks for users
The exposure of 16 billion credentials poses a significant threat to individuals and businesses. Key risks include:
- Identity theft: Criminals can impersonate victims in fraudulent transactions.
- Unauthorized access: Email, social media, and financial accounts are vulnerable.
- Financial fraud: Banking credentials may be exploited for unauthorized transfers.
- Targeted phishing: Fraudulent messages, like SMS with malicious links, become more convincing with personal data.
- Extortion: Sensitive data can be used for blackmail.
Businesses also face severe consequences, including loss of customer trust, legal penalties, and financial losses from ransomware or corporate breaches.
Response from tech companies
Google was among the first to respond, urging users to update passwords immediately. The company also emphasized enabling two-factor authentication (2FA), which adds an extra security layer by requiring a code or additional device for login.
Meta, which owns Facebook and Instagram, has yet to issue a detailed statement but faces pressure to clarify its platforms’ exposure. Apple has been promoting passkeys, a technology replacing traditional passwords with cryptographic keys stored on devices and unlocked with, for example, facial or fingerprint recognition.
Experts note that passkeys could reduce reliance on passwords, but adoption remains slow. The expectation is that most online services will support this technology within three years.
Recommended protective measures
Given the leak’s severity, cybersecurity experts recommend immediate actions to minimize risks. Practical steps include:
- Updating passwords for all accounts, prioritizing critical services like emails, banks, and social media.
- Using unique, complex passwords, ideally generated by password managers.
- Enabling two-factor authentication (2FA) on all supported services.
- Monitoring for suspicious activity, such as unsolicited emails or messages.
- Checking if credentials were exposed using tools like Have I Been Pwned.
Additionally, users should avoid clicking links in unsolicited SMS or emails, as cybercriminals may use leaked data for highly personalized scams.
Threats on the dark web
Though the data was exposed briefly, experts believe it’s already circulating in dark web forums. These platforms are used by hackers to buy, sell, and trade stolen information. The sale of credentials could fuel a wave of cyberattacks, from account takeovers to ransomware campaigns.
Tracking the perpetrators remains challenging, complicating efforts to mitigate damage. Agencies like the FBI are ramping up warnings about phishing scams, which typically surge after such incidents.
Emerging security technologies
The leak underscores the need for alternatives to traditional passwords. Passkeys, adopted by Apple and Google, use biometric authentication or local encrypted codes, eliminating password memorization.
Another rising solution is zero-trust authentication, requiring continuous identity verification, even after initial login. This approach is particularly valuable for businesses protecting corporate data.
Global cybersecurity landscape
The 2025 incident is not isolated. In 2024, the RockYou2024 file exposed nearly 10 billion passwords, though most were outdated. The current leak, with fresh data, raises the stakes.
Data protection authorities in Europe and beyond are evaluating potential sanctions against affected companies if security lapses are identified. In Brazil, the General Data Protection Law (LGPD) could apply if Brazilian citizens’ data is confirmed compromised.
Vulnerable sectors
Beyond individuals, sectors like cryptocurrencies face specific risks. Many digital wallets rely on passwords linked to email or cloud services, which may be exposed. Experts recommend storing seed phrases offline in physical formats to prevent losses.
Tech companies are also reviewing their security infrastructures. Misconfigured cloud environments, for instance, are flagged as potential vulnerabilities hiding other compromised datasets.