Internet users are being urged to change their passwords and bolster their online security after cybersecurity researchers discovered 16 billion login credentials in publicly exposed datasets — a trove that could be used by criminals to hijack everything from social media accounts to email logins.
The revelation comes from researchers at Cybernews, who uncovered 30 separate datasets containing credentials gathered through malicious software known as “infostealers”, as well as from historic data breaches. While many of the records are likely duplicates or already in criminal circulation, the scale of the find is alarming and underscores the persistent vulnerability of personal data online.
The exposed credentials could, in theory, offer access to services including Facebook, Google, and Apple, though none of these companies suffered a new breach. Instead, the data was obtained from third-party sources — typically through malware infections on users’ devices that steal saved logins and passwords directly from browsers or password managers.
Bob Diachenko, a respected Ukrainian cybersecurity expert who led the research, said the records were briefly accessible because they sat on misconfigured remote servers, and were then taken down. “It will take some time to assess and contact those affected, because it’s an enormous amount of data,” he said.
Cybersecurity analysts have been quick to caution that this is not the result of a new major data breach, but rather a reflection of how dangerous and widely available previously stolen data remains. Much of the data stems from logs generated by infostealer malware, which can harvest login credentials, session cookies, browsing history, and even saved credit card information.
According to Diachenko, the vast majority of the exposed information — about 85% — appears to be from such infostealer logs, with the remainder coming from older breaches such as the 2012 LinkedIn hack.
The data troves followed a clear structure: URLs, followed by usernames and passwords. The potential for account takeovers, phishing attacks, and identity theft is significant, especially if users have reused passwords across multiple services.
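A defender-side triage of records in the URL, username, password layout described above, added here as an example and not taken from Cybernews or any tool the article names. The colon delimiter, the `example.com` organisation domain and every sample record are constructed assumptions; passwords are compared only through a per-run keyed fingerprint and never appear in the report.

```python
import hashlib
import hmac
import re
import secrets
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records; the "url:username:password" delimiter is an assumption.
SAMPLE = """\
https://mail.example.com/login:alice@example.com:Summer2024!
https://shop.example.net:8443/account:alice@example.com:Summer2024!
https://forum.example.org/signin:bob@example.com:x9:Qv#71
https://intranet.example.com/:carol@example.com:T7!k
https://news.example.org/login:dave@other.test:hunter2
malformed line without fields
"""

# URL (optional port and path), then a colon-free username; the rest is the
# password, which may itself contain colons.
RECORD = re.compile(r"^(https?://[^\s:/]+(?::\d+)?(?:/[^\s:]*)?):([^\s:]+):(.+)$")
KEY = secrets.token_bytes(32)  # per-run key: fingerprints are useless outside this run


def parse_record(line):
    """Return (host, username, password) for one record, or None if malformed."""
    m = RECORD.match(line.strip())
    if m is None:
        return None
    url, user, password = m.groups()
    return urlsplit(url).hostname, user.lower(), password


def triage(lines, org_domain):
    """Report exposed accounts under org_domain and whether a password is reused."""
    seen = defaultdict(lambda: defaultdict(set))  # user -> fingerprint -> hosts
    skipped = 0
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            skipped += 1  # count unparseable lines instead of silently dropping them
            continue
        host, user, password = rec
        if not user.endswith("@" + org_domain):
            continue
        fp = hmac.new(KEY, password.encode(), hashlib.sha256).hexdigest()
        seen[user][fp].add(host)
    report = {}
    for user, by_fp in seen.items():
        report[user] = {"hosts": sorted(set().union(*by_fp.values())),
                        "reused": any(len(h) > 1 for h in by_fp.values())}
    return report, skipped
```

Accounts flagged `reused` are the ones where a single exposed password opens more than one service, so they are the first candidates for a forced reset and MFA enrolment.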
Google, responding to the report, confirmed the leak did not originate from any Google systems, and encouraged users to secure their accounts using tools like Google Password Manager and passkeys, a newer password-free authentication method. Meta and Apple have yet to respond publicly.
Toby Lewis, global head of threat analysis at Darktrace, warned that infostealers remain “very much real and in use by bad actors.” While they don’t directly log into accounts, they “scrape information from browser cookies and metadata,” giving attackers a way around passwords altogether.
Peter Mackenzie, director at Sophos, emphasised that the news serves as a stark reminder of the depth of personal data available to cybercriminals. “There is no new threat here, but it shows how much sensitive information is still floating around. If you haven’t changed your passwords or enabled multifactor authentication, now’s the time.”
Experts recommend that anyone concerned should:
• Immediately change passwords, especially if reusing the same credentials across platforms.
• Enable multifactor authentication (MFA) wherever available, adding an extra layer of security.
• Use a password manager to generate and store unique, strong passwords.
• Check whether personal information has been compromised using services like HaveIBeenPwned.com.
Alan Woodward, professor of cybersecurity at the University of Surrey, called it a good time for “password spring cleaning.” He added: “The fact that everything seems to be breached eventually is why there’s such a strong push toward zero-trust security models, which don’t assume any device or user is inherently safe.”
Cybernews said that although the exposed datasets were quickly taken down and haven’t been widely circulated on public forums, they represent a “blueprint for mass exploitation” and warned that complacency could leave users vulnerable.
In an era where one compromised login can unlock access to emails, financial records, or private conversations, experts agree: staying proactive is no longer optional — it’s essential.