Cybersecurity researchers have discovered what may be the largest data breach in internet history, with over 16 billion passwords and login credentials leaked from major platforms such as Apple, Google, Facebook, Telegram, GitHub, and various government sites.
The breach, reported by Cybernews, on Thursday, June 19, involves 30 separate datasets, some with more than 3.5 billion records each, largely harvested using infostealer malware.
These leaked records include usernames, passwords, access tokens, and session cookies, allowing for mass automated attacks across countless websites.
“This is not just a leak, it’s a blueprint for mass exploitation,” a Cybernews researcher warned.
The breach’s scale is staggering. One dataset alone holds 3.5 billion records, while others target specific populations, such as 455 million records linked to Russian users and 60 million tied to Telegram.
Researchers estimate that with 5.56 billion internet users globally, many individuals likely have multiple compromised accounts.
Unlike older breaches, such as the RockYou2024 leak or the so-called “Mother of All Breaches” in 2024, most of the exposed data appears to be fresh, making it more dangerous. Only one of the 30 datasets, containing 184 million records, had been previously reported.
The origin of the leak is unclear, but researchers believe it was compiled from exposed Elasticsearch and cloud storage systems.
READ ALSO: Data Abuse: Nigerian govt slams N330bn fine on Facebook, WhatsApp owners
The structured format of the data makes it ideal for credential stuffing, a hacking method used to hijack user accounts, commit fraud, and launch targeted phishing campaigns.
“This is a wake-up call for everyone, individuals, businesses, and governments,” said Vilius Petkauskas of Cybernews. “The fragility of our digital identities is on full display.”
Experts are urging users to take immediate action by changing all passwords, enabling two-factor authentication (2FA), and using password managers.
While companies like Google are advocating for passkeys as a safer alternative to passwords, others, such as Apple and Facebook, have yet to comment publicly on the breach.
Cryptocurrency users are also being warned, as compromised credentials could result in digital wallet theft and financial losses.
With billions of credentials now in the hands of bad actors, the global cybersecurity community is on high alert.
Experts are warning of an expected rise in ransomware, phishing, and identity theft, urging organisations to audit systems regularly and adopt stronger authentication protocols.
The full extent of the damage may take months to uncover, but the breach serves as a grim reminder of how vulnerable digital life has become in today’s hyperconnected world.