In a staggering revelation that has sent shockwaves through the cybersecurity world, researchers have uncovered what is believed to be the largest credential leak in internet history. More than 16 billion login records—spanning usernames, passwords, session cookies, authentication tokens, and autofill data—have been exposed online, affecting virtually every major digital platform, including Facebook, Google, Apple, TikTok, Telegram, GitHub, and even government and VPN services.
The exposure was documented by the research team at Cybernews, which tracked it between January and June 2025. During that period the team identified more than 30 separate datasets sitting in cloud storage that could be read without any credentials. Most were misconfigured Elasticsearch instances or object storage buckets: services bound to a public address with authentication switched off, or permissions set so that anyone could list and download their contents.
The exposed datasets ranged in size from 16 million to about 3.5 billion records, averaging roughly 550 million each, for a combined total of about 16 billion records of credentials and related authentication data. The researchers noted that the datasets overlap, so the number of distinct credentials, and of people affected, is smaller than the headline figure and cannot be pinned down; even so, it is the most expansive exposure of login data documented to date.
What makes this discovery more disturbing is the nature of the data itself. These are not just usernames and passwords. Many entries included session cookies and authentication tokens, which an attacker can replay to enter an account without knowing the password and, in most cases, without triggering multi-factor authentication, because the session was already authenticated when the cookie was issued. One particularly notable unsecured instance held over 184 million login credentials, largely for social media platforms such as Facebook and Snapchat.
Although the ownership of many of these datasets could not be definitively determined, forensic indicators strongly suggest that a large portion of the data was harvested through infostealer malware—small, stealthy programs designed to silently extract sensitive information from infected devices. Among the malware strains believed to be responsible are some of the most well-known in the cybercriminal ecosystem: RedLine, Raccoon, and Vidar.
These malware programs are particularly dangerous because they operate quietly and efficiently. Once installed on a victim’s computer, they scan browsers for saved passwords, scrape autofill information, extract session cookies, and even retrieve stored credit card data or cryptocurrency wallet details. This information is then compiled into databases and sold on the dark web or used directly for account takeovers, identity theft, and fraud.
The way the records are structured also supports the malware theory. Most are keyed by the login URL of a site and carry the matching username and password for it, the exact layout infostealers write when they dump a browser's saved logins. Some records duplicate entries from earlier known breaches, but researchers noted that a significant share appears to be new, never-before-seen data, which points to infections that are ongoing and undetected.
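As an added example (not code from the Cybernews investigation), here is how an incident responder can triage a dump in the url:login:password layout just described against their own domains, keeping only the records that belong to the organisation and flagging password reuse without ever writing a plaintext password to the report. The sample records, the domain example-corp.com and the function names are constructed for illustration; the regex is a heuristic, since real dumps vary in delimiter and field order.

```python
"""Triage an infostealer-style credential dump against your own domains.

Added example, not code from the Cybernews investigation. The records
below are constructed; the url:login:password line layout is the common
infostealer export format described above, but real dumps vary
(delimiters, field order), so the regex is a heuristic to adapt.
"""
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records: no real accounts or passwords.
SAMPLE_DUMP = """\
https://accounts.example-corp.com/login:alice@example-corp.com:Summer2024!
https://www.facebook.com/login.php:bob.personal@gmail.com:hunter2
https://vpn.example-corp.com:443/remote/login:bob@example-corp.com:pa:ss:word
android://com.example.bank/:carol@example-corp.com:Sp4ce Pass
https://github.com/login:alice@example-corp.com:Summer2024!
this line is not a credential record and is skipped
"""

# url:login:password. Anchoring the URL on "://" and taking the password
# greedily to end of line keeps passwords that themselves contain ':'.
# Paths containing ':' are the known blind spot of this heuristic.
RECORD = re.compile(
    r"^(?P<url>\S+?://[^:/\s]+(?::\d+)?(?:/\S*?)?)"
    r":(?P<login>[^:\s]+):(?P<password>.+)$"
)


def parse_dump(text):
    """Yield (host, login, password) per parseable line; skip everything else."""
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        host = urlsplit(m["url"]).hostname  # drops scheme, port and path
        if host:
            yield host.lower(), m["login"].lower(), m["password"]


def fingerprint(password):
    """Short SHA-256 fingerprint so reports never carry plaintext passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def triage(text, our_domains):
    """Return {login: {"hosts": [...], "distinct_passwords": n}} for logins
    in our domains. distinct_passwords == 1 across several hosts means the
    password is reused, exactly what credential stuffing relies on."""
    our_domains = {d.lower() for d in our_domains}
    hosts = defaultdict(set)
    prints = defaultdict(set)
    for host, login, password in parse_dump(text):
        if login.rpartition("@")[2] not in our_domains:
            continue  # personal account on a third-party site: not ours to reset
        hosts[login].add(host)
        prints[login].add(fingerprint(password))
    return {
        login: {"hosts": sorted(hosts[login]), "distinct_passwords": len(prints[login])}
        for login in hosts
    }


if __name__ == "__main__":
    for login, info in triage(SAMPLE_DUMP, ["example-corp.com"]).items():
        print(f"{login}: seen on {', '.join(info['hosts'])}; "
              f"{info['distinct_passwords']} distinct password(s)")
```

The output is what a helpdesk needs to force resets: which corporate logins appear, on which sites, and whether one password was used on several of them. Personal accounts found in the same dump are left out deliberately; the organisation cannot reset those, and retaining the plaintext would only create a second copy of the leak.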
Even more alarming is the fact that researchers found this data simply by scanning the internet—no hacking or advanced intrusion techniques were needed. The databases were publicly accessible, left open to the web due to poor configuration practices and a lack of security awareness. This highlights a critical weakness in today’s cloud-based infrastructure: human error remains one of the most persistent and damaging vulnerabilities.
This exposure illustrates a growing problem. As more companies move operations to the cloud, securing that data becomes ever more important, yet time and again major exposures are caused not by sophisticated attacks but by simple misconfigurations: database services bound to a public address with authentication switched off, storage buckets whose permissions let anyone list and download objects. Encryption at rest is no defence against this; the service decrypts on request, so a query endpoint that answers anyone hands over the plaintext. The missing control is authentication combined with network restriction.
The consequences of this breach could be far-reaching. With 16 billion pieces of login data now potentially in the hands of cybercriminals, millions of individuals and organizations are at risk. Personal accounts may be compromised, corporate systems infiltrated, and sensitive government portals targeted. The potential for fraud, extortion, and widespread disruption is enormous.
Cybercriminals are already skilled at leveraging even small amounts of stolen data to conduct spear-phishing attacks, deploy ransomware, and engage in financial scams. With access to such a massive volume of credentials, they can automate credential stuffing attacks, where stolen usernames and passwords are used en masse to attempt logins on multiple services, banking on the fact that many users reuse passwords across platforms.
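Credential stuffing leaves a recognisable trace in authentication logs: one source address, many distinct accounts, mostly failures, and the occasional success that is the real account takeover. The following is an added example of that detection logic run over constructed sample log lines; it is not code from the article or from any product, and the log format, addresses and user names are assumptions to adapt to a real identity provider's schema.

```python
"""Credential-stuffing detection over authentication logs.

Added example, not from the article or any vendor product. The log lines
are constructed in a simplified "ts ip= user= result=" layout; adapt
parse_log to your identity provider's real schema. The signature used:
one source address trying many distinct accounts inside a short window,
with a low success rate. A single account hammered from one address is
brute force, not stuffing, and is deliberately not flagged here.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SAMPLE_LOG = """\
2025-06-19T10:00:01Z ip=203.0.113.7 user=alice result=fail
2025-06-19T10:00:02Z ip=203.0.113.7 user=bob result=fail
2025-06-19T10:00:03Z ip=203.0.113.7 user=carol result=fail
2025-06-19T10:00:04Z ip=203.0.113.7 user=dave result=success
2025-06-19T10:00:05Z ip=203.0.113.7 user=erin result=fail
2025-06-19T10:00:06Z ip=203.0.113.7 user=frank result=fail
2025-06-19T10:01:00Z ip=198.51.100.4 user=alice result=fail
2025-06-19T10:01:05Z ip=198.51.100.4 user=alice result=fail
2025-06-19T10:01:10Z ip=198.51.100.4 user=alice result=fail
2025-06-19T10:01:15Z ip=198.51.100.4 user=alice result=fail
2025-06-19T10:01:20Z ip=198.51.100.4 user=alice result=fail
2025-06-19T10:01:25Z ip=198.51.100.4 user=alice result=fail
2025-06-19T10:05:00Z ip=192.0.2.10 user=carol result=fail
2025-06-19T10:05:09Z ip=192.0.2.10 user=carol result=success
"""

LINE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse_log(text):
    """Return events as (timestamp, ip, user, succeeded) sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["ip"], m["user"], m["result"] == "success"))
    return sorted(events)


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, max_success_ratio=0.5):
    """Return {ip: {"users": n, "attempts": n, "successes": [...]}} for each
    source that, within some sliding window, touched >= min_users distinct
    accounts with a success ratio <= max_success_ratio. 'successes' lists
    the accounts that should be treated as likely taken over."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            if len(users) < min_users:
                continue
            successes = [e[2] for e in win if e[3]]
            if len(successes) / len(win) > max_success_ratio:
                continue  # mostly successful: looks like real users behind a shared NAT
            f = findings.setdefault(ip, {"users": 0, "attempts": 0, "successes": set()})
            f["users"] = max(f["users"], len(users))
            f["attempts"] = max(f["attempts"], len(win))
            f["successes"] |= set(successes)
    for f in findings.values():
        f["successes"] = sorted(f["successes"])
    return findings


if __name__ == "__main__":
    for ip, f in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {f['users']} accounts in {f['attempts']} attempts; "
              f"successful logins to review: {f['successes'] or 'none'}")
```

Of the three sources in the sample, only 203.0.113.7 is flagged: six accounts in six seconds with one success, which is the account to lock and investigate. The address that fails six times against a single account is a brute-force attempt and belongs to a different rule, and the user who mistypes once and then logs in is normal behaviour. In production, the thresholds should be tuned per endpoint, and the success-ratio guard matters because a corporate NAT address legitimately produces many distinct users.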
This breach should serve as a critical warning for both consumers and organizations. Individuals are urged to adopt stronger security habits immediately:
- Use strong, unique passwords for each account.
- Enable multi-factor authentication (2FA or MFA) wherever available; it stops attacks that rely on a reused password but not the replay of a stolen session cookie.
- Regularly check whether your email address or passwords have appeared in known breaches using a service such as Have I Been Pwned.
- Avoid saving passwords in the browser, which is exactly where infostealers look, and use a reputable password manager instead.
- If a device may be infected, clean or rebuild it before changing anything; passwords changed on a machine that is still running an infostealer are simply stolen again. Then change passwords and sign out of all active sessions so that stolen cookies and tokens stop working.
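The Have I Been Pwned check in the list above can be done without sending the password anywhere, using the service's k-anonymity range API: the client hashes the password with SHA-1, sends only the first five hex characters, receives every known suffix for that prefix, and matches locally. Added example, not HIBP's own client; the offline range response is constructed (only the SHA-1 suffix of "password" is real, the counts and other suffixes are invented), and the live function assumes the public endpoint https://api.pwnedpasswords.com/range/ is reachable.

```python
"""Check whether a password appears in Have I Been Pwned's Pwned Passwords
corpus using the k-anonymity range API: only the first five hex characters
of the password's SHA-1 hash are sent, never the password or full hash.

Added example, not HIBP's own client. The range response used by the
offline check is constructed (the suffix for "password" is real; the
counts and the other suffixes are invented) so the demo runs without
network access; live_range() hits the real endpoint for your own tests.
"""
import hashlib
import urllib.request


def split_hash(password):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest: 5 + 35 chars."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}. With the Add-Padding
    header the server includes dummy suffixes with count 0; those are kept
    but never count as a breach (see breach_count)."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Number of times the password was seen in breaches (0 = not found).
    fetch_range(prefix) returns the raw range text for that 5-char prefix."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def live_range(prefix):
    """Fetch the real range from api.pwnedpasswords.com (network required)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the range of prefix 5BAA6 (SHA-1 of "password"
# starts 5BAA61E4...). The counts and the two extra suffixes are made up.
FAKE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\n"
             "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\n"
             "0123456789ABCDEF0123456789ABCDEF012:0\n",   # padding entry
}


def offline_range(prefix):
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple xq9"):
        n = breach_count(pw, offline_range)
        print(f"{pw!r}: {'seen %d times, do not use' % n if n else 'not in the sample range'}")
```

To run it against the real service, pass live_range instead of offline_range. The Add-Padding header asks the server to pad every response to a similar size, so an observer cannot infer the prefix from the response length; the padding entries carry a count of 0 and fall out naturally because a zero count is reported as "not found".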
For businesses, the implications are just as serious. Organizations should audit their cloud deployments now: confirm that every database and storage endpoint requires authentication, keep such services off the public internet or behind a network allow-list, enforce encryption in transit so credentials do not cross the network in clear text, and monitor for unauthorized access or unusual query patterns. Endpoint protection that can detect infostealer malware before it exfiltrates browser data matters more than ever, as does treating an employee's appearance in a leaked dump as an incident: reset the password, revoke active sessions, and check whether the same password was reused elsewhere.
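The audit step above comes down to two questions: does any database service answer without credentials, and does any storage policy grant access to everyone? The following is an added example, not code from Cybernews, Elastic or AWS, with constructed configuration and policy samples covering both the unauthenticated Elasticsearch instances and the open object storage described earlier, each weak setting shown beside its corrected form. Names such as example-exports and the IAM role ARN are assumptions; the live probe at the end is for endpoints you own.

```python
"""Audit checks for the two misconfigurations behind the exposed datasets:
an Elasticsearch HTTP API reachable without authentication, and object
storage whose policy grants access to everyone.

Added example, not code from Cybernews, Elastic or AWS. The config and
policy documents are constructed samples; elasticsearch_findings() takes
the flattened keys of elasticsearch.yml as a dict, public_statements()
takes a parsed S3 bucket policy. probe_elasticsearch() is a live check
for endpoints you own and is not exercised offline.
"""
import json
import urllib.error
import urllib.request

LOOPBACK_BINDINGS = {"127.0.0.1", "::1", "localhost", "_local_"}


def elasticsearch_findings(settings):
    """Return a list of findings for an elasticsearch.yml key/value dict.
    Clusters before 8.0 shipped with xpack.security.enabled defaulting to
    false, so only an explicit True counts as authenticated here."""
    findings = []
    host = str(settings.get("network.host", "127.0.0.1"))
    reachable = host not in LOOPBACK_BINDINGS
    security = settings.get("xpack.security.enabled")
    if reachable and security is not True:
        findings.append(
            f"network.host={host} with xpack.security.enabled={security!r}: "
            "anyone who can reach the port can read and delete every index"
        )
    if reachable and security is True and settings.get("xpack.security.http.ssl.enabled") is not True:
        findings.append("HTTP API without TLS: credentials cross the network in clear text")
    return findings


def public_statements(policy):
    """Return the Allow statements that grant access to everyone ('*') with
    no Condition. Simplified form of the rule AWS uses to mark a bucket
    public; account-level S3 Block Public Access would still override it."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    public = []
    for s in statements:
        if s.get("Effect") != "Allow":
            continue
        principal = s.get("Principal")
        everyone = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"])
        )
        if everyone and not s.get("Condition"):
            public.append(s)
    return public


def probe_elasticsearch(base_url, timeout=5):
    """Ask an endpoint you own for its index list with no credentials.
    HTTP 200 means the data is readable by anyone who can reach it;
    401/403 means authentication is enforced."""
    url = f"{base_url.rstrip('/')}/_cat/indices?format=json"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return f"OPEN: {len(json.load(resp))} indices readable without auth"
    except urllib.error.HTTPError as e:
        return "authentication enforced" if e.code in (401, 403) else f"HTTP {e.code}"
    except (urllib.error.URLError, OSError) as e:
        return f"unreachable: {e}"


# Constructed samples: the weak setting beside the corrected one.
OPEN_ES = {"network.host": "0.0.0.0", "xpack.security.enabled": False}
SAFE_ES = {"network.host": "0.0.0.0", "xpack.security.enabled": True,
           "xpack.security.http.ssl.enabled": True}

PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-exports/*"}]}
SAFE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-exports/*"}]}

if __name__ == "__main__":
    for name, cfg in (("open", OPEN_ES), ("hardened", SAFE_ES)):
        print(f"elasticsearch ({name}): {elasticsearch_findings(cfg) or 'no findings'}")
    for name, pol in (("public", PUBLIC_POLICY), ("scoped", SAFE_POLICY)):
        print(f"bucket policy ({name}): {len(public_statements(pol))} public statement(s)")
```

The configuration check is deliberately strict about an absent xpack.security.enabled key: on the 7.x and older clusters that made up so many of the exposed instances, absent meant off. The policy check is the bucket-level half of the picture only; a bucket can also become public through ACLs, and a correctly set Block Public Access at account level makes the statement harmless, so treat a hit as "investigate", not "proven exposed".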
There is also a strong call for platform providers and cloud services to offer more secure default settings, clearer alerts, and better user education for developers and admins who may not fully understand the risks of leaving a database open.
While the true extent of the damage may not be known for months—or even years—it is clear that the exposure of 16 billion login records represents a seismic event in the cybersecurity world. It also reinforces a hard truth: the more we rely on interconnected services, the more vigilant we must be about protecting access to them.
If cybersecurity researchers were able to uncover this data, so too can hackers, scammers, and nation-state actors. In a digital landscape where access equals control, leaving billions of credentials exposed online is not just an oversight—it’s a global security crisis.