16 billion Apple, Facebook, Google, and other passwords leaked
A massive leak of 16 billion login credentials has been confirmed, including usernames and passwords associated with major platforms such as Apple, Facebook, Google, and numerous others. Researchers say this may be the largest password leak in history, with datasets never seen before, raising serious alarms for users and businesses worldwide.
This shocking event is not just about a few leaked passwords. It’s a clear sign that cybercriminals are working together, using advanced tools called infostealers to collect login data from millions of people across the internet. And now, that stolen data is floating around on the dark web, ready to be bought, sold, or misused.
What happened?
This story first came to light on June 18, 2025, and was updated on June 22 to reflect more details from cyber security experts and researchers. The leaked data appears to be the result of multiple attacks by infostealers, malware tools that secretly collect usernames and passwords from infected computers and send them to criminals.
Cybernews researcher Vilius Petkauskas shared that at least 30 separate datasets, each containing tens of millions to over 3.5 billion records, were discovered. The final number? A jaw-dropping 16 billion leaked credentials.
According to security expert Lawrence Pingree from Dispersive, even if some of these datasets were repackaged or duplicated, there is no doubt that this is an enormous leak. “Credentials can be misused and are misused, that’s what makes them valuable,” he said.
Which platforms are affected?
The data includes login credentials tied to:
- Apple
- GitHub
- Telegram
- VPNs
- Developer platforms
- Government portals
These credentials were stored in URL-password formats, making it easy for hackers to target specific services. Bob Diachenko, a leading cyber security researcher, confirmed that no centralized breach occurred at these companies. Instead, the passwords were stolen through malware, which collected login details from users and their browsers.
In other words, Apple, Google, and Facebook were not directly hacked, but millions of people who logged into these sites using infected devices had their credentials stolen.
Why is this so dangerous?
This isn’t just about stolen passwords; it’s about access to your entire digital life.
When your login credentials are exposed:
- Hackers can break into your accounts.
- Sensitive business or personal data can be stolen.
- Cybercriminals can pretend to be you.
- Password reuse across platforms puts more accounts at risk.
- Companies face reputational damage, compliance issues, and legal consequences.
“This is not just a leak, it’s a blueprint for mass exploitation,” Cybernews researchers warned. And they’re right. These records are likely to trigger a wave of phishing attacks, account takeovers, and identity thefts.
What are infostealers?
Infostealers are types of malware that silently run in the background of infected systems.
They:
- Collect login URLs, usernames, and passwords.
- Send data back to the attacker.
- Often go undetected by regular users.
Cybercriminals sell this stolen data in dark web marketplaces. Even worse, researchers like Aras Nazarovas say infostealer groups are shifting from Telegram channels to large, centralized databases, making the stolen data easier to access and reuse.
What should you do now?
Here’s how to stay safe:
1. Stop using the same password on multiple accounts
If one of your accounts is breached and you reuse the password elsewhere, all your other accounts become easy targets.
2. Switch to passkeys where available
Apple, Google, and Facebook now support passkey technology, which is more secure than passwords. Passkeys use your device’s built-in security features to confirm your identity.
3. Use a password manager
A password manager helps you create strong, unique passwords for every account. It also alerts you if your passwords are found in a breach.
4. Turn on two-factor authentication (2FA)
Add an extra layer of protection by requiring a code or app to log in, even if someone steals your password.
5. Monitor your accounts for unusual activity
Check for strange login locations, password reset attempts, or messages you didn’t send.
6. Use dark web monitoring tools
These tools let you know if your login information has been exposed, so you can take quick action.
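For a security team, steps 1 and 6 can be combined into one exposure check over a leaked dataset. The sketch below is an added example, not code from the article or from any vendor it names: it assumes each record is laid out as `URL:login:password`, and the `triage` function, the `corp.example` domain and the sample records are all constructed for illustration. It reports which of an organization's logins appear and where the same password was captured on more than one host, keeping only keyed fingerprints of the passwords.

```python
import hashlib
import hmac
import re
import secrets
from collections import defaultdict

# Assumed record layout: URL:login:password. Only the password may contain ':'.
RECORD = re.compile(
    r"^https?://(?P<host>[^/:\s]+)(?::\d+)?(?:/[^:\s]*)?"
    r":(?P<login>[^:\s]+):(?P<password>.+)$"
)

def triage(lines, org_domain):
    """Return (report, skipped): exposed org logins and same-password reuse across hosts."""
    key = secrets.token_bytes(32)  # per-run key, so fingerprints are useless outside this run
    seen = defaultdict(lambda: defaultdict(set))  # login -> fingerprint -> hosts
    skipped = 0
    for line in lines:
        m = RECORD.match(line.strip())
        if not m:
            skipped += 1  # malformed line or unknown layout
            continue
        login = m["login"].lower()
        if not login.endswith("@" + org_domain):
            continue  # not one of the organization's accounts
        fp = hmac.new(key, m["password"].encode(), hashlib.sha256).digest()
        seen[login][fp].add(m["host"].lower())
    report = {}
    for login, by_fp in seen.items():
        hosts = sorted(set().union(*by_fp.values()))
        # A fingerprint seen on more than one host means the password was reused.
        reused = sorted(h for hs in by_fp.values() if len(hs) > 1 for h in hs)
        report[login] = {"hosts": hosts, "reused_on": reused}
    return report, skipped

# Constructed sample records (reserved example domains, made-up passwords).
SAMPLE = [
    "https://accounts.example.com/login:alice@corp.example:Summer2025!",
    "https://vpn.corp.example:8443/auth:alice@corp.example:Summer2025!",
    "https://git.example.org/session:bob@corp.example:p:ss:w0rd",
    "https://mail.example.net/:carol@other.example:hunter2",
    "not a credential record",
]

if __name__ == "__main__":
    report, skipped = triage(SAMPLE, "corp.example")
    for login, info in sorted(report.items()):
        print(login, info)
    print("skipped:", skipped)
```

Every login in the report needs a password reset and a check of the device it was captured from; entries under `reused_on` show where one stolen password opens several systems.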
A wake-up call for organizations
This leak is not just a threat to individuals. Businesses are at serious risk, especially if:
- Employees reuse passwords across work systems.
- Devices are infected with infostealer malware.
- There is no formal GRC (Governance, Risk, and Compliance) strategy in place.
According to cyber security leaders, companies must now rethink their security posture from the ground up.
“Even the strongest passwords mean nothing once a database is compromised,” said Evan Dornbush, CEO of Desired Effect and a former NSA cyber security expert. “Reused credentials across platforms give attackers the keys to your kingdom.”
How CyberArrow GRC helps strengthen your security posture
To protect your company from large-scale leaks like this one, you need more than just strong passwords. You need a clear, structured, and automated way to manage risk, compliance, and governance across your organization.
CyberArrow GRC is a full-featured Enterprise Governance, Risk, and Compliance platform that helps organizations of all sizes:
- Monitor risk exposure across the business.
- Enforce consistent security policies and controls.
- Track compliance with global standards (like ISO 27001, NIST, GDPR, and more).
- Automate evidence collection for audits and certifications.
- Ensure real-time visibility into your risk and control landscape.
By integrating GRC into your everyday operations, CyberArrow helps you identify vulnerabilities, respond to threats faster, and stay compliant with data protection standards without relying on spreadsheets or outdated manual methods.
It also allows your team to cross-map controls across multiple frameworks, meaning you don’t have to duplicate your security efforts.
Read how Emirates enhanced Information Security by automating ISO 27001 with CyberArrow GRC.
Final thoughts
The news of 16 billion leaked passwords is one of the strongest reminders yet: no one is immune. Whether you’re a casual internet user or a global organization, you must take action now to protect your data.
But you can’t do it with weak systems and outdated processes. Use tools that give you visibility, control, and confidence.
CyberArrow GRC helps you build a secure foundation that supports long-term protection, compliance, and growth even as new threats emerge.
