A massive trove of login credentials, reportedly the largest ever, has surfaced online, raising alarms across the tech and cybersecurity world. Researchers say nearly 16 billion usernames and passwords, scraped from around 30 datasets, are now circulating freely. Some reports suggest the real figure may be closer to 19 billion.
Unlike previous breaches that regurgitate outdated details, much of the data appears freshly lifted by infostealer malware. These programmes harvest credentials directly from infected devices, capturing not just usernames and passwords but the entire login sequence—URLs, email addresses, even authentication cookies. In effect, it’s a ready-made kit for anyone looking to hijack accounts.
Jeremiah Fowler, a cybersecurity researcher who analysed one of the data bundles, reviewed a sample of 10,000 records and found active logins for services like Facebook, Google, Instagram, PayPal, and Netflix. Some even included government domain addresses. He contacted a handful of users and confirmed the credentials were real—and still in use.
The implications are wide-ranging. Credential stuffing attacks, where hackers use bots to test stolen logins across multiple services, become much more effective when people reuse passwords. And according to security experts, that remains one of the most common mistakes.
“These datasets are like a cheat sheet for cybercriminals,” said researchers from Cybernews, who helped uncover the leak. “It’s not just that there’s volume. It’s that the information is fresh and usable.”
To put things in context, last year’s so-called RockYou2024 leak exposed 9.9 billion entries. This new batch doubles that number. Yet cybersecurity analysts urge caution when interpreting the figures. While the volume is massive, some of the leaked passwords may still be duplicates or inactive. The core risk is not the size, but the simplicity of exploiting reused credentials at scale.
There’s also concern about the sophistication of phishing campaigns that could emerge from this data. With full login sequences, attackers can craft emails and spoofed login pages that mimic legitimate platforms down to the last detail.
What can you do?
First, reset any reused passwords, especially if they’re linked to more than one account. If your password manager flags a breach, don’t ignore it. Change it immediately.
Second, enable multi-factor authentication (MFA) wherever you can. This acts as a second lock on your account, requiring an extra code or approval even if someone has your password.
Third, use a password manager to generate and store unique, complex passwords—ideally 16 characters or more. That way, you never need to reuse the same password across platforms.
Fourth, be alert to phishing attempts. Emails that look real, login pages that feel familiar—many of these are designed to lure you into giving away access. If anything feels off, don’t click. Type the website address manually into your browser.
Lastly, keep an eye on your online accounts and bank statements. Any unauthorised transaction, no matter how small, is worth reporting.
This breach serves as a blunt reminder. It’s easy to forget that the internet is porous. Our digital habits, however minor, leave behind traces. A saved password, a quick login on a public device, a weak variation of your usual passphrase—it all adds up.
Tech giants like Apple, Google, and Facebook are no strangers to credential leaks. But in most cases, they aren’t the ones breached. Instead, their users are hit indirectly through malware or phishing, and credentials are stolen from individual devices.
The real takeaway isn’t panic. It’s hygiene. Treat your digital keys the same way you’d treat your home keys. If they’re lost, change the locks. If they’re copied, don’t wait for someone to use them. The tools to protect yourself are already available. What matters is whether you use them.
This leak is live now. The response, too, should be immediate. Because while 16 billion may sound like a faceless figure, one of those credentials could be yours.
Sourced from Cybernews investigations, TechRepublic reporting, and independent analysis by cybersecurity researcher Jeremiah Fowler.
Support independent community journalism. Support The Indian Sun.
Follow The Indian Sun on X | Instagram | Facebook
🔐Largest-ever #dataleak exposes ~16B fresh login credentials via #malware. 🚨Active Facebook, PayPal & gov logins confirmed. 🔑Experts urge password resets, MFA & phishing vigilance. 💻"Treat digital keys like house keys." #TheIndianSun @CyberNews
🔗 https://t.co/dlleyTLXRm pic.twitter.com/gzLFamT4he
— The Indian Sun (@The_Indian_Sun) June 20, 2025
Donate To The Indian Sun
Dear Reader,The Indian Sun is an independent organisation committed to community journalism. We have, through the years, been able to reach a wide audience especially with the growth of social media, where we also have a strong presence. With platforms such as YouTube videos, we have been able to engage in different forms of storytelling. However, the past few years, like many media organisations around the world, it has not been an easy path. We have a greater challenge. We believe community journalism is very important for a multicultural country like Australia. We’re not able to do everything, but we aim for some of the most interesting stories and journalism of quality. We call upon readers like you to support us and make any contribution. Do make a DONATION NOW so we can continue with the volume and quality journalism that we are able to practice.
Thank you for your support.
Best wishes,
Team The Indian Sun
