June 21, 2025 — Just when we thought the internet couldn’t get any less secure, cybersecurity researchers have uncovered something that makes previous leaks look small by comparison. A jaw-dropping 16 billion login credentials — including usernames and passwords for some of the world’s most used services — have reportedly been exposed in what may be the largest data breach in history, according to a Forbes report.
And no, that’s not a typo.
How did this happen?
According to Cybernews reporter Vilius Petkauskas, who’s been tracking this since early 2025, the leak comes from a series of attacks involving infostealer malware. These malicious tools quietly siphon login data from infected devices; the stolen data is later compiled into massive databases, many of which end up for sale on dark web forums.
Petkauskas and his team discovered 30 separate datasets, each containing anywhere from tens of millions to over 3.5 billion records. Most of this data hasn’t surfaced before, making the discovery more than a rehash of old breaches—it reveals fresh, active, and highly exploitable credentials.
Why this matters to everyone
The leaked data includes login credentials for major platforms — from Apple, Google, Facebook, and Telegram to GitHub and even some government systems. That means this breach doesn’t just impact a few users — it potentially touches millions, if not billions.
“This isn’t just a leak — it’s a roadmap for cybercriminals,” the research team said. And they’re not exaggerating. With this level of access, threat actors can launch phishing attacks, account takeovers, and a whole chain reaction of cybercrime.
Security expert Lawrence Pingree of Dispersive explained that both criminal groups and intelligence agencies actively use—and misuse—these credential dumps. “The value lies in how they’re misused,” he said. “And at 16 billion records, the threat becomes very real.”
Experts weigh in: What you should do now
This isn’t just a moment for tech pros to sound the alarm — it’s a call to action for every internet user.
“It doesn’t matter how complex your password is — if the database storing it gets hacked, it’s game over,” said Evan Dornbush, CEO of Desired Effect and a former NSA cybersecurity expert.
Security professionals are strongly recommending that users:
- Stop reusing passwords across sites
- Use multi-factor authentication (MFA)
- Invest in a password manager
- Start adopting passkeys, which don’t rely on traditional passwords
Dornbush warned that reusing passwords is a major risk—once hackers get one, they’ll test it across every major service you use.
What about passkeys? Are they the future?
More and more experts agree: passkeys — which use device-based or biometric authentication — are the future of secure login.
Rew Islam, co-chair of the FIDO Alliance and a security lead at Dashlane, said this latest leak only reinforces the need to leave passwords behind. “Passkeys aren’t optional anymore — they’re essential,” he said. Dashlane was one of the first to support them, and now companies like Facebook, Apple, and Google are joining in.
“Users are ready for this,” Islam added. “Most people already use things like Face ID or fingerprint login. Passkeys just build on what they know.”
Is it really your responsibility?
Not everyone agrees that individuals should shoulder the blame. Paul Walsh, CEO of MetaCert, criticized the idea that users should be security experts.
“Telling users to ‘be more careful’ isn’t working — and it hasn’t for over a decade,” Walsh said in a post on X (formerly Twitter). He argues that security companies must do better to protect their users, rather than relying on human vigilance alone.
No matter where you stand in that debate, one thing stands out: we need change — and we need it fast.
Final thoughts: What now?
If you’ve ever reused a password, now is the time to change it. If you haven’t already, it’s also time to:
- Use a trusted password manager
- Set up MFA on all critical accounts
- Enable passkeys where available
- Watch for breach alerts through dark web monitoring tools
As Cybernews researchers said, “This is weaponizable intelligence at scale.” It’s no longer just about protecting your email — it’s about safeguarding your digital identity.
The internet is changing, and with 16 billion credentials now exposed, cybersecurity is no longer optional — it’s a daily necessity.