June 22, 2025: This story, originally published on June 18, has been updated to include details of how to switch from passwords to the much more secure passkey technology if you are an Apple, Facebook or Google user. There is now also additional input from cybersecurity professionals regarding the 16 billion-credential "mother of all leaks," including clarification regarding the legitimacy of the data leaked and the services impacted.
If you thought it was scary when it was confirmed on May 23 that a total of 184 million login credentials had been compromised, researchers have now confirmed what may be the largest breach of all time, with an almost unbelievable 16 billion login credentials, including passwords, exposed. As part of an ongoing investigation that began earlier this year, researchers have postulated that the massive password leak is the work of multiple infostealers. Here’s what you need to know and do.
The biggest password leak yet?
Password compromise is no joke; it leads to account compromise, and that leads to, well, compromise of just about everything you hold dear in this tech-centric world we live in. That’s why Google is urging billions of users to replace their passwords with much more secure passkeys. That’s why the FBI is warning people not to click on links in SMS messages. That’s why stolen passwords are for sale, by the millions, on the dark web to anyone with the minimum amount of money to buy them. And that’s why this latest revelation is, frankly, so concerning to everyone.
According to Vilius Petkauskas of Cybernews, who says researchers have been investigating the leak since the beginning of the year, “30 exposed data sets, containing anywhere from tens of millions to more than 3.5 billion records each,” have been discovered. In total, Petkauskas confirmed, the number of compromised records reached 16 billion, making this what is believed to be the largest leak of its kind in history.
“Intelligence agencies and threat actors use this data and accumulate these lists on the dark web,” said Lawrence Pingree, vice president of Dispersive, “sometimes repackaged multiple times, sometimes sold individually.” As Pingree told me, it’s hard to say without examining the entire dataset, deduplicating the data, and comparing it to datasets from independent breaches whether this is a repackaged leak or not. However, Cybernews’ researchers are certain it isn’t. Regardless, as Pingree put it, “16 billion records is a big number,” and these credential data “can be misused and are misused—that’s what makes them valuable.”
The 16 billion-record leak, housed in several supermassive datasets, includes billions of login credentials for social media, VPNs, developer portals, and user accounts from seemingly every major vendor. This has been disputed by some cybersecurity professionals, but whatever the truth, it remains a major cause for concern.
Conclusion
Replace your passwords with passkeys now
While you may not want to replace all your account passwords as a result of this latest leak revelation, I would definitely recommend doing so if you’ve already reused some of those credentials across more than one service. Start using a password manager and switch to passkeys whenever possible.