A staggering 16 billion login credentials — including usernames, emails, and passwords for Apple, Google, Facebook and more — have been leaked online, shocking cybersecurity researchers. The data even contained the credentials of government officials, posing security concerns.
The compromised data was scraped from over 30 databases since the start of 2025 and likely stems from malicious “infostealer” software designed to extract sensitive information from victims’ devices, a report published by Cybernews reveals. The leaked credentials span nearly every type of online service imaginable from social media and email accounts to VPNs and developer platforms.
“No stone was left unturned,” the report warns.
Don’t miss
How hackers can use the data
This breach isn’t just about stolen email addresses, it’s about what cybercriminals can do with your full login credentials — especially if you tend to use the same passwords across your different accounts.
Once hackers get your email and password combo, they can launch a range of attacks, including:
-
Credential stuffing: Hackers try your login across banking, streaming, shopping, or investment sites. If you reuse passwords, they could gain access to your most sensitive accounts.
-
Phishing and social engineering: With access to personal details or email accounts, scammers can send convincing fake messages or impersonate you to friends, coworkers, or customer service agents.
-
Identity theft: Stolen credentials can be used to open credit cards, apply for loans, or take over government benefit accounts in your name.
-
Access to 2FA and backups: If hackers get into your email, they may intercept security codes, password reset links, or even gain access to your cloud storage and documents.
Google, Facebook, Netflix, Apple, LinkedIn, Dropbox and PayPal are among the slew of accounts with data compromised meaning nearly every kind of online identity is at risk.
Even worse: many of the stolen credentials are in plain text, making them incredibly easy to exploit with automated tools.
While the current combination of credential data is new, some of the data could also be from previous data breaches, including a database containing 184 million records discovered back in May of this year.
Read more: Want an extra $1,300,000 when you retire? Dave Ramsey says this 7-step plan ‘works every single time’ to kill debt, get rich in America — and that ‘anyone’ can do it
How to protect yourself from cybercrimes
With billions of passwords out in the wild, here’s how to stay one step ahead of hackers:
-
Change your passwords — especially for email, banking and shopping accounts. If you reuse passwords, it’s time to break the habit.
-
Turn on 2FA — that’s two-factor authentication. It adds a second layer of defense, and it’s free on most platforms.
-
Use a password manager — stop relying on your memory (or sticky notes). Let an encrypted vault generate strong passwords for you. This makes it easier to change your password frequently, too.
-
Watch your inbox — phishing scams tend to spike after big breaches. Don’t click suspicious links, even if they look legit.
Most importantly, monitor any financial accounts you have closely. Think PayPal, bank accounts and credit cards etc. Check your statements and even pull a credit report from Equifax, Experian or Transunion.
“This is the mother of all data breaches,” Ed Peters, CEO of Data Discovery Sciences, said to NBC 5 DFW. “We tend to think of a lone hacker going and stealing your data. That’s not the case.”
With cybercriminals sitting on a dragon’s hoard of credentials, experts say the risks of account takeovers, phishing and fraud are higher than ever.
Don’t wait for a “suspicious activity” email — lock it down now.
What to read next
Like what you read? Join 200,000+ readers and get the best of Moneywise straight to your inbox every week. Subscribe for free.
This article provides information only and should not be construed as advice. It is provided without warranty of any kind.
Leave a Reply