CPO Magazine - News, Insights and Resources for Data Protection, Privacy and Cyber Security Leaders
CPO Magazine - News, Insights and Resources for Data Protection, Privacy and Cyber Security Leaders
  • Home
  • News
  • Insights
  • Resources
Opened red padlock showing login credentials leaked
Cyber SecurityNews
·5 min read

Mysterious Hoard of Leaked Login Credentials Contains 16 Billion Passwords

Scott Ikeda·June 23, 2025

A trove of stolen login credentials belonging to an unknown party was briefly exposed to the internet, giving security researchers access to a total of 16 billion passwords. That number falls a few billion short of the “Mother of All Breaches (MOAB)” collection that appeared a little over a year ago for the all-time record, but researchers say that much of the information in this new collection has not been seen in prior leaks.

The new collection is neatly organized into different datasets by localities and breached services among other entries. Other evidence points to it being harvested by infostealer malware. The collection was discovered by SecurityDiscovery.com’s Bob Diachenko, who says that the datasets do not point to any new major breaches of individual organizations but that the scope of new entries indicates that this malware is probably more prevalent than previously thought.

Massive login credentials collection contains multiple organized datasets, uses infostealer malware formatting

The set of login credentials was not a public leak. It was accidentally exposed to the internet via improperly secured Elasticsearch and object storage instances for a short period, but long enough for Diachenko and other researchers to hit upon it. It is unknown who is controlling these caches, but it is almost certainly some sort of organized cyber crime group given the size and categorization. The data also tends to be formatted in a style that is common to the output of infostealer malware. These logs collect the URL of the breached credentials followed by the login details and password, in some cases also appending tokens, metadata and cookies.

Not all of the login credentials are new. Some of the trove is a repackaging of prior leaks, as well as credential stuffing sets that were already available. It is also divided into many different individual datasets that range in size from about 3.5 billion entries at the largest to 16 million at the smallest. Only three of the individual sets range into the billions of entries, with most landing somewhere in the millions.

The sets of login credentials also tend to be grouped by various demographics and sources. The smallest set of 16 million credentials makes plain that it was taken by a particular type of infostealer malware. Another was a set of Telegram credentials. One of the larger entries, at almost half a billion records, was composed entirely of breached individuals from the Russian Federation. Another appeared to be a collection specific to Portuguese users.

Security researchers stress that there does not appear to be any new breaches of consequence feeding the data sets, however. Though some unknown quantity of the login credentials are new to the public internet, criminals were likely sitting on them for some time. Some of the stolen information may have been private for years, and long since addressed by users or services when login attempts were made by would-be hackers.

The breach also appears to be fed by multiple types of infostealers, but in general these malicious pieces of software target credentials stored in web browsers. Users that have MFA enabled on accounts have a strong layer of protection against being compromised even if infected by an infostealer.

Patterns in the stolen login credentials trade may be shifting

The researchers note that 16 billion passwords equate to roughly two leaked accounts per person across the population of the Earth, though people tend toward an average of closer to 100 accounts each now (and that’s before things like organizational accounts and smart devices are factored in to the total). The average person is thus probably not facing substantially increased risk from this collection, but these incidents always serve as a good reminder to review passwords for duplicates and hygiene and to implement MFA wherever it is possible and practical.

But Brian Soby, co-founder at CTO at AppOmni, notes that it is still a very substantial general threat: “A 16-billion-record data leak is hardly a surprise. For too long, we’ve relied on outdated security measures, and this is the predictable result. The sheer scale of this breach, with data from virtually every major online platform, from Apple and Google to government services, isn’t the whole story. The real threat is the weaponization of this data against the SaaS applications that form the backbone of our economy. This isn’t just a collection of old, previously leaked passwords; it appears to be a new, massive, and highly organized library of credentials. This gives cybercriminals a roadmap for widespread account takeovers that could bypass traditional security measures with ease. Every login to a SaaS platform and every cloud service accessed is now a potential entry point for attackers. Complicating breaches such as these is the widespread susceptibility to credential attacks within organizations’ applications. We commonly see organizations implement large identity management projects to federate authentication or Secure Access Service Edge (SASE) projects to secure access to their applications. However, these projects almost always fall short of preventing credentials attacks because they don’t go far enough to configure the applications to disable credential use and mandate the use of the installed SASE. Large credential dumps such as these are likely to highlight just how many organizations indeed remain vulnerable to credential attacks due to these insufficient protections.”

The researchers also note that the centralization and organization of the stolen login credentials in a collection of this size possibly points to criminals moving away from sharing their resources directly via messaging and posting services like Telegram and Pastebin, instead granting each other to cloud storage capable of handling these groupings of tens of billions of collated records. Approov CEO Ted Miracco sees this as being directly related to the rise of AI and its adoption by threat actors: “This isn’t just about stolen credentials, it’s really about unlocking automated exploitation at scale. Agentic AI systems can leverage exposed APIs and mobile app vulnerabilities to become the perfect attack surfaces. With billions of credentials circulating, it’s not hard for autonomous agents to systematically test, breach, and escalate. Weak or missing mobile and API protections are an open invitation for AI-driven intrusions. This is a convergence of data theft and autonomous weaponization.”

Inevitable centralization of stolen login credentials has also been an ongoing trend for some years now. In addition to the MOAB that dropped in early 2024, the massive “RockYou” collection that was found that summer contained some 10 billion unique passwords. And this has also become an international phenomenon, as both this breach and a recent 631 GB leak from China demonstrates. That breach, which was first reported in early June, contained about four billion user records including 805 million WeChat accounts and 630 million records from a financial services provider that contained payment card numbers.

Desired Effect CEO Evan Dornbush, a former NSA cybersecurity expert, expands on how the average person should react to these events: “It doesn’t matter how long or complex your password is.  When an attacker compromises the database that stores it, they have it. This is why experts wisely advise everyone to use multi factor authentication and regularly update each and every password. This is also why it’s so critical not to use the same password at multiple sites.  If an attacker steals a password from one database and the individual has reused it elsewhere, then the attacker can gain access to those accounts as well. This is basic digital life hygiene that should be taught everywhere: town meetings, PSAs, schools – everywhere. Today’s the day to embrace this practice – starting with changing all potentially affected passwords., activating multifactor authentication, and ensuring zero password reuse.”

 

Tags
Login Credentials
Scott Ikeda
Senior Correspondent at CPO Magazine
Scott Ikeda is a technology futurist and writer for more than 15 years. He travels extensively throughout Asia and writes about the impact of technology on the communities he visits. Over the last 5 years, Scott has grown increasingly focused on the future landscape of big data, surveillance, cybersecurity and the right to privacy.
Related
Passwords on screen showing login credentials
Cyber SecurityInsights

Credential Landfills: Why Old Password Dumps Keep Masquerading as New Breaches

October 17, 2025
Data center racks with enterprise hardware showing security breach of login credentials
Cyber SecurityNews

Hackers Compromised Two Large Data Centers in Asia and Leaked Major Tech Giants’ Login Credentials

March 8, 2023
- Advertisement -
- Advertisement -

Latest

Cityscape and bubble chat showing phishing campaign for messaging apps

Russian Phishing Campaign Targets Messaging App Users to Steal Recovery Keys and Take Over Accounts

Light trails on the Westminster bridge showing agentic AI and cyber defense

“Cyber Shield,” Britain’s Agentic AI Cyber Defense Project, Prepares for the World of Machine-Speed Attacks

Open digital lock showing data breach

Data Breach Hits AssuranceAmerica Exposing Personal Information of Nearly 7 Million People

Red alert with skull symbol showing data breach

Data Breach at Aflac Japan Impacts 4.38 Million Customers and Sales Agents

- Advertisement -
- Advertisement -
- Advertisement -
- Advertisement -

Learn More

About
Contact
Our Advertising
Privacy Policy
Cookie Policy
Terms of Use

CPO Magazine

News, insights and resources for data protection, privacy and cyber security professionals.

Learn More

About
Contact
Our Advertising
Privacy Policy
Cookie Policy
Terms of Use

Categories

Data Privacy
Data Protection
Cyber Security
Tech
Digital
Insights
News
Resources
Press Releases

© 2025 Rezonen Pte. Ltd.
CPO Magazine - News, Insights and Resources for Data Privacy, Protection and Cybersecurity Leaders
  • Home
  • News
  • Insights
  • Resources
    Start typing to see results or hit ESC to close
    Data Breach U.S. Cyber Attack Regulations Ransomware Attack
    See all results