
16 billion logins leaked in one of the largest undiscovered breaches


Researchers have uncovered 16 billion exposed login records across dozens of datasets, most of which had never been publicly reported.

 

What happened

Cybernews researchers have discovered what may be one of the largest credential exposures on record: roughly 16 billion login records spread across 30 datasets, compiled from infostealer malware logs, credential stuffing lists, and previously unreported leaks. This is an aggregation of many sources rather than a single breach of one organization, so the headline figure counts records, not distinct people. The datasets covered everything from social media and developer platforms to corporate and government systems. Only one of the 30 datasets had been publicly reported before, which is what makes the scope and scale especially alarming.

 

Going deeper

The datasets were uncovered through routine internet monitoring and were briefly reachable on Elasticsearch instances and object storage buckets that had been exposed without authentication. Most followed the structured format typical of infostealer logs: URL, username, and password. Some files also included session tokens, cookies, and metadata. A still-valid session cookie is worse than a password in one respect: replaying it resumes an already-authenticated session, which sidesteps the login form and any multi-factor prompt entirely.

The largest single dataset held more than 3.5 billion records and appeared to be linked to Portuguese-speaking users. Others referenced services such as Telegram, GitHub, and Apple. The diversity of the data suggests cybercriminals are aggregating leaks from multiple sources and continuously folding fresh logs into massive, exploitable databases.

Researchers could not determine how much the datasets overlapped or how many individuals were uniquely affected, so the 16 billion figure is an upper bound on records, not a count of victims. Even so, the frequency of such discoveries suggests that massive credential compilations are now routine, and each one fuels account takeover, phishing, and ransomware intrusions.
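The URL, username, password layout described above is what a defender actually receives when a stealer log lands on their desk, and the overlap question is the first thing to answer before trusting any headline count. The following is an added example, not code or data from the article or from Cybernews: it parses constructed sample lines in that layout, deduplicates them, and reports how many records are shared between two dumps and how many user-plus-password pairs unlock more than one site. The sample dumps, host names and passwords are all invented for the example.

```python
"""Parse stealer-log lines in the url:username:password shape and measure overlap.

Added example; the dumps below are constructed and not from the datasets the
article describes.
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample "dumps": two files with deliberate overlap, a URL with a port,
# a www. prefix, a mixed-case username, and one line that is not a credential.
DUMP_A = """\
https://github.com/login:alice@example.com:Hunter2!
https://web.telegram.org/:+15550100:Tg-pass1
https://account.apple.com/:alice@example.com:Hunter2!
https://intranet.example.com:8443/login:bob:Summer2024
not a credential line
"""

DUMP_B = """\
https://www.github.com/login:Alice@Example.com:Hunter2!
https://github.com/login:carol:correct-horse
https://account.apple.com/:alice@example.com:Hunter2!
"""


def parse_line(line: str):
    """Return (host, username, password) or None if the line is not url:user:pass.

    Splitting from the right keeps colons inside the URL (scheme, port) intact.
    A colon inside the password is ambiguous in this format and would truncate it;
    that is a limit of the stealer-log format itself, not of this parser.
    """
    parts = line.strip().rsplit(":", 2)
    if len(parts) != 3:
        return None
    url, user, password = parts
    host = urlsplit(url).hostname  # lower-cased by urlsplit; None without a scheme
    if not host or not user or not password:
        return None
    if host.startswith("www."):
        host = host[4:]
    return host, user.lower(), password


def load(dump: str):
    """Parse one dump into a set of unique (host, user, password) records plus a reject count."""
    records, rejected = set(), 0
    for line in dump.splitlines():
        if not line.strip():
            continue
        parsed = parse_line(line)
        if parsed is None:
            rejected += 1
        else:
            records.add(parsed)
    return records, rejected


def overlap_report(*dumps: str) -> dict:
    """Summarise raw line count versus unique records, cross-dump overlap and password reuse."""
    parsed = [load(d) for d in dumps]
    union = set().union(*(records for records, _ in parsed))
    seen_in = Counter(rec for records, _ in parsed for rec in records)
    hosts_per_identity = defaultdict(set)  # (user, password) -> hosts it unlocks
    for host, user, password in union:
        hosts_per_identity[(user, password)].add(host)
    return {
        "raw_lines": sum(1 for d in dumps for l in d.splitlines() if l.strip()),
        "rejected": sum(rejected for _, rejected in parsed),
        "unique_records": len(union),
        "shared_records": sum(1 for n in seen_in.values() if n > 1),
        "unique_accounts": len({(host, user) for host, user, _ in union}),
        # same user+password on more than one host: the reuse credential stuffing exploits
        "reused_passwords": sum(1 for hosts in hosts_per_identity.values() if len(hosts) > 1),
    }


if __name__ == "__main__":
    for key, value in overlap_report(DUMP_A, DUMP_B).items():
        print(f"{key:>17}: {value}")
```

On the constructed input, eight raw lines collapse to five unique records, two of which appear in both dumps, and one identity reuses its password across two hosts. Run against real compilations, the gap between raw lines and unique records is exactly the overlap the researchers could not measure.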

 

What was said

“This is not just a leak—it’s a blueprint for mass exploitation,” researchers said, warning that the inclusion of both new and historical infostealer logs makes the data especially dangerous for users without multi-factor authentication or good password hygiene.

The team stated that while the datasets were briefly exposed and have since been taken down, their existence reveals how easy it is for threat actors to access and weaponize sensitive login data at scale.

 

The big picture

The discovery points to a growing practice of compiling breach data from many sources into structured datasets built for large-scale attacks. Many of the credentials are recent and organized in a way that makes them easy to exploit, especially against individuals or organizations that reuse passwords or lack multi-factor authentication. Even a small fraction of valid credentials lets attackers carry out phishing, identity theft, or account compromise with little effort. Because there is no single breached organization to notify victims, and because the data has no identifiable owner, affected users have little ability to respond after the fact, which reinforces the need for strong, preventive security habits.

 

FAQs

How do infostealers collect login data from users?

Infostealers are malware that silently harvest saved browser passwords, session cookies, and autofill data from an infected device and upload them to the operator, who bundles the results into the logs seen in these datasets. They are usually delivered through phishing emails, cracked or trojanized software, and malicious ads.

 

Why are unsecured Elasticsearch and object storage servers commonly involved in leaks?

Elasticsearch is a search and analytics engine and object storage holds files in cloud buckets; both are frequently deployed bound to a public interface with authentication disabled or with world-readable permissions, so anyone who reaches the address can read the data. Researchers and attackers alike run internet-wide scans for such open instances, which is why exposures like these are found within days.

 

What is credential stuffing, and how does it relate to these datasets?

Credential stuffing is the automated replay of leaked username and password pairs against other services, betting that users reused the same password. Datasets like these supply the raw material, so the attacks become cheaper and larger in scale.
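Credential stuffing has a recognisable shape in authentication logs: one source walks through many different usernames in a short window and succeeds only where a password was reused. The following detection logic is an added example, not code from the article or from any product; it uses a constructed log line format (`<timestamp> auth ip=<ip> user=<user> result=ok|fail`), invented sample addresses and users, and thresholds chosen for the sample, all of which you would adapt to your identity provider's logs.

```python
"""Flag credential-stuffing bursts in authentication logs.

Added example with a constructed log format; adapt LOG_RE to your IdP's logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: one source cycles through twelve different accounts in
# under a minute and gets one hit; a real user fat-fingers twice, then succeeds.
STUFFING_BURST = [
    f"2025-06-18T10:00:{i * 4:02d}Z auth ip=198.51.100.7 "
    f"user=user{i:02d}@example.com result={'ok' if i == 9 else 'fail'}"
    for i in range(12)
]
NORMAL_TRAFFIC = [
    "2025-06-18T10:00:05Z auth ip=203.0.113.5 user=alice@example.com result=fail",
    "2025-06-18T10:00:12Z auth ip=203.0.113.5 user=alice@example.com result=fail",
    "2025-06-18T10:00:20Z auth ip=203.0.113.5 user=alice@example.com result=ok",
    "2025-06-18T10:01:00Z auth ip=203.0.113.9 user=bob@example.com result=ok",
]
SAMPLE_LOG = STUFFING_BURST + NORMAL_TRAFFIC


def parse_events(lines):
    """Turn matching log lines into dicts with a parsed timestamp; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_attempts=10,
                    min_distinct_users=8, max_success_ratio=0.2):
    """Per source IP, slide a time window and flag many-user, mostly-failing bursts.

    A legitimate user retrying one account never reaches min_distinct_users; a
    stuffer replaying a leaked list touches many accounts and succeeds only where
    the password was reused, so the success ratio stays low. Returns {ip: summary}
    for the widest qualifying window per IP, including the accounts that did succeed.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            successes = [e["user"] for e in win if e["result"] == "ok"]
            if (len(win) >= min_attempts and len(users) >= min_distinct_users
                    and len(successes) / len(win) <= max_success_ratio):
                if ip not in alerts or len(win) > alerts[ip]["attempts"]:
                    alerts[ip] = {
                        "attempts": len(win),
                        "distinct_users": len(users),
                        "successes": len(successes),
                        "compromised": sorted(set(successes)),
                    }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_events(SAMPLE_LOG)).items():
        print(ip, summary)
```

The accounts in `compromised` are the ones to force-reset and whose sessions to revoke first. Per-IP thresholds catch the crude version; stuffing spread across a proxy pool shows up instead as a rise in the number of distinct usernames failing per minute across the whole service, so keep a global baseline alongside this check.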

 

What’s the difference between old leak data and infostealer logs?

Old leak data typically comes from previously hacked databases, while infostealer logs are captured in real time from active infections and often include fresher, more complete user session data.

 

How can organizations protect against the impact of mass credential leaks?

They should enforce multi-factor authentication (preferably a phishing-resistant method), monitor for abnormal login behaviour such as many distinct usernames failing from one source, screen new passwords against known-breached lists, force a reset whenever an employee credential surfaces in a leak, and revoke active sessions after a compromise so stolen cookies stop working. Scheduled password rotation is not a substitute: current guidance (NIST SP 800-63B) calls for resetting passwords on evidence of compromise rather than on a calendar, because forced periodic changes push users toward predictable variants of the same password.
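Screening a password against a breach corpus should never send the password itself to a third party. The following added example (not code from the article, nor the official client of any service) implements the k-anonymity range protocol that Have I Been Pwned's Pwned Passwords API uses: only the first five hex characters of the password's SHA-1 leave your network, the service returns every suffix in that range with its count, and the match is made locally. The range response embedded below is constructed for offline use; its middle row is the real SHA-1 suffix of the string `password`, but the counts are made up. The live fetcher is included for reference and is not called.

```python
"""Check a password against a breach corpus without sending the password.

Added example of the k-anonymity range check used by Have I Been Pwned's
Pwned Passwords API; the range response below is constructed for offline use.
"""
import hashlib
import urllib.request

# Constructed stand-in for one range response (SUFFIX:COUNT per line). The middle
# entry is the real SHA-1 suffix of "password"; the counts are invented.
CONSTRUCTED_RANGE_5BAA6 = """\
1E2F3A4B5C6D7E8F9A0B1C2D3E4F5A6B7C8:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:10434004
AB12CD34EF56AB78CD90EF12AB34CD56EF7:1
"""


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 into the 5-char prefix sent and the 35-char suffix kept."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Map each returned suffix to its breach count; padded zero-count rows stay as 0."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in the corpus; 0 if its suffix is absent."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def offline_fetch_range(prefix: str) -> str:
    """Offline stand-in used by this example; any other prefix yields an empty range."""
    return {"5BAA6": CONSTRUCTED_RANGE_5BAA6}.get(prefix, "")


def http_fetch_range(prefix: str) -> str:
    """Live fetcher for the real endpoint (defined for reference, not called here).

    Add-Padding asks the service to pad responses so their size does not hint at
    which prefix was queried.
    """
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "leak-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def acceptable_new_password(password: str, fetch_range=offline_fetch_range) -> bool:
    """Set-time policy: reject any password that already appears in the breach corpus."""
    return breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for pw in ("password", "correct-horse-battery-staple-9x"):
        print(pw, breach_count(pw, offline_fetch_range), acceptable_new_password(pw))
```

Swap `offline_fetch_range` for `http_fetch_range` to run it for real. The same prefix-and-suffix split is how a self-hosted copy of the corpus can be queried from a password-set hook without the plaintext ever leaving the authentication service.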
