Researchers have just revealed what could be one of the largest data breaches ever recorded: 16 billion usernames and passwords are circulating freely on the internet. The scale and freshness of the data raise fears of a wave of digital attacks to come.
Data freshly siphoned off by malware
The alert was raised by Cybernews experts, who uncovered some thirty data sets totaling more than 3.5 billion unique records. These files contain a wealth of sensitive information: email addresses, usernames, passwords, cookies, access tokens, and even personal metadata. According to the researchers, this data was not exfiltrated randomly, but was collected primarily by "infostealers," malware specifically designed to siphon off users' private information. This malware is responsible for many recent leaks, such as the one targeting Snowflake customers. It is now responsible for millions of device infections worldwide, according to Kaspersky data.
A massive exploitation base in the hands of attackers
The information collected wasn't just stolen via viruses; it was also enriched by credential stuffing attacks: hackers exploit the credentials from an initial leak to attempt to log into other platforms. If two-factor authentication isn't enabled, access is often immediate. The services affected are numerous: social networks (Facebook, Telegram), cloud giants (Apple, Google), professional platforms, government portals, financial services, and even VPNs. And unlike old, rehashed breaches, this is recent data, still usable.
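From the defender's side, credential stuffing as described above leaves a recognizable trace in authentication logs: one source trying many different accounts, mostly failing. The following detection sketch is an added example, not part of the original article; the log format, outcome names, and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample auth events (assumed format): timestamp, source IP, account, outcome
SAMPLE_LOG = """\
2025-06-20T10:00:01Z 203.0.113.7 alice@example.com BAD_PASSWORD
2025-06-20T10:00:02Z 203.0.113.7 bob@example.com BAD_PASSWORD
2025-06-20T10:00:03Z 203.0.113.7 carol@example.com SUCCESS
2025-06-20T10:00:04Z 203.0.113.7 dave@example.com BAD_PASSWORD
2025-06-20T10:00:05Z 203.0.113.7 erin@example.com MFA_CHALLENGE_FAILED
2025-06-20T10:00:06Z 203.0.113.7 frank@example.com BAD_PASSWORD
2025-06-20T10:01:00Z 198.51.100.4 grace@example.com BAD_PASSWORD
2025-06-20T10:01:05Z 198.51.100.4 grace@example.com BAD_PASSWORD
2025-06-20T10:01:09Z 198.51.100.4 grace@example.com SUCCESS
2025-06-20T10:02:00Z 192.0.2.10 heidi@example.com SUCCESS
"""

# Outcomes in which the submitted password was correct, whether or not a session was granted
PASSWORD_ACCEPTED = {"SUCCESS", "MFA_CHALLENGE_FAILED"}

def detect_stuffing(log, min_accounts=5, min_fail_ratio=0.5):
    """Flag source IPs that try many distinct accounts with mostly failed logins."""
    by_ip = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, ip, user, outcome = parts
        by_ip[ip].append((user.lower(), outcome))
    findings = {}
    for ip, events in by_ip.items():
        accounts = {u for u, _ in events}
        failures = sum(1 for _, o in events if o != "SUCCESS")
        # One user mistyping a password hits a single account; stuffing hits many
        if len(accounts) < min_accounts or failures / len(events) < min_fail_ratio:
            continue
        findings[ip] = {
            "accounts_tried": len(accounts),
            # Sessions granted on password alone: treat as account takeovers
            "taken_over": sorted({u for u, o in events if o == "SUCCESS"}),
            # Password was valid even where 2FA stopped the login: force a reset
            "password_exposed": sorted({u for u, o in events if o in PASSWORD_ACCEPTED}),
        }
    return findings

if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

Accounts where two-factor authentication blocked the login still appear under `password_exposed`, because the attacker has confirmed that the leaked password is valid.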
A global but ephemeral alert?
Even though the data was only temporarily accessible, it is now in the possession of cybercriminals. With such a volume of credentials, the possibilities for attacks are vast: ransomware extortion, account takeover, phishing campaigns, or targeted espionage. For the researchers behind this discovery, this is not simply another data theft, but an active infrastructure, ready to be used as leverage for massive operations. This is a worrying precedent, in a context where leaks are multiplying: in just a few months, other leaks have already exposed billions of credentials, notably via RockYou2024 or other databases distributed online.
Simple actions to limit risks
Faced with this growing threat, experts are reminding us of the importance of a few best practices: adopting unique and complex passwords, avoiding password reuse, and, above all, enabling two-factor authentication on all sensitive accounts. Because in the age of mass hacking, digital caution is more essential than ever.