Massive Data Breach Exposes 16 Billion Passwords: An Unprecedented Risk to Global Cybersecurity

A Cybernews investigation reveals one of the largest credential leaks ever documented, fueled by infostealer malware with potential access to platforms like Google, Apple, Facebook, and more.

An unprecedented leak has shaken the global digital ecosystem: over 16 billion credentials have been exposed in a series of databases recently discovered by the Cybernews research team. This revelation, confirmed by experts such as Bob Diachenko and Aras Nazarovas, poses one of the greatest cybersecurity threats in recent years, providing cybercriminals with a massive arsenal of personal and corporate data.

The compromised information reportedly comes from multiple infostealer malware campaigns designed to steal access credentials, session tokens, cookies, and other sensitive data stored in browsers and systems. Far from being a simple compilation of old leaks, this exposure includes recent and highly structured data that could facilitate account takeovers, targeted phishing attacks, identity theft, and unauthorized access to corporate and governmental networks.

30 Databases and Billions of Records

The investigation has identified 30 different databases, each holding anywhere from tens of millions to more than 3.5 billion individual records. Duplicates across the sets are likely, but the total volume still highlights the magnitude of the problem. Some files were generically labeled as "logins" or "credentials," while others referenced specific services such as Telegram or geographical origins such as the Russian Federation.

On average, each database contained about 550 million records, with the largest one potentially linked to a Portuguese-speaking community. This organization suggests the data is not a random, disorganized dump but a set of working collections aimed at specific services.

Emerging Threats: Phishing, BEC, and Ransomware

Experts state that the combination of recent and old records, along with additional information like cookies or access tokens, makes this leak a dangerous resource for malicious actors. Its impact is particularly concerning for organizations lacking multifactor authentication (MFA) or maintaining weak credential hygiene practices.

Moreover, this data allows for scaling phishing campaigns, business email compromise (BEC) attacks, and initial access for ransomware campaigns.

"This is not just a leak; it’s a roadmap for mass exploitation," warns Cybernews. "The structure and freshness of the data allow for the exploitation of platforms like Apple, Facebook, Google, GitHub, Zoom, or even governmental services."

A Shift in Criminal Models

Researcher Aras Nazarovas points to a paradigm shift in the behavior of cybercriminals. The increasing presence of centralized datasets suggests a transition from traditional distribution channels—like Telegram groups—toward databases stored in misconfigured services like Elasticsearch or unprotected cloud storage.

These exposures, although brief in duration, were enough to be indexed by researchers, but the responsible parties were not identified. This fuels the hypothesis that some leaks could be linked to malicious actors rather than just legitimate researchers or data collectors.

What Can Users Do?

Although the primary responsibility lies with the companies and platforms storing the data, users can take basic steps to protect themselves:

  • Change passwords immediately, especially for critical services like email, banking, or social media.
  • Use password managers to generate strong, unique passwords.
  • Enable two-factor authentication (2FA) whenever possible.
  • Monitor personal and business accounts for unusual access activity.
  • Check tools like Have I Been Pwned or Cybernews’s own leak search tool to see if your data has been compromised.

Are Google, Facebook, or Apple Affected?

Despite alarming headlines in some media outlets, there is no evidence of a direct security breach at giants like Google, Facebook, or Apple. According to Bob Diachenko, no centralized intrusion has been detected on these platforms. However, the leaked records do include credentials tied to the login pages of these services, which indicates that many affected users had accounts on those platforms.

In other words, while these companies were not hacked directly, users who entered their passwords on devices infected with infostealers may be at risk.

A Symptom of a Greater Crisis

This leak adds to other large-scale incidents registered in recent years, such as the so-called "Mother of All Breaches" (MOAB) with 26 billion records or the RockYou2024 file with nearly 10 billion passwords. All these events reflect a troubling trend: the increasing ease with which personal data becomes exposed and the apparent social normalization of these mass leaks.

From Cybernews’ perspective, the conclusion is clear: "We are failing to hold accountable those who guard our data. Only when there are real financial or criminal consequences will companies take seriously the security of the information they manage."

Source: Cybernews and Noticias Seguridad
