
Researchers at Cybernews have uncovered one of the most extensive credential leaks in history: over 16 billion entries containing usernames and passwords have surfaced in publicly accessible repositories. These massive datasets, according to their analysis, have largely been compiled using stealers—malicious software designed to extract sensitive information from compromised devices.
Since the beginning of 2025, experts have identified 30 discrete data troves, each containing anywhere from tens of millions to more than 3.5 billion records. The cumulative total surpasses 16 billion entries. Analysts note that fresh dumps are appearing every few weeks, signaling a sustained surge in stealer activity.
The average dataset comprised approximately 550 million entries. The smallest, named after a specific malware strain, held just over 16 million lines. The largest, believed to originate from the Lusophone digital sphere, included upwards of 3.5 billion credentials.
Some datasets bore generic labels—such as “logins” or “credentials”—which complicated attribution. Others hinted at their origin, referencing specific platforms or countries. One file, for example, contained 455 million records and appeared linked to Russian accounts. Another, containing 60 million entries, explicitly mentioned Telegram.
All shared a similar structure: URL, login, and password. Many also included tokens, cookies, and other metadata—hallmarks of data exfiltrated by stealers. This renders the breach especially perilous for organizations lacking multifactor authentication or robust password oversight.
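A defender who obtains a copy of such a dump wants to know which of their own accounts appear and which records carry session material that a password reset alone will not neutralize. The following is an added example (not code from the article or from Cybernews) that triages records in the URL / login / password layout described above; the colon-separated shape, the `cookie=`/`token=` trailer and all sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records in the URL / login / password layout; the colon
# separator and the optional "cookie=" / "token=" trailer are assumptions.
SAMPLE_LINES = [
    "https://mail.example.com/login:alice@example.com:Winter2024!",
    "https://sso.example.com/auth:bob@example.com:hunter2:cookie=SESSID=abc123",
    "https://portal.other.org/:carol@other.org:pass123",
    "https://mail.example.com/login:alice@example.com:Winter2024!",  # duplicate
    "garbage line with no structure",
]

def parse_line(line):
    """Split one record into (url, login, password, metadata) or None if malformed.
    The URL itself contains ':' after the scheme, so the first field is matched
    as scheme://non-colon-chars; URLs with an explicit port would need a smarter split."""
    m = re.match(r"^(\w+://[^:]+):([^:]+):([^:]*)(?::(.*))?$", line.strip())
    if not m:
        return None
    url, login, password, meta = m.groups()
    return url, login, password, meta or ""

def triage(lines, my_domains):
    """Group records that touch the defender's own domains, de-duplicating logins,
    and flag those carrying session material (cookies/tokens): those accounts need
    session revocation in addition to a password reset."""
    report = defaultdict(lambda: {"accounts": set(), "needs_session_revoke": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable noise, common in aggregated dumps
        url, login, _password, meta = rec
        host = urlsplit(url).hostname or ""
        if not any(host == d or host.endswith("." + d) for d in my_domains):
            continue  # not one of our properties
        entry = report[host]
        entry["accounts"].add(login)
        if re.search(r"\b(cookie|token)=", meta, re.IGNORECASE):
            entry["needs_session_revoke"].add(login)
    # Sorted lists make the report stable and easy to diff between dumps.
    return {h: {k: sorted(v) for k, v in e.items()} for h, e in report.items()}

if __name__ == "__main__":
    print(triage(SAMPLE_LINES, ["example.com"]))
```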
These datasets were temporarily exposed via unsecured Elasticsearch instances and object storage servers, granting researchers momentary access—though without revealing the operators. It is likely that some of the information was gathered by cybercriminals, while other portions may have originated from researchers or data breach aggregators. Regardless of their origin, such collections offer threat actors a potent arsenal for executing large-scale cyberattacks.
Even with a success rate below 1%, dumps of this magnitude can compromise millions of users, enabling unauthorized access to financial platforms and fueling phishing or fraud campaigns.
Included among the leaked entries are credentials linked to Apple, Facebook*, Google, Telegram, GitHub, and various government systems. Certain files contain business-related data and encrypted artifacts, suggesting potential corporate sources.
Seen alongside this latest discovery, the leaks resemble interconnected links in an ever-growing chain. These datasets comprise both outdated and freshly harvested data, readily exploitable for immediate cyber operations. This is no mere “recycling”—it is a living, breathing arsenal of exploitation-ready intelligence.
Researchers emphasize that once such information falls into malicious hands, there is little the average user can do to reverse the damage. However, basic cyber hygiene—such as regularly updating passwords, scanning for stealer malware, and enabling two-factor authentication—can dramatically reduce the risk of compromise.