The Cybernews research team recently uncovered what may be the largest unreported credential leak in history: 16 billion login records exposed across 30 separate datasets. These datasets were most likely generated by infostealer malware, malicious software designed to harvest usernames, passwords, and authentication tokens from infected devices. How much of the data is recycled or regenerated from earlier leaks remains uncertain.
Key Findings
The 30 datasets ranged in size from tens of millions to over 3.5 billion records each. On average, a single dataset contained about 550 million exposed credentials. The largest dataset, potentially linked to Portuguese-speaking users, held over 3.5 billion records.
Most datasets followed a uniform structure: URL, username/email, and password. Some also included tokens, cookies, and metadata, which can be used to bypass multi-factor authentication and launch advanced phishing attacks. The leaked credentials originated from a wide range of online services, including social media platforms (Facebook, Google, Telegram), corporate and developer portals (Apple, GitHub, VPNs), and government services. Some datasets were named generically, while others referenced specific platforms or regions, such as a dataset with 455 million records linked to the Russian Federation and another with 60 million records labeled “Telegram”.
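As an added example (not code from Cybernews or the article), a small defender-side triage script for a dump laid out as described above: it parses the "URL, username/email, password" records, handles the records that also carry session cookies or tokens, and reports which of an organization's hosts appear and how many records call for session revocation rather than just a password reset. The colon-delimited layout, the JSON shape for cookie-bearing records, the "tokens" key and the example.com hosts are assumptions.

```python
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the two shapes the article describes: plain
# "URL:username:password" lines and records that also carry session cookies
# or tokens (assumed here to be JSON lines; the real on-disk layout is not public).
SAMPLE_LINES = [
    "https://git.example.com/login:alice@example.com:Summer:2024!",
    "https://vpn.example.com:8443/auth:bob:hunter2",
    "https://social.example.net/signin:carol@example.com:pw1",
    '{"url": "https://git.example.com/", "user": "dave@example.com",'
    ' "password": "x", "cookies": ["session=abc123"]}',
    "not a credential line",
]

# The URL itself contains ':' (scheme, optional port), so match it first and split
# only the remainder on its first ':' (usernames never contain ':', passwords may).
URL_RE = re.compile(r"^(\w+://[^:/]+(?::\d+)?[^:]*):")


def parse_record(line):
    """Return (host, user, has_session), or None if the line is unparseable."""
    line = line.strip()
    if line.startswith("{"):
        try:
            rec = json.loads(line)
            has_session = bool(rec.get("cookies") or rec.get("tokens"))
            return urlsplit(rec["url"]).hostname, rec["user"], has_session
        except (ValueError, KeyError, TypeError, AttributeError):
            return None
    m = URL_RE.match(line)
    if not m or ":" not in line[m.end():]:
        return None
    user, _password = line[m.end():].split(":", 1)
    return urlsplit(m.group(1)).hostname, user, False


def triage(lines, org_domains):
    """Per in-scope host: accounts to reset, and how many records carry session
    material (those also need session revocation). Returns (summary, unparsed)."""
    records = [parse_record(line) for line in lines]
    summary = defaultdict(lambda: {"accounts": set(), "with_session": 0})
    for host, user, has_session in filter(None, records):
        if host and any(host == d or host.endswith("." + d) for d in org_domains):
            summary[host]["accounts"].add(str(user).lower())
            summary[host]["with_session"] += int(has_session)
    return dict(summary), records.count(None)
```

Lines that match none of the organization's domains are ignored, and the unparsed count surfaces records that need manual review rather than being silently dropped.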
The datasets were briefly exposed in unsecured cloud storage systems, such as Elasticsearch or object storage instances. Ownership of these datasets remains unknown, but researchers believe some may have been curated by cybercriminals seeking to scale attacks. Unlike many previous breaches that recycled old data, these collections included both recent and older infostealer logs, making them especially dangerous for organizations and individuals lacking strong authentication or credential hygiene practices.