
June 20, 2025

16 Billion Passwords Exposed: Don’t Ignore This One

Written by: Aaron Pries, Technology Consultant

EDIT: This story is evolving, and clarifications from security researchers Bob Diachenko and Aras Nazarovas are forthcoming. Further investigation is needed to confirm how many of these credentials are new leaks, and whether they are plaintext or encrypted. However, it is recommended to err on the side of caution and follow best-practice security guidelines when dealing with data breaches and emerging threats.

If your radar isn’t blaring yet, this one should crank the volume.

Researchers at Cybernews just unearthed what may be the second-largest credential breach in history — a staggering 16 billion username and password combinations sitting wide open across 30 exposed databases. Let that sink in. Not just one large retailer or platform – this is a collection of some of the largest names in tech.

When these types of leaks happen these days, most people dismiss them as a bunch of old archived credentials with some active ones mixed in. This isn’t that.

These aren’t just old leaks being reshuffled. This is fresh, structured, and exploitable data. Expect these credential combinations to be tried against any website cybercriminals can think of.

The databases weren’t sitting in a dark web corner. They were left exposed online, potentially giving low-skill bad actors access to enterprise-grade attack ammunition. They include not only usernames and passwords, but session cookies. This means even if you change your password, someone might still be riding shotgun in your account.

What Kind of Data Is Out There?

  • Credentials from infostealer malware (think users who clicked a shady link or downloaded a “PDF invoice”)
  • Login pairs from credential stuffing campaigns (Netflix password = Facebook password? You bet they tried it)
  • Session cookies that allow re-entry into accounts post-password-change
  • Likely overlap with prior breaches, but not just old junk — many records are new to researchers

Why This Is a Big Deal for Your Company (and You Personally)

This is more than another massive data breach — it's a collection of all the components needed for mass digital exploitation. Even a rather conservative estimate, such as a 0.5% success rate on 16 billion records, gives attackers access to 80 million valid accounts. That’s enough to compromise banking portals, take over email inboxes, and launch hyper-targeted phishing at scale (which is already a major threat thanks to AI).

What You Should Be Doing Right Now

If you're in charge of IT or considering how to protect yourself personally, consider this your checklist:

  • Force password resets for high-value systems, especially for accounts not enrolled in MFA.
  • Enroll in MFA for any critical account not yet enrolled, and save backup codes.
  • Review recent login activity for anomalies.
  • Audit your endpoint protection and antivirus for signs of infostealer malware.
  • Check internal credentials against breach monitoring tools like HaveIBeenPwned or paid breach intelligence feeds.
  • Check which devices are signed in to your accounts, and remove any active sessions from unrecognized devices or locations.
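One way to run the HaveIBeenPwned check from the list above without sending anyone's password off the machine, as an added example (this is not code from the article or from HIBP): it uses the public Pwned Passwords range endpoint and its k-anonymity scheme, where only the first five hex characters of the SHA-1 hash are sent and the full hash is matched locally. The sample response body and its hit count are constructed so the check runs offline; the network helper is optional.

```python
"""Privacy-preserving check of a password against the Pwned Passwords range API.

Added example, not from the original article. Only a 5-character SHA-1 prefix
is ever sent to the API; the remaining 35 characters are compared locally.
"""
import hashlib
import urllib.request
from typing import Dict, Optional, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint

# Constructed sample response: what the endpoint returns for prefix "5BAA6".
# The suffix on the last line is SHA-1("password") minus its prefix; the
# counts are made up for this example.
SAMPLE_RANGE_BODY = (
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
    "011053FD0102E94D6AE2F8B83D76FAF94F6:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
)


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into a 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines from a range response into {suffix: count}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue  # skip blank or malformed lines
        suffix, count = line.split(":", 1)
        counts[suffix.strip().upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Fetch every suffix sharing this 5-char prefix (network call, prefix only)."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "pw-range-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, range_body: Optional[str] = None) -> int:
    """Return how many times the password appears in HIBP (0 = not found).
    Pass range_body to check against a stored response instead of calling the API."""
    prefix, suffix = sha1_prefix_suffix(password)
    body = range_body if range_body is not None else fetch_range(prefix)
    return parse_range_response(body).get(suffix, 0)
```

A count above zero means the password has appeared in known breach corpora and should be rotated; the same prefix lookup can be batched over a directory export without ever transmitting a full hash.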

Then, go deeper:

  • Deploy phishing-resistant MFA (like passkeys or FIDO2 keys rather than SMS or app-based codes)
  • Revoke all existing session cookies and refresh tokens in critical apps
  • Run an employee awareness refresher: "Don’t click dumb stuff. Period."

Bonus:
If you’re using Copilot or M365 Security tools — now’s the time to let AI do the boring stuff. Use DLP policies, Defender for Endpoint indicators, and Purview insights to look for exposed credentials or strange login behavior. Also consider deploying a Human Risk Intelligence platform if you don’t already have any behavior and activity analytics.

Final Thoughts – Who’s Behind This?

The scariest part of this breach? We still don’t even know who owns these databases yet. They’re just kind of… sitting there unannounced. The numbers are likely not final, and this story is evolving, so expect more information as investigations start kicking off. Regardless, attackers and cybercriminals don’t care who owns the database — they’ve got the keys they need. Whether they open the vault is up to your security hygiene. This has security implications for the corporate world just as much as your personal life. Protect your work account, protect your Netflix account. The difference between being breached and being prepared is proactivity.

If you don’t yet have a trusted technology partner, or are curious about Human Risk Intelligence – reach out to us today.