Cybersecurity investigators have uncovered a trove of up to 16 billion logins harvested via infostealer malware and credential stuffing schemes, making it one of the largest compilations of stolen credentials in history, Cybernews reports.
Researchers have detected 30 separate database dumps, each containing credentials from tens of millions to over 3.5 billion records. While overlapping entries make the true count unclear, the total footprint is estimated at 16 billion.
Contrary to headlines implying a brand-new hack, however, this appears to be an aggregation of existing exposures, freshly packaged but stemming from previously compromised data sets via infostealer malware and credential stuffing.
For those who aren’t famliar, infostealers are malicious programs that stealthily extract data, such as logins, cookies, session tokens, and crypto-wallet details, from infected devices. These malwares, often spread via phishing or malicious downloads, then send this stolen data to criminal-controlled servers.
According to the source, prominent strains like Lumma, StealC, and RedLine have been found in past campaigns. KELA researchers reported nearly 4 billion stolen credentials in 2024 alone, from around 4.3 million infected devices.
The latest leak includes credentials linked to platforms ranging from Apple, Google, Facebook, Telegram, GitHub, VPN services, even government sites. In one high-volume database of 184 million records discovered in May, researcher Jeremiah Fowler verified that usernames and plaintext passwords were intact, including access to email, banking, healthcare, and government portals.
This data offers a “blueprint for mass exploitation.” With account and session data, criminals can launch credential stuffing, identity theft, phishing scams, account takeovers, and even attempt corporate espionage. Because of duplicate entries across multiple dumps, the actual number of affected users remains unclear.
Security professionals are now urging everyone to take the following immediate measures:
As infostealers are becoming more accessible and effective, sources predict a continued rise, potentially 30–50% more credential-based attacks in the next year.
Want to see more of our stories on Google?
P.S. Want to keep this site truly independent? Support us by buying us a beer, treating us to a coffee, or shopping through Amazon here. Links in this post are affiliate links, so we earn a tiny commission at no charge to you. Thanks for supporting independent Canadian media!
So much for Apple's heavily advertised privacy ad campaigns.
No need for the surveillance camera 'birds' looking over the shoulder when someone has already used what's inside your account.
This is ridiculous, I already changed all my passwords weeks ago, why do I have to do this all over again. There has gotta be a better way. If malicious users get into my iCloud, I am absolutely screwed as I have everything in there.