Nikhil Singh

Author

  • Published: Jun 20 2025 12:16 PM
  • Last Updated: Jun 20 2025 12:38 PM

Over 16 billion passwords from Google and other platforms leaked in one of the biggest data breaches ever.



According to a disturbing new cybersecurity report, over 16 billion usernames and passwords have been leaked online, making this the largest credential leak in history.

These leaked credentials include login information from some of the biggest services including Google, Apple, Facebook, Telegram, GitHub, as well as government services.

Security researchers believe this information is not just old or reused, but predominantly new data that was gathered recently with modern malware called infostealers. 

Infostealer malware operates by quietly infiltrating devices and collecting data ranging from a user's browser-stored passwords to cookies, auto-fill information, and even session tokens. Much like a new romantic partner, many users do not realize they have been compromised until it is too late.

The keyword here is fresh, as threat actors now have access to billions of valid accounts.

Google and Experts Warn Users to Change Passwords 


Cybersecurity researchers have tracked down over 30 datasets that relate to this breach, and some have close to 3.5 billion records. This evidence suggests consultation and coordination of millions of compromised users all over the world.

Researchers were concerned this data could be used for phishing, identity theft, account takeovers, and financial fraud purposes.  

If you have an account with Google or any other major online entity, the likelihood is high your very own information has been revealed. The time to act is now.

After news of the breach surfaced, Google immediately called on its users to act. The company is requesting, in fact imploring, its users to change their passwords right away and to enable two-factor authentication (2FA) to slightly increase the security of their accounts.

Google has also been proactively promoting passkeys as a secure replacement for passwords. Traditional passwords can be stolen; a passkey, biometrics or a device PIN, on the other hand, is much harder to steal.

According to experts, enabling 2FA adds a level of security, and users should do so. Even if a password is leaked, a hacker would still require your phone or a physical security key to log in.

Using a password manager is also strongly encouraged; it makes it easier to generate strong, unique passwords for each site. A password manager keeps everything safe.

Beyond verifying and securing your Google account, cybersecurity professionals also advise auditing all of your other accounts: banking apps, email, shopping, etc.

Most people use the same password for many accounts, so cybercriminals will try the same login on many platforms as a matter of course.

The FBI will also likely remind the public of the phishing attacks, account takeovers, or identity theft that could arise from this breach, so if you take the necessary steps now to avoid making it Christmas for fraudsters, you may remain fraud free, at least for a bit longer.

FAQ

More than 16 billion login credentials were leaked from this breach, making it the largest leak ever documented.

Google wasn't hacked directly, but many users' Google credentials were obtained from malware on compromised devices.

The majority of credentials were exfiltrated from infected devices via various types of infostealer malware which stealthily collect login credentials.

Change your login credentials, enable 2FA, use a password manager and do a malware scan.

Yes, passkeys offer better security since they substitute passwords and leverage biometrics and/or PINs, which hackers find much more difficult to steal.
