16 Billion Logins Leaked in a Mega Breach. Could Yours Be Too?

Cybersecurity researchers have discovered a record-breaking 16 billion exposed login credentials. A report by Cybernews says the stolen data includes accounts linked to multiple governments, as well as Google, Facebook, Telegram, and other services.

Since the beginning of 2025, the Cybernews team has found 30 leaked datasets, each containing anywhere from millions to more than 3.5 billion records. Researchers note that these are new breaches, not recycled data from old leaks, except for one dataset of 184 million records, which was reported in May 2025 by Wired. Among the obtained data were URLs, login details, and passwords.

Biggest Leaked Dataset Tied to Portuguese-Speaking Users

The 16 billion exposed login credentials came from multiple datasets, with the smallest containing 16 million records. Researchers say the largest dataset, holding over 3.5 billion records, appears to be linked to Portuguese-speaking users. Another sizable dataset with 455 million records likely affected Russian-speaking users. There's also one with more than 60 million records labeled “Telegram.”

Researchers warn that massive new datasets are appearing every few weeks, highlighting how widespread infostealer malware has become. In January 2024, a supermassive breach exposing 26 billion records was discovered by cybersecurity researcher Volodymyr “Bob” Diachenko and the Cybernews team. Known as the Mother of All Breaches (MOAB), it's considered the largest data leak in history.

This is not just a leak – it’s a blueprint for mass exploitation. With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing,

– Cybernews team says.

While it’s still unclear who was behind the breach, researchers say the files were only briefly accessible before being locked or removed from open storage systems. Crypto holders have also become targets of data theft. In March 2025, for instance, the Android malware Crocodilus bypassed security measures to access users’ crypto wallets.

Minimizing Online Risks: An Actionable Guide to Stay Safe

Data breaches are a constant threat, but you can significantly boost your security with a few key steps:

1. Switch to Passkeys. This is the single most effective upgrade. Passkeys are passwordless logins that use your device’s built-in security (like a fingerprint or face ID). They can’t be phished or stolen in a data breach. Google, Apple, and Microsoft all support them.

2. Check if You’ve Been Compromised. Use a free service like Have I Been Pwned. Simply enter your email address to see if it has appeared in any known data breaches. This gives you a quick reality check on which accounts need immediate attention.

3. Enable Two-Factor Authentication (2FA) Everywhere. Even if a hacker has your password, 2FA acts as a critical second barrier. Prioritize authenticator apps (like Google Authenticator) over SMS-based 2FA, which is less secure.

4. Stop Reusing Passwords. Use a password manager to generate and store unique, strong passwords for every single service you use. This contains the damage if one site is breached.

For the most privacy-focused users, decentralized identity solutions like Ethereum Name Service (ENS) or SpruceID offer a way to control your own credentials, but these are more advanced solutions.

Understanding how much your personal data is actually worth can be a wake-up call; this breakdown shows the true price of your privacy and why protection matters.

No single tool is perfect, but combining these practices makes it much harder for hackers to compromise your digital life.