
16 billion login credentials. That should be a number that makes you sit up and pay attention, right? But before you start panicking, it’s important to understand what’s included in this massive data leak recently reported by Cybernews, how you might be impacted, and actions you should take to protect yourself.
Last week, reports emerged of a massive new collection of over 16 billion stolen and/or leaked credentials that were exposed to the open internet. While the reporting is drawing a lot of clicks, it’s important to put it in perspective: this isn’t a new data breach. It reflects credentials either stolen by infostealers, a threat which has been well-documented and warned about for years now, or existing credential compilations sourced from data breaches or other sources.
FAQ – Get up to speed quickly:
Q: Is this a new data breach?
A: No. It’s a compilation of old and new leaks, mostly from infostealer malware.
Q: What are infostealers?
A: Malware that collects credentials, tokens, and system data from infected devices.
Q: How can I check if I’ve been affected?
A: Use tools like HaveIBeenPwned or your password manager’s breach monitoring.
Q: What’s the best protection against these types of data breaches?
A: Use unique passwords, enable MFA, and switch to passkeys where possible.
What data is included in the breach?
Since the beginning of the year, Cybernews’ researchers have discovered 30 exposed datasets containing tens of millions to over 3.5 billion records each. Some of the impacted companies include Apple, Facebook, Google, GitHub, Telegram, and some government platforms. It’s unclear how many unique accounts were exposed since the leak comes from multiple datasets, but there are certain to be duplicates and also likely manipulated entries, which is similar to the ALIEN TXTBASE leak where credentials were tweaked for brute-forcing purposes. The data set isn’t all new data and comes from a mix of infostealer malware, credential stuffing, and repackaged old leaks. The inclusion of old creds and database leaks reduces the overall impact of this leak if organizations and individuals already addressed these exposures through password resets, making these creds null and void.
Infostealers are the real threat
While some of the attention around this breach is overhyped, it highlights the persistent threat from infostealers to individuals and organizations alike. This poses an elevated threat to organizations without MFA or good password hygiene practices. This data leak includes old and recent infostealer logs, often with tokens, cookies, and metadata. Stealers commonly grab more information than just credentials—they also go after other data that can be monetized on the dark web or used to conduct follow-up attacks. For instance, infostealers often check the specific OS version and security systems on an infected machine. This allows attackers to determine the best way to operate and find sensitive information. Stealers have also increasingly targeted session tokens to be used in pass-the-cookie attacks, which we expect to see more of as passkey adoption picks up.
Stolen information from stealers can serve as initial access for other more damaging attacks like ransomware. Huntress’s 2025 Cyber Threat Report found that infostealers drove nearly a quarter (24%) of all cyber incidents in 2024. Their analysis showed a 104% year-over-year increase in infostealer detections, with small and medium-sized businesses (SMBs) hit hardest due to limited resources. Recent incidents, like the Nobitex crypto exchange breach where Redline stealer compromised two employees’ credentials and led to an $81.7 million loss, underscore their impact.
While law enforcement action has disrupted some activity—like the recent Lumma takedown operation—this threat is not going anywhere anytime soon. Stealers will continue to adapt to defensive security measures to remain effective.
What to do if your information is included in this dataset?
Anyone who has an account at the reported impacted sites, or who reuses passwords associated with them, should take immediate action. The reporting highlights the importance of taking the proper precautions to protect yourself against this and any other similar breaches, including:
- Using complex and unique passwords for every account (to make your password harder to guess and to limit potential exposure in the event your password to that account is stolen or leaked) and managing these passwords in a password manager.
- Monitoring for exposed credentials on the dark web and taking prompt action to change your password when you have been notified you are at risk.
- Using multi-factor authentication (MFA) for EVERY account where it is available. Ideally, use FIDO2-compliant MFA options such as biometrics, PINs, mobile devices, or security keys.
- As more organizations are offering passkeys for authentication, make the switch as soon as you are able. LastPass offers passkey storage, and passkeys are phishing resistant and easy to use.
What are the broader implications?
Data breaches have been on the rise for years, and this trend is expected to continue. Massive leaks can fuel a wide range of malicious activity, as the exposed information gives attackers opportunities to launch attacks ranging from phishing scams and account takeovers to ransomware attacks and business email compromise. The leaked data, particularly credentials, can be used for credential stuffing attacks where attackers try combinations of stolen usernames and passwords on different online platforms. This takes advantage of the fact that many users reuse passwords. Stolen credentials could lead directly to account takeovers, providing hackers access to sensitive data and systems. Accounts without an additional layer of security like MFA or passkeys are especially at risk. Threat actors can also use leaked personal data to craft more convincing phishing and social engineering attacks, which could make it easier to trick users into providing sensitive details or downloading malware.
With this bulk dataset widely available in a centralized location and the increasing adoption of automation and LLM tools, threat actors could launch automated attacks more easily, particularly through credential stuffing and session hijacking. The sheer volume of leaked data makes manual exploitation impractical, but attackers can rapidly increase the scale and speed of attacks with automated scripts and tools. Using LLMs to combine information from the leak with open-source searches on targeted individuals increases the threat of highly targeted and convincing social engineering attacks.
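On the defender's side, the credential stuffing pattern described above shows up in authentication logs as one source failing logins for many different usernames in a short time, unlike a single user mistyping a password. The following is an added example, not code from the original article: the log format, the threshold values and the function name are assumptions, the log lines are constructed, and events are assumed to arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+) (login_ok|login_failed) user=(\S+) ip=(\S+)$")

# Constructed sample log (documentation IP ranges, made-up users).
SAMPLE_LOG = """\
2025-06-23T10:00:01Z login_failed user=alice ip=203.0.113.7
2025-06-23T10:00:02Z login_failed user=bob ip=203.0.113.7
2025-06-23T10:00:03Z login_failed user=frank ip=198.51.100.20
2025-06-23T10:00:04Z login_failed user=carol ip=203.0.113.7
2025-06-23T10:00:06Z login_failed user=frank ip=198.51.100.20
2025-06-23T10:00:07Z login_ok user=dave ip=203.0.113.7
2025-06-23T10:00:08Z login_failed user=erin ip=203.0.113.7
2025-06-23T10:00:09Z login_failed user=gina ip=203.0.113.7
2025-06-23T10:00:15Z login_ok user=frank ip=198.51.100.20
""".splitlines()

def find_stuffing_sources(lines, window=timedelta(minutes=5), min_users=4):
    """Return {ip: (distinct users failed in one window, users that logged in)}."""
    failures = defaultdict(deque)   # ip -> (timestamp, user) failures inside the window
    successes = defaultdict(set)    # ip -> users that logged in successfully
    peak = {}                       # ip -> most distinct failed users seen in one window
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                # skip lines in other formats
        stamp, event, user, ip = m.groups()
        if event == "login_ok":
            successes[ip].add(user)
            continue
        ts = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        q = failures[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:    # drop failures older than the window
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct >= min_users:
            peak[ip] = max(peak.get(ip, 0), distinct)
    return {ip: (n, sorted(successes[ip])) for ip, n in peak.items()}

if __name__ == "__main__":
    for ip, (tried, hits) in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {tried} distinct users failed; successful logins: {hits}")
```

Accounts that logged in successfully from a flagged source are the ones to treat as taken over: reset the password and revoke active sessions.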