The largest known password leak in history has been confirmed. Cybersecurity researchers have uncovered a massive breach involving 16 billion login credentials, including usernames and passwords, affecting services such as Apple, Google, Facebook, Telegram, GitHub, VPNs, developer platforms, and even government portals.

The investigation, conducted by the Cybernews research team, revealed 30 separate data sets, each containing between tens of millions and 3.5 billion records. Most of these databases had never been leaked before. Only one previously known leak — a database of 184 million passwords — was included. The rest of the 16 billion entries consist entirely of newly exposed credentials.

The leaked data follows a standard format of URL, username, and password combinations. According to the researchers, this dataset provides access to “almost every online service imaginable” and represents a significant threat on a global scale. They described the breach not just as a leak, but as “a blueprint for mass exploitation.”

Unlike older breaches being recycled, this data is considered fresh and highly usable. Experts warn that such credentials are likely to be used in phishing campaigns, account takeovers, and identity theft. Because these are real and recent login credentials, attackers can use them at scale with alarming effectiveness.

Darren Guccione, CEO and co-founder of Keeper Security, emphasized that not all password leaks are due to malware. Many stem from misconfigured databases left exposed online. He warned that this leak could be just the visible part of a much larger problem, with unknown quantities of sensitive data sitting unsecured in cloud environments.

Guccione urged both consumers and organizations to take immediate action. For individuals, this includes using password management tools, enabling multi-factor authentication, and setting strong, unique passwords for every service. He also highlighted the importance of dark web monitoring tools, which can notify users if their credentials have been exposed online.

On the enterprise side, Guccione advised adopting zero-trust security models to ensure all access to sensitive systems is verified, authorized, and logged — no matter where the data resides.

Javvad Malik, lead security awareness advocate at KnowBe4, added that cybersecurity is a shared responsibility. Organizations must protect their users, and individuals must remain vigilant against credential theft. He urged people to create strong passwords and use two-factor authentication wherever possible.

The origin of the 16 billion credential breach has not been definitively confirmed. However, researchers suspect it results from the combined activity of multiple infostealer malware campaigns.

As these credentials circulate on the dark web, often sold for minimal amounts of money, the risk of targeted attacks increases dramatically. Experts are calling on users to act without delay — to change their passwords, stop reusing them across platforms, and migrate to more secure technologies like passkeys.