Stolen data keeps surfacing on the internet – unfortunately, that's nothing new. But what security researchers at Cybernews have now discovered is unprecedented on this scale. They found around 16 billion login credentials in a total of 30 databases. These include usernames, passwords, and email addresses from various sources. What's particularly worrying is that the majority of this data was previously unknown to the public. If you use online services – be it social networks, email, or cloud services – now is the time, at the very latest, to check whether your login credentials are secure.
Security gaps, phishing, malware – the attack surfaces on the internet are diverse. It's well known that login credentials repeatedly fall into the wrong hands. What Cybernews has now published takes this to a new dimension: Researchers discovered around 16 billion stolen login credentials compiled from various leaks and sources. Some of them apparently originate from platforms such as Facebook, Google, Apple, or VPN services. Much of this data has not been collected or published before. This means that most of it is new, previously unknown information – not simply old leaks resurfacing.
What exactly was discovered?
A total of 30 different data sets with approximately 16 billion login credentials were discovered. These contain combinations of email addresses, usernames, and passwords. According to Cybernews, the information comes from social media platforms, corporate systems, and VPN services, among others. The smallest of the discovered databases contains approximately 16 million access credentials, while the largest single data set comprises approximately 3.5 billion logins and presumably originates from Portugal.
Has the data already been published?
Not all of these databases are publicly accessible. Some may have been collected by security researchers to analyze leaks or improve monitoring tools. Others are likely in the possession of cybercriminals. This means they can be used for illegal purposes such as phishing, identity theft, or direct access to online accounts.
What makes this data particularly dangerous?
Cybernews warns that the data sets are not just a compilation of older leaks. Much of the data is current, well-structured, and therefore particularly easy to exploit. The experts even call it a "blueprint for mass exploitation." The sheer volume of stolen login credentials increases the risk that your personal data is also affected – even if you haven't noticed it yet.
How many people are affected?
Exact numbers are impossible to provide because many datasets overlap. Nevertheless, one thing is clear: With a total of 16 billion entries, there's a high probability that your login credentials are also affected – especially if you reuse them multiple times or haven't changed them in a long time.
How can you protect yourself?
We recommend digital precautions. These include some basic measures:
- Change your passwords regularly, especially if you use the same combination for multiple services.
- Use a unique, strong password for each online service. A password manager is the best way to manage this. For Apple users, Apple's Passwords app is recommended.
- Enable two-factor authentication (2FA) everywhere. This provides additional protection in case your login credentials fall into the wrong hands.
- Even more secure are so-called passkeys. They work without a password and are based on a system with two digital keys – one on your device, the other on the service's server. Only if both keys match do you gain access. This method offers significantly better protection against phishing and data theft because traditional passwords are no longer stored or transmitted.
Technical background on passkeys
Passkeys completely replace passwords. One digital key is stored locally on your device, and a second on the service provider's server. When you log in, the keys are checked to see if they match – and only then do you gain access. No password is transmitted or stored. This makes it extremely difficult for attackers to gain access. Phishing, keyloggers, or stolen databases are useless in this case.
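The login check described above can be sketched as a signed challenge. This is an added, simplified example, not code from any passkey provider: the device holds a private key, the server stores only the matching public key, and the device signs a random challenge together with the site's origin. The function names, the Ed25519 algorithm choice, and the `.example` origins are assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Simplified passkey-style login. Assumption: real passkeys use WebAuthn,
// which signs more fields; only the core idea is modelled here.

// Device: create the key pair. The private key never leaves the device.
function createPasskey() {
  return nodeCrypto.generateKeyPairSync('ed25519');
}

// Server: a fresh random challenge for every login attempt.
function newChallenge() {
  return nodeCrypto.randomBytes(32);
}

// Device: sign the challenge together with the origin the browser is on.
function signLogin(privateKey, challenge, origin) {
  const data = Buffer.concat([challenge, Buffer.from(origin, 'utf8')]);
  return nodeCrypto.sign(null, data, privateKey);
}

// Server: verify against the challenge it issued and its own origin.
function verifyLogin(publicKey, challenge, expectedOrigin, signature) {
  const data = Buffer.concat([challenge, Buffer.from(expectedOrigin, 'utf8')]);
  return nodeCrypto.verify(null, data, publicKey, signature);
}

function demo() {
  const ORIGIN = 'https://shop.example';          // constructed sample origin
  const LOOKALIKE = 'https://shop-login.example'; // constructed look-alike
  const device = createPasskey();
  // All the server stores: a public key. A leaked copy cannot sign anything.
  const serverDb = { alice: device.publicKey };
  const challenge = newChallenge();
  const sig = signLogin(device.privateKey, challenge, ORIGIN);
  const genuine = verifyLogin(serverDb.alice, challenge, ORIGIN, sig);
  // Signature produced while the user is on a look-alike site: wrong origin.
  const phishedSig = signLogin(device.privateKey, challenge, LOOKALIKE);
  const phished = verifyLogin(serverDb.alice, challenge, ORIGIN, phishedSig);
  // Captured signature replayed against a later challenge.
  const replayed = verifyLogin(serverDb.alice, newChallenge(), ORIGIN, sig);
  // Holder of the leaked public key only; signs with some other private key.
  const forged = signLogin(createPasskey().privateKey, challenge, ORIGIN);
  const leakOnly = verifyLogin(serverDb.alice, challenge, ORIGIN, forged);
  return { genuine, phished, replayed, leakOnly };
}

console.log(demo());
```

Only the genuine login verifies; the look-alike origin, the replayed signature, and the attempt backed by nothing but the server's stored key are all rejected.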
Your login details are vulnerable – here's how to protect them
The discovery of 16 billion stolen login credentials shows how great the risk has become for everyone. Even if you think you're well protected, it's worth reviewing your security measures now. Avoid repeating passwords, enable two-factor authentication, and learn about the use of passkeys. This way, you can reduce the risk of your login credentials being misused – even if you've already been part of a data breach without even knowing it.