
Executive summary
- Researchers from Cybernews recently uncovered around 30 separate datasets, briefly exposed online and circulating on the dark web, containing roughly 16 billion login records for a wide range of web services.
- Each record typically pairs a login URL with a username and a plaintext password, for services ranging from social media and VPNs to developer portals and even government applications.
- The scale of this leak is a strong reminder to every organisation that multi-factor authentication and passkeys need to be enforced everywhere they can be, not left as optional extras.
Introduction
Imagine simply handing your house keys to a total stranger.
That’s essentially what’s happened as part of what might be the world’s biggest credential leak. Logins for a huge range of services, including social media sites, VPNs, developer portals, and even government sites, have been compiled into huge databases discovered by independent media outlet Cybernews.
While password breaches are nothing new, it’s the scale that’s most concerning, with at least 16 billion records compromised.
Let’s unpack what happened, what’s been stolen, and what it means for your organisation’s cybersecurity posture.
The bottom line: what really happened?
Security researchers at Cybernews have spent months scouring various underground markets and forums on the dark web to identify potential leaks and breaches.
As originally reported on June 18th, these researchers managed to locate around 30 different datasets, ranging from tens of millions of records up to about 3.5 billion each. In total, the number of records easily reached 16 billion. One caveat: these are records, not unique accounts. The same stolen login can appear in several datasets, so 16 billion is an upper bound on the number of distinct credentials, but any one of them could still spell disaster for an individual or a business.
While the databases were only exposed online for a short period of time, all it takes is a few seconds for malicious parties to copy valid data and begin credential-stuffing, phishing campaigns, or ransomware attacks.
What type of data has been stolen?
Because of the sheer volume of the data leaked here, it’s hard to say exactly what might be found in each of the databases.
That said, it’s clear that login credentials are included for popular platforms like Google, Facebook, Apple, GitHub, and more. The databases were labelled in such a way that there was basically no ambiguity about what was held within – think names like “logins”, “leaked_credentials”, and “socialprofiles”.
So how did this happen? The most likely culprit is what’s known as infostealer malware.
What is infostealer malware?
Unlike the headline-hitting ransomware that locks you out of your files and demands cash, infostealers are sneakier – and arguably more dangerous in the long run.
They don’t make noise. They don’t cause immediate chaos. They just sit quietly on infected devices, monitoring and recording sensitive data like saved logins, cookies, session tokens, autofill details, browser histories and even crypto wallet credentials.
And that’s exactly what fuelled this latest leak.
The 16 billion credentials now floating around the dark web weren’t stolen in a single, dramatic breach. No central system was hacked. Instead, they were hoovered up by infostealer malware over months or even years, from thousands of compromised personal and business machines. Once harvested, the stolen data was bundled into tidy databases, typically one line per login in the form of a URL, a username and a password, sometimes with a timestamp, then posted online, ready to be sold, shared or exploited.
Why this matters to your business
A single compromised password can open the door to a corporate crisis.
Imagine an attacker using stolen VPN credentials to slip inside your network. From there, they could harvest customer data, deploy ransomware, or launch a business email compromise. And because so many people re-use passwords, that initial breach often leads to a cascade of compromises across multiple systems.
The financial and reputational fallout can run into the millions – not to mention regulatory fines for data protection failures.
What to do right now to protect your organisation
Our goal in reporting leaks like this isn’t to worry you, but rather to raise awareness of these leaks and how easily UK businesses can fall foul of them.
But fear not – there are plenty of measures you can take right now to mitigate the risk of data breaches in your business.
- Enforce multi-factor authentication (MFA). The absolute bare minimum these days is MFA on every internet-facing login, not just your most critical systems. Bear in mind that infostealers also lift session cookies, which can let an attacker skip the MFA prompt entirely, so pair MFA with short session lifetimes and revoke active sessions whenever a device is found to be infected.
- Implement sensible password policies. Mandate unique, strong passwords and require a change whenever a credential is known to be compromised. Forcing everyone to rotate passwords on a schedule is no longer recommended by the NCSC, because it pushes people towards predictable variations of the same password.
- Deploy passkeys. Replace reusable passwords with phishing-resistant cryptographic key pairs stored on devices. (It’s much easier than you might think to set up.)
- Use a secure password manager. Generate and safely store strong, unique credentials so staff aren’t tempted to re-use them or jot them down.
- Monitor for exposed credentials. There are many dark web monitoring services that will alert you when your domains or employee email addresses appear in leaks. Treat every hit as a trigger to reset that password and sign the account out everywhere.
- Educate your team. Perhaps most importantly, we’d strongly encourage you to run regular training sessions and phishing simulations to keep security top of mind. Ask the team if you’d like to know more about setting this up.
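To make the "monitor for exposed credentials" step concrete, here is an added example (written for this article, not code from Cybernews or from any monitoring vendor) that triages a stealer-log style dump against your own domains. It assumes the url:username:password line layout described in the infostealer section above; the sample lines and the domain example.co.uk are constructed for illustration and do not come from any real leak.

```python
"""Triage a stealer-log style credential dump against an organisation's domains.

Assumed input format (one record per line): url:username:password
This layout is common in infostealer logs; the sample below is constructed
for illustration and is not taken from any real dataset.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample dump. Includes our own hosts, our staff on third-party
# sites, an unrelated account, an app-scheme URL and a junk line.
SAMPLE_DUMP = """\
https://vpn.example.co.uk/login:alice@example.co.uk:Summer2024!
https://github.com/login:alice@example.co.uk:Summer2024!
https://accounts.google.com/signin:bob@gmail.com:hunter2
https://portal.example.co.uk/:carol@example.co.uk:C0rrect-Horse
android://com.bank.app/:dave@example.co.uk:Winter2023?
https://example.co.uk/admin:carol@example.co.uk:C0rrect-Horse
not a credential line
"""


def parse_record(line):
    """Split a url:user:password line, or return None if it does not fit.

    The URL contains ':' (scheme, maybe a port), so we split from the right.
    Caveat: a password that itself contains ':' would be mis-split by this
    simple format; real dumps are messy and such lines need manual review.
    """
    parts = line.strip().rsplit(":", 2)
    if len(parts) != 3:
        return None
    url, user, password = parts
    if "://" not in url or not user or not password:
        return None
    return {"url": url, "user": user, "password": password}


def host_of(url):
    """Lower-cased hostname of the login URL ('' if unparseable)."""
    return (urlsplit(url).hostname or "").lower()


def mail_domain(user):
    """Domain part of an e-mail style username, or None."""
    return user.rsplit("@", 1)[1].lower() if "@" in user else None


def matches_org(record, org_domains):
    """True if the login host or the account's e-mail domain is ours (or a subdomain)."""
    candidates = (host_of(record["url"]), mail_domain(record["user"]))
    for domain in org_domains:
        for candidate in candidates:
            if candidate and (candidate == domain or candidate.endswith("." + domain)):
                return True
    return False


def triage(dump_text, org_domains):
    """Return (hits, reuse).

    hits  : records that touch one of our domains.
    reuse : (user, password) pairs seen at more than one host, mapped to the
            sorted hosts; the cascade risk the article describes.
    """
    org_domains = [d.lower() for d in org_domains]
    hits = []
    seen = defaultdict(set)
    for line in dump_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        seen[(rec["user"].lower(), rec["password"])].add(host_of(rec["url"]))
        if matches_org(rec, org_domains):
            hits.append(rec)
    reuse = {k: sorted(v) for k, v in seen.items() if len(v) > 1}
    return hits, reuse


def affected_accounts(hits):
    """Map each of our accounts to the hosts it appeared for.

    Passwords are deliberately omitted so the report can go straight to the
    service desk for a reset and session revocation.
    """
    out = defaultdict(set)
    for rec in hits:
        out[rec["user"].lower()].add(host_of(rec["url"]))
    return {user: sorted(hosts) for user, hosts in out.items()}


if __name__ == "__main__":
    hits, reuse = triage(SAMPLE_DUMP, ["example.co.uk"])
    for user, hosts in sorted(affected_accounts(hits).items()):
        print(f"reset + revoke sessions: {user}  (seen at {', '.join(hosts)})")
    for (user, _pw), hosts in sorted(reuse.items()):
        print(f"password reused by {user} across {', '.join(hosts)}")
```

Running it against the constructed sample lists alice, carol and dave for a reset, and flags that alice reused the same password on the VPN and GitHub. The point of matching on both the login host and the e-mail domain is that a personal-device infection exposes staff logins to third-party sites just as readily as logins to your own portal, and both are worth a reset.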
Want to pressure-test your cybersecurity?
Even when you’re ticking all the boxes, there’s always a risk that something slips through the net.
So, if you’re at all concerned about the risk of cybersecurity breaches, just ask your Get Support Customer Success Manager, or call our team on 01865 594000. Our cybersecurity experts will be happy to offer personalised advice tailored to your company and how you’re set up.