16 billion Apple, Facebook, Google and other passwords leaked

A staggering 16 billion passwords tied to major online service providers—including Apple, Google, Facebook, and more—have reportedly been leaked in what may be one of the largest data breaches ever recorded. The fallout could have serious implications for individuals and organizations, particularly in the cryptocurrency space.

According to a report released Friday by the Cybernews research team, analysts uncovered 30 separate exposed databases, each containing tens of millions to over 3.5 billion records. When combined, the data sets held a total of approximately 16 billion usernames and passwords.

The report stated that only one of these breaches had been previously documented—an unidentified database with 184 million entries. On average, each leaked database held around 550 million credentials, with the smallest still containing over 16 million.

Cybernews warned that this unprecedented trove of login information could be weaponized for large-scale attacks. The data is believed to have been exposed via unsecured Elasticsearch and cloud storage instances, a frequent misconfiguration exploited by cybercriminals.

The breach spans nearly every corner of the internet. Cybernews researchers say the credentials provide access to a wide array of platforms, including Apple, Google, Facebook, GitHub, Telegram, and even government services. The leaked data also contains so-called “infostealer” dumps, collections of data harvested by information-stealing malware that include authentication tokens, browser cookies, and metadata, which greatly increases the potential for damage.

While the origin of the breach remains unclear, experts say it is “virtually guaranteed” that at least some of the datasets were compiled and used by criminal actors.

The crypto industry, already a frequent target for cyberattacks, may be especially vulnerable in the wake of this leak. Experts predict a wave of credential-stuffing attacks, especially targeting custodial wallet services or crypto platforms linked to compromised email accounts.

Some users store seed phrase backups or private keys in cloud storage, potentially exposing their assets if those credentials were among the leaked information.

In response, security professionals are urging users to immediately update passwords, enable two-factor authentication (2FA), and never store sensitive recovery information in unsecured digital locations. Exchanges may also take proactive steps to protect users, including password resets and enhanced login security protocols.

This breach highlights ongoing weaknesses in password security and the need for stricter authentication standards across the digital landscape.
