Cybersecurity researchers have discovered the largest data breach in history, with 16 billion passwords belonging to Apple, Facebook, Google and Government services being leaked online in what experts are calling the "mother of all breaches".
The massive exposure consists of 30 datasets containing billions of individual login credentials that were temporarily accessible on the internet before vanishing again.
The breach has prompted urgent action from tech giants and authorities. Google has advised billions of users to change their passwords immediately, whilst the FBI has issued warnings against opening suspicious links in SMS messages.
Security experts describe the leak as "not just a leak" but "a blueprint for mass exploitation".
A warning has been issued by the FBI
GETTY
The datasets, discovered by researchers from cybersecurity site Cybernews, contain anywhere from tens of millions to over 3.5 billion records each.
All but one of these datasets are newly discovered, meaning the vast majority of the information is fresh and has not previously been reported as compromised.
The leaked credentials follow a familiar structure: URLs followed by usernames and passwords, the same format typically collected by modern infostealers. Some datasets had vague names like "logins" or 'credentials,' making it difficult for investigators to determine their origins.
The breach is believed to result from a mix of sources, including credential stuffing lists, stealer malware, and repackaged past leaks.
LATEST TECH NEWS
- BYD prepares UK launch of 'game changer' technology that charges electric cars in just five minutes
- Use a Samsung phone or tablet? Your account will be DELETED if you miss crucial deadline next month
- Amazon reveals new perk for millions of Prime subscribers, but it's only available for 96 hours next month
Meta users have been issued with a warning
PAThe compromised data grants potential attackers access to "pretty much any online service imaginable," researchers warned. One dataset containing over 455 million records was linked to the Russian Federation, whilst another with more than 60 million entries appeared to be sourced from Telegram.
The largest dataset alone contains over 3.5 billion records and appears to be tied to a Portuguese-speaking population, according to Cybernews.
"With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing," the researchers said.
"What's especially concerning is the structure and recency of these datasets - these aren't just old breaches being recycled. This is fresh, weaponisable intelligence at scale."
Security experts strongly advise users to take immediate precautions. "Organisations need to do their part in protecting users, and people need to remain vigilant and mindful of any attempts to steal login credentials," said Javvad Malik, head security awareness advocate at KnowBe4.
Former NSA cybersecurity expert Evan Dornbush warned against using "the same password at multiple sites," explaining that "if an attacker steals a password from one database and the individual has reused it elsewhere, then the attacker can gain access to those accounts as well".
Professor Alan Woodward, from the University of Surrey, said the breach suggests "the new paradigm in security: that you should assume any data stored digitally will be breached".
Experts recommend using password managers, enabling two-factor authentication, and avoiding password reuse across multiple accounts.
Most Read
