A recent surge of sensationalist headlines warning about a ‘16 billion credentials leak’ has caused serious concern across the digital world. At first, it seemed like this might be the biggest data breach in history, with claims that billions of usernames and passwords had suddenly been leaked online. However, cybersecurity experts are now clarifying that this is not the result of a single, new data breach. Instead, it is a huge collection of stolen data gathered from many old leaks and malware infections that have happened over the past ten years.

The dataset, discovered on a hacker forum, includes over 30 major databases, with individual segments containing anywhere from tens of millions to more than three billion records. In reality, most of the data in this leak has already been traded, sold, or shared among cybercriminals for years. What is new is simply the scale of how much of it has been compiled in one place and made widely available all at once.

Most of the information in this collection comes from something called ‘infostealer malware’, reports Bleeping Computer. These are harmful programs that secretly infect a person’s computer and steal data stored in their web browsers and apps. This can include usernames and passwords, cookies (which help websites remember who you are), autofill information like your name and address, and even tokens that let someone stay logged into your account without needing your password again. These malware programs (like RedLine, Raccoon, Vidar, and others) have been around for years and are widely used by hackers to collect personal data. Meanwhile, the rest of the leak is made up of data from old breaches involving popular companies and services like LinkedIn, Twitter, Netflix, and many others.

According to cybersecurity firm Hudson Rock, on average, one device infected by infostealer malware gives up about 50 credentials. At that rate, collecting 16 billion real credentials would require infecting about 320 million devices, a number far too high compared to real cases. This suggests that the leak is likely filled with repeated, outdated, or even fake data just to make it look more serious than it really is. There are even examples in the past, like the ALIEN TXTBASE leak, where fake or randomly generated credentials were inserted to inflate the size and impact of the dump.

However, although this leaked data dates back years, it continues to pose a threat wherever the information has not been changed or protected. It includes old but still usable data, like passwords and session tokens, which can be exploited through credential stuffing and can even bypass two-factor authentication. Attackers may use this information for phishing, identity theft, or hijacking cryptocurrency wallets. Therefore, many experts urge users to update reused passwords, enable multi-factor authentication, and scan devices for malware.