16 Billion Leaked Records May Not Be a New Breach, But They’re a Threat – Source: securityboulevard.com

Source: securityboulevard.com – Author: Jeffrey Burt

The information about the 16 billion stolen records that were leaked on the internet is becoming clearer a couple of days after news of the exposed data was first released by Cybernews security researchers.

The initial report by the researchers sparked news accounts of a new data breach. However, the login credentials were not part of a massive, single breach. As the researchers noted, they were found in a collection of 30 exposed datasets they’ve discovered since the beginning of the year, with the datasets containing anywhere from tens of millions of records to more than 3.5 billion.

As argued on sites such as BleepingComputer and Techzine, the compilation of records doesn’t constitute a new or recent breach. That said, it shouldn’t be ignored, according to the Cybernews researchers.

The 16 billion login credentials, tied to a wide variety of online services like Google, Apple, Facebook, GitHub and Telegram, were briefly exposed, long enough to be seen by researchers but not long enough for them to learn who was behind it, according to the Cybernews report. In addition, there were passwords and other credentials for a range of government services.

“This is not just a leak – it’s a blueprint for mass exploitation,” they said. “With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft and highly targeted phishing. What’s especially concerning is the structure and recency of these datasets – these aren’t just old breaches being recycled. This is fresh, weaponizable intelligence at scale.”

An Evolving Threat

It also could represent a change in how bad actors are obtaining stolen data, according to Cybernews researcher Aras Nazarovas.

“The increased number of exposed infostealer datasets in the form of centralized, traditional databases, like the ones found by the Cybernews research team, may be a sign that cybercriminals are actively shifting from previously popular alternatives such as Telegram groups, which were previously the go-to place for obtaining data collected by infostealer malware,” Nazarovas said.

According to Cybernews, of the datasets exposed, only one – involving a database of 184 million records – had been previously written about. Most of the datasets were temporarily accessed via unsecured Elasticsearch or object storage instances, they wrote.

Most of the data found in the leaked datasets was gathered by bad actors through information-stealing malware, credential stuffing attacks – a widely used method that involves putting stolen usernames and passwords into a system’s login field to gain access and take over accounts that can then be misused – and repackaged leaks. The researchers also were able to show a clear structure used to store the information that included a URL that was followed by login details and a password, noting that most modern infostealers collect data in this way.
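The URL, login and password record structure described above is also what a defender parses when checking whether company accounts appear in a leaked dataset. The sketch below is an added example, not code from Cybernews or this article; the colon delimiter, the sample records and the `example.com` domain are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlsplit

# Assumed layout: URL:login:password (the article gives the field order, not the delimiter).
RECORD = re.compile(
    r"^(?P<url>[a-z][a-z0-9+.-]*://[^/\s:]+(?::\d+(?=[/:]))?(?:/[^\s:]*)?)"
    r":(?P<login>[^:\s]+):(?P<password>.+)$", re.IGNORECASE)
# Per-run key: fingerprints replace plaintext and only compare within one run.
KEY = secrets.token_bytes(32)

# Constructed sample records; example.com stands in for the monitored domain.
SAMPLE = """\
https://sso.example.com/login:alice@example.com:Winter2024!
https://mail.example.net:8443/auth:bob@example.com:p:ss:word
https://shop.example.org/account:carol@example.org:hunter2
https://vpn.example.com:dave:Winter2024!
not a credential record
"""

def in_domain(name, domain):
    name = (name or "").lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def triage(text, domain):
    """Return (findings, skipped) for records whose site or login belongs to domain."""
    findings, seen, skipped = [], set(), 0
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            skipped += 1  # malformed line: count it, never guess at fields
            continue
        host = urlsplit(m["url"]).hostname
        login = m["login"].lower()
        mail_domain = login.rpartition("@")[2] if "@" in login else ""
        if (login, host) in seen or not (
                in_domain(host, domain) or in_domain(mail_domain, domain)):
            continue
        seen.add((login, host))
        fp = hmac.new(KEY, m["password"].encode(), hashlib.sha256).hexdigest()[:16]
        findings.append({"login": login, "host": host, "password_fp": fp})
    return findings, skipped

def shared_passwords(findings):
    """Map fingerprint -> logins, for passwords seen on more than one account."""
    by_fp = {}
    for f in findings:
        by_fp.setdefault(f["password_fp"], set()).add(f["login"])
    return {fp: sorted(logins) for fp, logins in by_fp.items() if len(logins) > 1}
```

The findings list feeds forced password resets for the affected accounts, and `shared_passwords` flags the same password appearing on more than one account.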

Data Fuels Attacks

Leaked or stolen data at such a scale can be used in phishing and ransomware attacks, account takeovers and business email compromise (BEC) campaigns, they wrote. The datasets “differ widely,” they added, noting that the smallest – with more than 16 million records – was named after malicious software, while the largest – 3.5 billion records – most likely was related to Portuguese-speaking people.

“It is unclear who owns the leaked data,” the researchers wrote. “While it could be security researchers that compile data to check and monitor data leaks, it’s virtually guaranteed that some of the leaked datasets were owned by cybercriminals. Cybercriminals love massive datasets as aggregated collections allow them to scale up various types of attacks, such as identity theft, phishing schemes and unauthorized access. A success rate of less than a percent can open doors to millions of individuals, who can be tricked into revealing more sensitive details, such as financial accounts.”

Security pros said the amount of data that was exposed is worrisome and should serve as another warning to users and organizations to harden their sign-on and other security practices, particularly given the focus of threat actors on identity. Tim Eades, co-founder and CEO of identity and security platform provider Anetac, noted that hackers systematically collect login data to use it for mass exploitation and that, at scale, stolen credentials are a commodity that is bought, sold and used in attacks.

Keeping CISOs Up at Night

“The part that keeps CISOs up at night? These records circulate for years,” Eades said. “The risk doesn’t go away, it only grows over time. Identity security has always been a game of cat and mouse, but with the mass deployment of AI agents, identity vulnerabilities are at an all-time high across the globe. This is a criminal operation at scale, enabling the exploitation of these overlooked vulnerabilities across organizations.”

Now is the time for better security hygiene, according to Ignas Valancius, head of engineering at cybersecurity company NordPass. That includes changing passwords, checking to see if personal or company credentials have been leaked, turning on multifactor authentication (MFA) and using passkeys, an alternative to passwords for authentication that is supported by the likes of Microsoft, Google, Meta and Apple.

It also means not reusing the same password for multiple accounts. He noted that in a survey this year, NordPass found that 62% of Americans, 60% of Brits and 50% of Germans reuse passwords.

“After major data leaks, social engineering attacks tend to intensify, at least for a while,” Valancius said. “Breaches like this will probably expose a lot of people to social engineering attacks, so we all should be a bit more suspicious for some time. Be wary of unsolicited emails and messages, even if they seemingly are from Google, your bank, or even the police. If you receive such messages, be extremely careful because links can lead to pages that are designed to steal even more of your data. If you are not sure about the email or a message, it is better not to click on the link.”

Adding AI to the Mix

As is the trend, emerging AI tools only add to what is already an ongoing threat.

“This isn’t just about stolen credentials, it’s really about unlocking automated exploitation at scale,” said Ted Miracco, CEO of cybersecurity company Approov. “Agentic AI systems can leverage exposed APIs and mobile app vulnerabilities to become the perfect attack surfaces. With billions of credentials circulating, it’s not hard for autonomous agents to systematically test, breach and escalate. Weak or missing mobile and API protections are an open invitation for AI-driven intrusions. This is a convergence of data theft and autonomous weaponization.”

Original Post URL: https://securityboulevard.com/2025/06/16-billion-leaked-records-may-not-be-a-new-breach-but-theyre-a-threat/?utm_source=rss&utm_medium=rss&utm_campaign=16-billion-leaked-records-may-not-be-a-new-breach-but-theyre-a-threat

Category & Tags: Cloud Security,Cybersecurity,Data Privacy,Data Security,Endpoint,Featured,Identity & Access,Malware,Mobile Security,Network Security,News,Security Boulevard (Original),Social – Facebook,Social – LinkedIn,Social – X,Social Engineering,Spotlight,Threat Intelligence,Threats & Breaches,BEC attacks,credentials leak,Data breach,Phishing