

Security researchers at Cybernews have detailed the discovery of 16 billion login credentials found online, but despite suggestions from some media outlets and commentators that it represents one of the largest data breaches in history, the cache is not the result of a single incident.
Instead, it’s a compilation of data from about 30 different datasets, largely made up of credentials harvested by infostealer malware and exposed via unsecured cloud storage.
The researchers uncovered the exposed user data across multiple unsecured Elasticsearch instances and cloud repositories that had been left publicly accessible. The data did not come from a high-profile hack of any major platform such as Google LLC, Facebook or Apple Inc., but instead appears to have come from compromised devices infected with infostealer malware.
Each of the discovered datasets varied in size, with the largest having more than three billion records. The combined total of 16 billion credentials likely includes a significant number of duplicate entries and reused passwords, meaning that the number of unique individuals affected is smaller, but still substantial.
What makes the news interesting compared with other mass data exposures is not the scale but the freshness of the data. Many of the credentials were harvested recently, increasing the likelihood that they are still valid and usable in credential-stuffing or phishing attacks.
Cybernews does note that the discovery should not be confused with a traditional breach where attackers compromise a centralized database or corporate network and that there is no evidence that any of the major platforms referenced in the logs were directly compromised. Instead, the credentials appear to come from users who were infected by malware, likely through phishing emails, malicious downloads or cracked software, and whose data was subsequently dumped into loosely secured storage buckets.
The 16 billion records in this case, though worrying, also differ from the actual largest known breach of all time, the so-called “Mother of All Breaches” disclosed in early 2024. That included more than 26 billion records aggregated from thousands of known breaches across more than a decade, including data from LinkedIn, Twitter, Dropbox Inc. and Adobe Inc. Unlike the roughly 30 separate datasets in the current case, that data was compiled into a single dataset, though it was largely composed of older, previously known records.
The newly discovered cache may be smaller in absolute numbers and spread across multiple datasets, but its recency and structure make it uniquely dangerous. The researchers describe the data as well-organized, indexed and tailored for immediate use in cyberattacks.
Although the databases were removed shortly after Cybernews reported them, the window during which they were exposed was long enough for others to download and redistribute the data. In practice, credential dumps rarely disappear after first exposure, as they are often re-uploaded to dark web forums, Telegram channels or hacker marketplaces.
Brian Soby, co-founder and chief technology officer at software-as-a-service security platform provider AppOmni Inc., told SiliconANGLE via email that the data “gives cybercriminals a roadmap for widespread account takeovers that could bypass traditional security measures with ease” and that “every login to a SaaS platform and every cloud service accessed is now a potential entry point for attackers.”