Jun 20, 2025

16 Billion Password Leak, Not New, Still Dangerous: What You Need to Know?

A recent headline from Cybernews made waves online. It claimed that over 16 billion credentials had been “leaked” in what some called the most significant data exposure in history. The number is eye-catching. But is it a brand-new breach?

Not quite.

What the Report Claimed

Cybernews reported the discovery of one of the largest exposures of login credentials to date—a total of 16 billion records found across 30 newly uncovered datasets. These include usernames, passwords, cookies, tokens, and other sensitive information.

The credentials reportedly originate from infostealer malware and were gathered from a wide range of services, including Google, Facebook, Apple, Microsoft, Telegram, and more. The report emphasizes that the datasets appear to be recent, not just recycled from old breaches, and were likely collected through various active stealer campaigns.

What’s Going On

Despite the alarming headlines, this is not a brand new breach. The data seems to come from logs collected by infostealer malware, possibly over the past several years. These logs include usernames, passwords, cookies, and other sensitive data pulled from infected devices.

What surfaced recently looks like a compilation of those logs. Threat actors likely bundled data from thousands of older infostealer incidents into a single archive. While the collection itself may have been posted or indexed recently, the majority of the content is not newly stolen.

Why It Still Matters

Although this isn’t a new breach, the data in these stealer logs remains highly dangerous. Infostealer malware doesn’t just collect passwords; it also gathers a great deal of information from the user’s session and environment, which can be exploited in very practical ways.

The screenshot below shows a typical data listing from a stealer market on the SOCRadar platform.

SOCRadar Threat Hunting allows you to search for specific domains, emails across Stealer logs

Beyond yielding multiple credentials from a single machine, these logs are also turned into combo lists in various ways.

These logs are structured, searchable, and cheap or even free. Threat actors use them to:

  • Bypass 2FA with stolen session cookies

  • Access corporate VPNs or developer tools

  • Exfiltrate crypto wallets or internal documents

  • Build targeted phishing based on system and browser metadata

SOCRadar Identity & Access Intelligence tracks exposed identities from leaks and stealer logs, helping detect compromised access details like usernames, emails, and URLs

Unlike password leaks alone, stealer logs often contain live access tokens, environment context, and even multi-device fingerprints. Attackers can automate exploitation using these details, especially when logs are sold in bulk or filtered by target (e.g., “finance companies in the US” or “Google Workspace users”).

So, while it’s not new, it’s still a threat.

  • For a deep dive into how infostealers collect and distribute this information, see our blog: The Anatomy of Stealers

How to Protect Yourself

If you suspect your data might be in a collection like this, or just want to stay on the safe side, SOCRadar Free Edition offers credits for basic threat hunting. To reduce your risk, follow these key steps:

  • Change your passwords, especially on any account where you’ve reused them.
  • Enable two-factor authentication (2FA) to block access even if someone has your password.
  • Use a password manager to store and generate strong, unique passwords.
  • Stay alert for phishing or strange activity on your accounts.
  • Scan your system for malware to make sure no infostealers are active.
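
A replayed session cookie skips the login step where 2FA is enforced, so a useful server-side check is to flag any session ID that reappears from a different client and force it to re-authenticate. The sketch below is an added example, not SOCRadar's code; the log layout, the sample events and the function names are constructed for illustration, and events are assumed to arrive in time order.

```python
# Constructed sample events (not real data), one authenticated request per line:
# "timestamp session_id user ip_address user_agent_family"
SAMPLE_LOG = """\
2025-06-20T09:00:01Z s-1001 alice 198.51.100.10 Chrome/Windows
2025-06-20T09:05:12Z s-1001 alice 198.51.100.10 Chrome/Windows
2025-06-20T09:06:40Z s-2002 bob 203.0.113.7 Firefox/Linux
2025-06-20T09:20:33Z s-1001 alice 192.0.2.55 Chrome/Linux
2025-06-20T09:21:02Z s-2002 bob 203.0.113.99 Firefox/Linux
2025-06-20T09:30:00Z malformed-line
"""


def parse_events(text):
    """Yield (timestamp, session_id, user, ip, agent); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            yield tuple(parts)


def find_suspect_sessions(text):
    """Return {session_id: reason} for sessions seen from more than one client.

    The first request of a session fixes its baseline client. A later request
    with a different user agent is flagged 'agent-changed' (strong signal);
    a different IP with the same agent is flagged 'ip-changed' (weaker,
    because mobile and VPN users legitimately roam between addresses).
    """
    baseline = {}
    suspects = {}
    for _ts, sid, _user, ip, agent in parse_events(text):
        if sid not in baseline:
            baseline[sid] = (ip, agent)
            continue
        base_ip, base_agent = baseline[sid]
        if agent != base_agent:
            suspects[sid] = "agent-changed"      # overrides a weaker flag
        elif ip != base_ip and sid not in suspects:
            suspects[sid] = "ip-changed"
    return suspects


if __name__ == "__main__":
    for sid, reason in find_suspect_sessions(SAMPLE_LOG).items():
        print(f"revoke and re-authenticate session {sid}: {reason}")
```
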

Final Thoughts

Infostealer malware can extract hundreds of credentials from a single infected machine, often including personal, work-related, and reused passwords. When those credentials offer access to corporate systems or admin panels, even a small log can lead to major damage.

The real issue isn’t just this latest “leak.” Logs like these have been circulating for years across dark web forums, private Telegram channels, and stealer markets. They continue to power phishing, credential-stuffing, and ransomware attacks.

SOCRadar Identity & Access Intelligence

According to Verizon, nearly a third of data breaches in the past decade involved stolen credentials. So while this particular archive isn’t a new breach, it’s part of a much larger, ongoing threat.

The stealer ecosystem is active, growing, and still poorly mitigated across many sectors.