Recommended reading

16 billion accounts exposed in one of the largest data breaches in history — enormous data haul holds two accounts for every human alive

News
By published

Another major security event acts as a stark reminder to regularly change passwords and login credentials.

3D illustration of several file cabinets full of folders.
(Image credit: Shutterstock)

One of the largest data breaches ever seen has recently hit the public, sharing 16 billion brand-new leaked login credentials. While major data breaches of this scale are typically full of billions of previously leaked credentials, today's megaleak is made of almost entirely previously unreported databases.

Cybernews, the team responsible for IDing and cataloging a significant number of previous major leaks, assembled the datasets making up this most recent 16B leak. Only one dataset in the breach, a 184 million-record batch reported by Wired, had been previously reported. The rest are all new from all over the world, including three distinct batches that held over 1 billion credentials each.

The datasets that make up the 16B breach are largely unconnected and have been uncovered by security researchers since January. The largest batch, sourced from Portuguese-speaking populations, contains 3.5 billion credentials, with other major batches named after Russian logins, Telegram logins, and a host of largely generic names.

Concerningly, it is not yet known who originally owned most of the data batches making up the breach. This means that clear action items to wipe your data from these collections cannot be issued, nor can researchers tell what attacks were being considered for the data.

As with all mega security breaches, the 16B mystery leak serves as a loud reminder to practice clean internet hygiene by choosing secure passwords that are changed semi-regularly. The breach has not yet hit the same notoriety as other, snappier-named breaches like the RockYou2024 breach or the 26-billion-logins MOAB breach, meaning data brokers may not have exploited the logins.

It also means that databases that serve to warn users about their compromised data have not yet been populated with the leaked accounts. Internet browsers like Firefox or Chrome that warn users of compromised credentials or third-party tools like Cybernews' data leak checker haven't yet been updated with the newly revealed stolen credentials.

Large collections of stolen credentials like the ones making up this megaleak are often used in major digital offensives like phishing scams or other attacks that scale up well. So ,beyond ensuring your passwords are safe and haven't gone unchanged in 10+ years, being wary of phishing and other likely scams is also good internet safety that should always be practiced, especially in the wake of cybersecurity events like this one.

Follow Tom's Hardware on Google News to get our up-to-date news, analysis, and reviews in your feeds. Make sure to click the Follow button.

Sunny Grimm
Sunny Grimm
Contributing Writer

Sunny Grimm is a contributing writer for Tom's Hardware. He has been building and breaking computers since 2017, serving as the resident youngster at Tom's. From APUs to RGB, Sunny has a handle on all the latest tech news.

9 Comments Comment from the forums
  • Math Geek
    it should be a crime to not encrypt any and all data help by ANY company. CEO, head of IT/security, and anyone else making such decisions should spend lots and lots of time in jail for every breach of usable data.

    there's just no excuse these days to have important/confidential data unencrypted during any storage phase.
    Reply
  • bit_user
    The article said:
    Another major security event acts as a stark reminder to regularly change passwords and login credentials.
    If the leak came from a browser hack, then you'd want to make sure it's patched before changing your passwords. That's why I think it's important to see if we can get more info about it. I guess there's probably no harm in changing them twice, but simply changing them might provide a false sense of security.
    Reply
  • bit_user
    Math Geek said:
    it should be a crime to not encrypt any and all data help by ANY company. CEO, head of IT/security, and anyone else making such decisions should spend lots and lots of time in jail for every breach of usable data.

    there's just no excuse these days to have important/confidential data unencrypted during any storage phase.
    Eh, it's such a large number and covering such a diverse range of service providers, some which take security rather seriously, that it's pretty clearly not a simple case of failing to take such basic steps in securing authentication data. That's why my thoughts immediately go towards a more fundamental exploit, like a browser hack.
    Reply
  • Neilbob
    Not quite related to passwords and such like, but stuff like this is why I never, ever save my card details or store any other financial things if I'm forced to buy something online. They almost all ask to 'make it quicker and easier in future'.

    I think I'd rather take the extra minute to enter the details manually than risk some nefarious character getting hold of it just for the sake of convenience.
    Reply
  • mrdoc22
    When users are requested to change they password reguarly they just a number to the old one.
    (Secure) LOL.
    Reply
  • USAFRet
    Yet again, my credentials are subject to "outside", through no fault of my own.

    I can keep my data safe.
    But it seems they cannot keep my data safe.
    Reply
  • USAFRet
    Neilbob said:
    Not quite related to passwords and such like, but stuff like this is why I never, ever save my card details or store any other financial things if I'm forced to buy something online. They almost all ask to 'make it quicker and easier in future'.

    I think I'd rather take the extra minute to enter the details manually than risk some nefarious character getting hold of it just for the sake of convenience.
    I do the same.

    But it makes no difference when their system is compromised.
    Reply
  • mrdoc22
    No need for databases and encryption,
    just save the passwords in a textfile and use SHA-128.
    (irony may occur)
    Reply
  • Bob.B
    Admin said:
    A collection of entirely new data leak datasets has been uncovered by security researchers, exposing 16 billion new records to the public. The data was sourced from around the world, with breaches on this scale easily contributing to massive future attacks.

    16 billion accounts exposed in one of the largest data breaches in history — enormous data haul holds two accounts for every human alive : Read more
    At a base level set up all bank and cc accts to send a text/e-mail for all activity.
    Reply