
Latest news with #passwordleak

Is The Truth Behind The 16 Billion Passwords Leak Finally Revealed?

Forbes

30-06-2025


An exclusive new analysis of the 16 billion passwords leak database.

When I reported on the leak of approximately 16 billion credentials, including passwords, that involved prominent names in the consumer tech sector, such as Apple, Facebook, and Google, I knew it was a significant story. Still, I never expected it to go viral in the way that it did. That article currently has more than 2 million views from all around the world.

As I said from the get-go, the findings, from CyberNews researchers, concerned a leak, or more accurately leaks, rather than a breach of any centralized database. This didn't stop others from reporting the latter, and the story blew up out of all proportion. In an attempt to keep on top of the situation, I updated the original article as soon as new information was forthcoming, including the fact that numerous cybersecurity professionals had contested the claim that the data was new, rather than a compilation or aggregation of already leaked, compromised old credential datasets. Now, Group‑IB's Threat Intelligence & Attribution team has exclusively shared with me the results of an in-depth analysis of samples claiming to contain 16 billion compromised credentials, and this is what it revealed.

The 16 Billion Passwords Leak Analyzed

Semyon Botalov, a cyber intelligence analyst with Group‑IB's Threat Intelligence & Attribution team, has exclusively shared the results of an in-depth analysis of samples from what it says are the leaked datasets with me through email conversations. Botalov said Group-IB obtained samples from a repository described as containing 16 billion compromised Apple, Google, and Facebook credentials, and was part of the team that undertook a comprehensive review to verify data provenance, freshness, and potential impact of the information contained within.

The investigation began by gathering every accessible sample and filename mentioned in publicly shared screenshots and chat logs, Botalov told me, and then matching these partially redacted credentials against the Group-IB stealer log archive, totalling 17 billion records in all, that stretches from 2020 to 2025. This was achieved through the use of hashed and fuzzy-matching techniques. The first-seen timestamp for each credential pair was established, in order to pinpoint the earliest potential compromise date, and then cross-referenced with the folder names and directory structures of already-known public combolists and Telegram dumps. Finally, dark-web listings were sought that purported to be selling, or otherwise distributing, the 16 billion passwords dataset. The analysis has confirmed, Botalov said, that the dataset is 'an aggregation of historic stealer‑log data rather than a freshly sourced mega‑breach,' which confirms the thoughts of many security professionals.

Key Findings Of The 16 Billion Passwords Leak Analysis

The bullet point list of findings from Botalov and the other Group-IB analysts was as follows:

The latest updated CyberNews report, dated June 26, states that 'the data that most likely comes from various infostealers is recent, not merely recycled from old breaches,' while conceding that the 16 billion records count 'includes duplicates, as is common in these types of compilations.' I have approached both CyberNews and the researcher behind the original leak findings for a statement regarding the new analysis from Group-IB and Semyon Botalov.

As I have said before, while you may not want to change all your account passwords as a result of this leak, new or old, I would certainly recommend it for those credentials that you have reused across multiple services.

Silent Breach Exposes 16 Billion Passwords: 5 Things You Must Do Now

Forbes

30-06-2025


A staggering 16 billion passwords were exposed in a silent, decentralized breach compiled from years of malware activity — an unseen cyber threat now looming over governments and tech giants alike.

While the cybersecurity world was focused on usual suspects like ransomware gangs, nation-state espionage and zero-day exploits, something massive happened in the background. A credential leak of staggering proportions quietly spilled onto the open internet. No ransom note. No press release. No named corporate victim. Just a silent detonation of more than 16 billion individual records containing usernames and passwords for Apple, Google, Microsoft, Facebook and government accounts across 29 countries.

Let that sink in. Sixteen billion login records. The scope of this breach eclipses almost every known hack to date. Yet most people have never heard about it.

On June 26 2025, researchers at Cybernews revealed that they had discovered 30 unsecured datasets containing over 16 billion records. These were not theoretical vulnerabilities. These were usernames and passwords that provide real access to real systems. The data included everything from private citizen logins to accounts tied to government domains. Facebook, Telegram, Instagram, PayPal, Discord, Roblox — no platform seemed untouched. The data was formatted exactly as infostealing malware delivers it: a string of website URLs, usernames and passwords scraped from infected machines over time. And it was found online, publicly accessible for a period of time before being locked down.

One of the earlier warnings came from cybersecurity researcher Jeremiah Fowler, who in May uncovered 47GB of data with 184 million records, sitting in the open on an Elasticsearch server. The server was hosted by World Host Group, a global web hosting provider. Once alerted, the company disabled access and confirmed the server had been spun up by a fraudulent user. But the damage had already been done.

'This is probably one of the weirdest ones I've found in many years,' Fowler told Wired. 'As far as the risk factor here, this is way bigger than most of the stuff I find, because this is direct access into individual accounts. This is a cybercriminal's dream working list.'

It wasn't just tech companies that were implicated. Fowler found 220 government email addresses from more than two dozen countries, including the United States, United Kingdom, Canada, India, Israel and Australia.

  • May 2025: Fowler discovers 184 million exposed records, including government and enterprise credentials, and immediately notifies the hosting provider.
  • Early June 2025: World Host Group disables the server. No further public comment or disclosure from affected entities.
  • Mid-June 2025: Cybernews publishes a report about the larger aggregation of 30 databases, revealing the total exposure: 16 billion credentials.

Unlike high-profile hacks with clear attribution and corporate response, this breach is fragmented. It is the byproduct of years of careless digital hygiene, cybercriminal harvesting and the steady drip of malware-infected machines feeding stolen credentials into dark web markets.

How It Happened: Death By A Thousand Infostealers

This was not a hack in the conventional sense. No firewalls were breached. No zero-day vulnerabilities were exploited. Instead, the records were compiled over years using infostealer malware. Infostealer malware is a class of malicious software that silently lifts login credentials from infected devices.

Christiaan Beek of Rapid7 noted that the data showed 'a lot of overlap' and was 'a combination of old and new' credentials, adding that the aggregation itself posed a serious threat. 'It reflects around 30 separate breaches, stealer logs compiled over years,' he said.

Much of the leaked content appears to come from previously compromised password dumps. But according to Cybernews, the presence of fresh infostealer logs makes this breach 'particularly dangerous for organizations lacking multi-factor authentication or credential hygiene practices.'

Why This Leak Hasn't Made Headlines

Despite its unprecedented scale, this breach has flown under the radar, unlike the United Natural Foods hack, which triggered widespread headlines. One reason is that no single company was directly compromised. There was no named victim, no regulatory filing and no incident response to point to. The data was quietly compiled over years through malware infections and older breaches, then briefly exposed on an unmanaged server.

Without a clear villain or breach notification, traditional media had little to latch onto. They couldn't point to one actor or failure. In truth, we are all to blame.

Many of the records were previously stolen, which led some to dismiss the incident as old news. But that misses the point. The true threat lies in the scale, the recency and the way this data can now be weaponized by attackers against organizations that have not enforced basic security practices. Further, even though the records were previously stolen, a significant percentage were still active.

The Bigger Picture: What We Are Doing Wrong

This breach was not about a single company failing. It was about everyone failing.

As security analyst Chester Wisniewski of Sophos put it, 'These massive dumps are typically just a recycled pile of credentials with a few new ones sprinkled in.' But even old passwords still work when users reuse them. When organizations fail to enforce password resets. When there is no MFA. And therein lies the danger.

Infostealer malware is doing exactly what it was built to do: harvest credentials from unprotected machines. The real problem is how unprepared the world remains to stop it.

What Needs To Happen Now

This is a five-alarm fire for anyone not practicing basic cybersecurity hygiene. Sixteen billion records are now in circulation. Many are still active. Some are tied to government systems. And nearly all were exposed without any one company triggering the alarm.

This should be a wake-up call not just for IT departments, but for every executive and individual who relies on digital tools to function. This is not the time to assume you're safe. This is the time to act.

Five Immediate Actions For Individuals:

  • Change your passwords across all platforms: Start with your primary email, banking and social media accounts. If you use the same password in multiple places, change every one of them. Password reuse is the single biggest vulnerability exploited in these kinds of leaks.
  • Use unique passwords for every service: One password per account. No exceptions. This ensures that if one login is compromised, the rest remain safe. Use a password manager if you need help generating or storing them.
  • Enable multi-factor authentication on every account that allows it: MFA is no longer optional. Even a simple text message code can stop an attacker with your password. Wherever possible, use app-based or hardware key MFA for stronger protection.
  • Scan your devices for malware, especially infostealers: This data did not appear out of nowhere. It was harvested from infected machines. If you have not scanned your device recently, or if you have never run anti-malware software, now is the time. Infostealers run silently in the background, siphoning off your credentials without leaving a trace.
  • Monitor account activity for unauthorized access: Watch for unfamiliar logins, password reset attempts, or new devices on your accounts. Most services provide tools to review recent activity. Use them. Set up alerts for suspicious behavior. If anything looks off, change your credentials immediately.

Five Immediate Actions For Businesses And IT Leaders:

  • Deploy Endpoint Detection and Response tools: Infostealer malware thrives on unmanaged or poorly protected endpoints. EDR tools allow your security team to detect, isolate and remediate these threats in real time before they cause widespread damage.
  • Enforce password managers and centralized identity platforms: Encourage or, even better, mandate the use of enterprise-grade password managers. Combine that with Single Sign-On and identity federation to reduce the number of credentials employees must manage and attackers can steal.
  • Conduct ongoing employee security training: One-time training is not enough. Phishing and credential theft are constantly evolving. Organizations need to build a culture of cybersecurity awareness that reinforces good behavior, simulates attacks and rewards vigilance.
  • Implement real-time credential leak monitoring and dark web scanning: Do not wait for a breach notification. Be proactive. Invest in services that scan known dark web marketplaces and data dumps for your domains, employee emails and customer credentials. When a match is found, move fast to rotate access and contain the risk.
  • Apply Access Controls Based on Risk, Not Convenience: Implement role-based access and least privilege policies. Restrict administrative access to only those who absolutely need it. Too many organizations default to broad permissions, giving attackers more room to move once they are inside. Aligning access with actual job function reduces the blast radius when credentials are compromised.

The playbook is not complicated. But it does require discipline and urgency. The organizations that act now will be the ones still standing when the next wave of credential-based attacks begins.

Compliance Is the Starting Line, Not the Finish

Too many organizations mistake compliance for security. Checking the box on a framework does not stop infostealer malware. But it does give you a baseline.

Compliance is the first signal that your organization is taking security seriously. It offers structure, policy and governance. But it must be paired with continuous improvements, proactive monitoring and threat intelligence. Treating compliance as the finish line is like bolting your front door while leaving all the windows wide open.

A Sobering Reminder

This breach should be a sobering reminder that we are losing the war on credentials. Sixteen billion of them just got dumped onto the internet. Some old. Some new. All dangerous. And the biggest threat may not be the data itself, but how few people noticed.

If this breach did not reach your radar, let it serve as a wake-up call. If your organization is still relying on usernames and passwords without MFA or threat monitoring, you are playing defense without a helmet.

The calculus has now changed. Cybercriminals are not just breaking in. They are now logging in.

16 billion Apple, Facebook, Google passwords exposed in historic data leak: report

News.com.au

20-06-2025


A staggering 16 billion passwords to Apple, Facebook, Google, and various US government services have been leaked online, triggering global security alerts in what experts are calling the most significant data breach in history. The mammoth security breach has forced Google to urge billions of users to change their passwords immediately. At the same time, the FBI has issued warnings to Americans about opening suspicious links in SMS messages. Cybersecurity experts at Cybernews, who investigated the breach, discovered a whopping 30 exposed datasets containing between tens of millions and over 3.5 billion records each. Perhaps most alarmingly, researchers confirmed that nearly all these exposed datasets contain previously unreported information, making this an entirely fresh security crisis. 'This is not just a leak – it's a blueprint for mass exploitation,' the researchers said via Forbes this week. The leaked information mainly consists of URLs paired with login credentials and passwords, potentially giving hackers access to 'pretty much any online service imaginable, from Apple, Facebook, and Google, to GitHub, Telegram, and various government services.' The datasets appeared online only briefly – long enough to be discovered but too quickly for researchers to identify who controlled the data. 'These aren't just old breaches being recycled,' researchers said. 'This is fresh, weaponisable intelligence at scale.' Cybernews investigators believe the breach is the work of multiple 'infostealers' – malicious programs designed to harvest credentials from infected devices. While the total number of affected people is unclear, security experts are strongly advising the public to take immediate precautions. Users are being urged to invest in password management solutions, never share passwords across multiple platforms, and remain vigilant for signs their accounts may have been compromised. 
Investigators also warn this breach could fuel phishing attacks and account takeovers in the coming months.

16 Billion Apple, Facebook, Google And Other Passwords Leaked — Act Now

Forbes

19-06-2025


The biggest password leak in history confirmed.

Update, June 19, 2025: This story, originally published on June 18, has been updated with comments from the founders of Keeper Security regarding the 16 billion leaked passwords and other login credentials across the major tech vendor landscape.

If you thought that my May 23 report, confirming the leak of login data totaling an astonishing 184 million compromised credentials, was frightening, I hope you are sitting down now. Researchers have just confirmed what is also certainly the largest data breach ever, with an almost incredulous 16 billion login credentials, including passwords, exposed. As part of an ongoing investigation that started at the beginning of the year, the researchers have postulated that the massive password leak is the work of multiple infostealers. Here's what you need to know and do.

Password compromise is no joke; it leads to account compromise and that leads to, well, the compromise of most everything you hold dear in this technological-centric world we live in. It's why Google is telling billions of users to replace their passwords with much more secure passkeys. It's why the FBI is warning people not to click on links in SMS messages. It's why stolen passwords are up for sale, in their millions, on the dark web to anyone with the very little amount of cash required to purchase them. And it's why this latest revelation is, frankly, so darn concerning for everyone.

According to Vilius Petkauskas at Cybernews, whose researchers have been investigating the leakage since the start of the year, '30 exposed datasets containing from tens of millions to over 3.5 billion records each,' have been discovered. In total, Petkauskas has confirmed, the number of compromised records has now hit 16 billion. Let that sink in for a bit. These collections of login credentials, these databases stuffed full of compromised passwords, comprise what is thought to be the largest such leak in history.

The 16 billion strong leak, housed in a number of supermassive datasets, includes billions of login credentials from social media, VPNs, developer portals and user accounts for all the major vendors. Remarkably, I am told that none of these datasets have been reported as leaked previously; this is all new data. Well, almost none: the 184 million password database I mentioned at the start of the article is the only exception.

'This is not just a leak – it's a blueprint for mass exploitation,' the researchers said. And they are right. These credentials are ground zero for phishing attacks and account takeover. 'These aren't just old breaches being recycled,' they warned, 'this is fresh, weaponizable intelligence at scale.'

Most of that intelligence was structured in the format of a URL, followed by login details and a password. The information contained, the researchers stated, opens the door to 'pretty much any online service imaginable, from Apple, Facebook, and Google, to GitHub, Telegram, and various government services.'

Not all password databases are the result of compromise and infostealer malware, such as is the case with the 16 billion megadump here. Darren Guccione, the CEO and co-founder of Keeper Security, a privileged access management platform, told me that this GOAT passwords leak was an apt reminder of 'just how easy it is for sensitive data to be unintentionally exposed online.' And Guccione certainly isn't wrong, far from it in fact. This could be just the tip of the biggest security iceberg waiting to crash into the online world. I mean, just imagine how many exposed credentials, including passwords, are sitting there in the cloud, or more to the point in misconfigured cloud environments, waiting for someone to find them. If we are lucky, that someone will be a security researcher who responsibly discloses the exposure to the owner or host; if not, then it will be a malicious actor. Who would you put your money on?

'The fact that the credentials in question are of high value for widely used services carries with it far-reaching implications,' Guccione said, which is why it is more important than ever for consumers to invest in password management solutions and dark web monitoring tools. The latter can help by alerting users when their passwords have been exposed online, hopefully enabling them to take direct action and update their account logins if the password has been reused across services.

Organizations, however, do not escape the necessity of investment either. They should be looking at adopting zero-trust security models that provide privileged access controls to 'limit risk by ensuring access to sensitive systems is always authenticated, authorized and logged,' Guccione concluded, 'regardless of where the data lives.'

Ultimately, this reinforces that cybersecurity is not just a technical challenge but a shared responsibility. 'Organisations need to do their part in protecting users,' Javvad Malik, lead security awareness advocate at KnowBe4, said, 'and people need to remain vigilant and mindful of any attempts to steal login credentials. Choose strong and unique passwords, and implement multi factor authentication wherever possible.'

To which I would add: change your account passwords, use a password manager and switch to passkeys wherever possible. Now is the time to take this seriously, don't wait until your passwords show up in these ongoing leak datasets – get on top of your password security right now.

184 Million Passwords Leaked for Google, Facebook, Instagram and More. How to Protect Your Accounts

CNET

29-05-2025

  • Business

You might have seen the news of a database leak containing 184 million passwords tied to accounts from Microsoft, Google, Facebook, Instagram, Roblox and other organizations. The report by cybersecurity researcher Jeremiah Fowler on Website Planet says login credentials for bank and financial accounts, health platforms and government portals from numerous countries were also exposed.

The data was left unprotected by an unknown database owner and then accessed by cybercriminals via infostealer malware. Although the database has been removed from public access, the damage is seemingly done. So what should you do if you think any of your login credential data was compromised?

A percentage of the login credentials in the 47.42GB file are likely outdated. But some passwords and usernames may still be active. In fact, Fowler wrote in his post that he emailed multiple people whose information was in the database and they confirmed the emails and passwords were still in use.

How can I protect myself from this data leak?

If you think you were impacted by the bad actors who accessed this database, here are a few steps you should take as soon as possible to limit the potential damage.

Change your password

It's good to get in the habit of changing your passwords regularly. Your new passwords should be unique from other accounts. This thwarts a cybercriminal's ability to take over several of your accounts by using the same exposed login credentials. Keep in mind that the longer the password is the better, because it'll make it harder for bad actors to crack.

Start with account passwords we know may have been impacted in this data leak, like Instagram, Facebook, Google or Roblox. From there you can update other passwords to sensitive accounts you haven't updated in the past year.

Consider a password manager

If keeping track of all your different passwords is too cumbersome, you can sign up for a password manager. CNET recommends Bitwarden. Password managers create unique passwords for every online account you create and will scan the dark web for any compromised passwords. They even guard against phishing attacks by not autofilling passwords on suspicious websites.

Turn on two-factor authentication

You should turn on two-factor authentication for every online account you have. When a bad actor attempts to log into your account, you will receive a text message or email with a code to verify it's you logging in from a new device.

Be aware of phishing attacks

Cybercriminals will use stolen data to target potential victims via phishing attacks. These can occur over phone, text, email and even direct messages on social media. Do not click on any suspicious links, download files or scan QR codes from unknown sources.

You can't stop your data from being compromised in a leak or breach, but identity theft protection can monitor your information on the dark web and alert you if something is awry.
