16 Billion+ Credential Combinations Compiled in "New" Leaked Dataset

[Lurick]

Summary

Around 16 billion login credential combinations have been essentially recompiled into a much easier to use format commonly associated with infostealer malware. Not a new breach but just makes attacks on past exposures much easier to use

 

Quotes

Forbes:

Quote

According to Vilius Petkauskas at Cybernews, whose researchers have been investigating the leakage since the start of the year, “30 exposed datasets containing from tens of millions to over 3.5 billion records each,” have been discovered. In total, Petkauskas has confirmed, the number of compromised records has now hit 16 billion.

Bleeping Computer:

Quote

News broke today of a "mother of all breaches," sparking wide media coverage filled with warnings and fear-mongering. However, it appears to be a compilation of previously leaked credentials stolen by infostealers, exposed in data breaches, and via credential stuffing attacks.

To be clear, this is not a new data breach, or a breach at all, and the websites involved were not recently compromised to steal these credentials.

 

My thoughts

That's definitely a fair number of combinations but it appears most of these are not new but just reformatted into easier to exploit formats. It's still a good idea to remind everyone if you use shorter or less complex passwords on popular sites it might be a good idea to change passwords and ensure you have MFA enabled on all the places that support it too.

 

Sources

https://www.bleepingcomputer.com/news/security/no-the-16-billion-credentials-leak-is-not-a-new-data-breach/

https://www.forbes.com/sites/daveywinder/2025/06/19/16-billion-apple-facebook-google-passwords-leaked---change-yours-now/

https://cybernews.com/security/billions-credentials-exposed-infostealers-data-leak/

 

[TetraSky]

So it's just a collection of existing breaches... Nothing to see here, move along.

 

But really, it just highlights the importance of having a password manager for unique identifier and/or passwords. If one leaks, nothing else is affected.

Bonus point if you don't put real answers in those stupid "security questions" some websites ask. Keep the fake answers in your password manager.

[OhioYJ]

3 hours ago, TetraSky said:

Bonus point if you don't put real answers in those stupid "security questions" some websites ask. 

This for sure. Don't forget birthdates too.  Plus you'll get told happy birthday throughout the year at random times. 

[kirashi]

On 6/20/2025 at 7:31 AM, OhioYJ said:

This for sure. Don't forget birthdates too.  Plus you'll get told happy birthday throughout the year at random times. 

The only problem with using fake identification information (name, date of birth, address, phone number, etc.) is that you'll lose access to the account the moment the service decides your account needs identity verification for whatever reason. If the account is to your Club Penguin account (RIP), no big deal. But if the account is the same one you use to manage your business's Facebook Page(s), welp, goodbye business pages forever.

 

For the record, I don't like giving out more personal information than necessary, but I also think about why a service might need this information before I decide if faking the information is a risk I can live with. Lots of people I know don't even think about this, only to later demand that I help them "hack into their account" when they eventually get locked out and don't know any of the information they used to originally sign up.