Massive Password Leak Hits 16 Billion Accounts — What You Should Know and Do Now
This article, first published on June 18, now includes steps for switching to passkeys—a safer alternative to passwords—for Apple, Facebook, and Google users. It also features fresh insights from cybersecurity experts about this major leak.
If the leak of 184 million login credentials reported in May surprised you, this latest update is even more alarming. Researchers have now confirmed what may be the biggest password leak in history: hackers have exposed 16 billion login details online.
Several malware programs, known as infostealers, likely caused this massive data breach by silently collecting personal login data from infected devices. Researchers have been following this breach since the beginning of 2025 and have now located 30 sizeable datasets that contain hundreds of millions to over 3.5 billion records.
Why Is the 16 Billion Password Leak a Critical Issue?
Passwords are often the primary (and only) line of defence against hackers. Attackers can easily access your email, social media, bank accounts, and even government services when they find exposed credentials. This breach affects a wide range of platforms—including Apple, Google, Facebook, GitHub, Telegram, and more.
Security experts warn that cybercriminals can easily use this data because it’s mostly fresh, not reused from old leaks. The hackers structured the stolen information to include the website address, login, and password, which makes it extremely easy to exploit.
What Makes the 16 Billion Credential Leak So Dangerous?
Experts say this isn’t just a regular leak—it’s a toolkit for criminals. Hackers and even nation-state actors often sell these leaked credentials on the dark web and use them for phishing, identity theft, or hijacking accounts.
Lawrence Pingree, a cybersecurity leader, said that while it’s not always easy to tell if these are new or repackaged leaks, the scale—16 billion records—makes it clear this data is dangerous. The research team at Cybernews also confirmed that most of these records are newly leaked.
What Can You Do?
Security specialists recommend three key steps:
- Switch to Passkeys – Passkeys are a newer, safer alternative to passwords. Apple, Facebook, and Google now offer passkey options that work with fingerprint or face recognition, making them harder for hackers to steal.
- Use a Password Manager – Password management tools like Dashlane or Keeper let you store a strong, unique password for each account and can alert you if your passwords have been included in a data leak.
- Turn on Two-Factor Authentication (2FA) – Two-factor authentication adds a second layer of security by asking you to enter a code sent to your mobile phone when you log in.
Why Organizations Need to Do Better Too
Users are not the only party responsible for changing practices. Organizations also need to improve how they secure data, for example by moving to a zero-trust security model that limits and tracks access to sensitive data.
Cybersecurity experts also pointed out that misconfigured cloud systems often lead to accidental data leaks.
Industry Reactions
Some experts believe the focus on teaching users better security habits isn’t working. Paul Walsh, CEO of MetaCert, says that the idea of shared responsibility is misleading. He argues that if even security companies can’t detect threats effectively, everyday users shouldn’t be blamed for falling for phishing attacks.
Others believe passkeys are the future. Rew Islam from Dashlane, who also leads the FIDO Alliance, said many companies are now adopting passkeys, and more will follow soon—especially in light of the recent leak exposing 16 billion credentials. Facebook recently joined the collective effort to make it easier for users to ditch passwords and switch to more secure login options.