Every day, hundreds of millions of usernames and passwords float unseen across the internet, waiting for someone, or something, to scoop them up. Recent research from Cybernews shines a harsh light on just how vast that pool has grown: some 16 billion login records were briefly exposed online, ripe for cybercriminals to grab.
Infostealers, the malware programs designed to silently harvest credentials from infected devices, have done much of the heavy lifting. According to Bob Diachenko, the Ukrainian cybersecurity specialist who unearthed the data, most of what he found, “about 85 percent,” came directly from those sneaky tools. The remaining 15 percent? Historical breaches like LinkedIn’s leak, resurfaced and lumped in with fresh hauls.
The datasets didn’t sit openly for long. Poorly secured on remote servers, they were up only “briefly,” as Diachenko puts it, before being yanked offline. Yet that window was enough: he managed to download the troves, then started the painstaking work of identifying affected individuals and organizations. He plans to reach out to those whose accounts were compromised, but with billions of records, it won’t be quick.
“It will take some time, of course, because it is an enormous amount of data,” he admits.
Still, some experts caution there may be less here than it seems. An anonymous researcher told Cybernews that overlaps (duplicate entries across datasets) could inflate the headline figure. In other words, while 16 billion sounds catastrophic, the real number of unique accounts at risk is probably lower.
And it’s not as if Facebook, Apple or Google suffered a direct breach. The exposed logs simply contained URLs pointing to their login pages, along with stolen credentials. Meta and Apple have been contacted; Google stresses there was no breach on their end and urges users to rely on built-in tools like Google Password Manager.
Tools such as haveibeenpwned.com still offer an easy way to check your email against known leaks. If your address shows up, you know it’s time to change passwords again.
Why bother? Because these infostealer logs pack a neat structure: URL, username, password. For a cybercriminal, that’s a ready-made blueprint for account takeover, identity theft or spear-phishing campaigns. Even if most of these credentials are recycled or already circulating among bad actors, the sheer volume underscores the raw scale of data out there.
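To make the overlap point and the URL, username, password structure concrete, here is an added example (not code from the article or from the researchers) showing how a responder preparing notifications might collapse overlapping datasets into a unique-account count. The colon-delimited line layout, the sample lines, and the `triage` function name are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import secrets
from collections import Counter
from urllib.parse import urlsplit

# Assumption: one record per line as URL:username:password.
# The article names the three fields but not the delimiter.
LINE_RE = re.compile(
    r"^(https?://[^/\s:]+(?::\d+)?(?:/[^\s:]*)?)"  # URL with optional port and path
    r":([^:]+)"                                     # username
    r":(.*)$"                                       # password (may itself contain ':')
)

# Constructed sample data: two "datasets" that partly overlap.
DATASET_A = """\
https://login.example.com/signin:alice@example.org:Summer2024!
https://login.example.com/signin:bob@example.org:hunter2
https://portal.example.net:8443/auth:carol:pa:ss:word
this line is not a credential record
"""
DATASET_B = """\
https://LOGIN.example.com/signin:Alice@Example.org:Summer2024!
https://login.example.com/signin:alice@example.org:Winter2025!
https://portal.example.net:8443/auth:carol:pa:ss:word
"""

def triage(datasets):
    # Per-run HMAC key: digests allow de-duplication without keeping plaintext
    # passwords, and are meaningless outside this process.
    key = secrets.token_bytes(32)
    records, accounts, per_host = set(), set(), Counter()
    total = malformed = 0
    for text in datasets:
        for line in filter(None, map(str.strip, text.splitlines())):
            total += 1
            m = LINE_RE.match(line)
            if not m:
                malformed += 1
                continue
            url, user, password = m.groups()
            host = urlsplit(url).hostname  # lower-cased, port stripped
            user = user.strip().lower()    # assumption: usernames are case-insensitive
            records.add((host, user, hmac.new(key, password.encode(), hashlib.sha256).digest()))
            if (host, user) not in accounts:
                accounts.add((host, user))
                per_host[host] += 1
    return {"lines": total, "malformed": malformed, "unique_records": len(records),
            "unique_accounts": len(accounts), "accounts_per_host": dict(per_host)}
```

Calling `triage([DATASET_A, DATASET_B])` on the constructed input reduces seven lines to four distinct records and three accounts to notify, which is the kind of gap between headline count and unique accounts the anonymous researcher describes.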
“While you’d be right to be startled at the huge volume of data exposed in this leak, it’s important to note that there is no new threat here,” says Peter Mackenzie of Sophos. “This data will have already likely been in circulation. What we’re understanding is the depth of information available to cybercriminals.”
Depth indeed. Malicious actors scour forums and dark-web markets, swapping and repackaging old breaches alongside fresh infostealer dumps. Having millions of possible passwords at your fingertips changes the game: credential-stuffing attacks become trivial.
Tougher security measures aren’t just nice-to-have; they’re essential. Multifactor authentication (MFA), the simplest upgrade, pairs your password with a second form of verification, often a code sent to your phone. Beyond that, passkeys (password-free logins backed by cryptographic tokens) are gaining traction thanks to support from Google and Meta. For now, most people rely on password managers to generate and store strong, unique passwords for each account.
“It is an important reminder to everyone to take proactive steps to update passwords, use a password manager and employ multifactor authentication,” Mackenzie adds.
Toby Lewis, who oversees threat analysis at Darktrace, points out that infostealers don’t actually hijack your account directly. They scrape cookies and browser metadata, collecting what’s already there. If you’re diligent, watching for unusual login alerts, using a password manager, and keeping MFA on, you reduce the risks dramatically.
Still, a sobering thought: all data is eventually breached. Alan Woodward, a cybersecurity professor at Surrey University, calls this a perfect moment for a “password spring cleaning.” Go through your digital accounts. Change weak or duplicate passwords. Turn on MFA everywhere possible. Delete old accounts you no longer use.
Because when the next infostealer harvest appears, and it will, your best defense is a habit of strong, unique passwords and layered authentication. No single measure is foolproof. But together, they make the cybercriminal’s job a whole lot harder.