In one of the largest credential leaks in internet history, over 16 billion usernames, passwords, and session tokens have been exposed online. The data was not the result of a single high-profile breach, but rather the outcome of infostealer malware infections across millions of individual devices. Security researchers at Cybernews uncovered 30 separate data dumps, collectively holding login information tied to platforms such as Google, Apple, Microsoft, Netflix, PayPal, and even government portals.
These credentials weren’t harvested from the companies themselves. Instead, attackers relied on malware to infect user devices and extract browser-stored passwords, autofill data, session cookies, clipboard contents, and other sensitive information. The malware then silently uploaded this data to attacker-controlled servers, eventually making its way to the dark web and leak forums. Because of this method, victims may have never realized their device was compromised.
The types of information exposed include email and password combinations, social logins like Google and Facebook, session tokens that can bypass multi-factor authentication, and cookies that can allow attackers to impersonate users. Even strong passwords and 2FA may not be enough if your device was infected and your session information was stolen.
If you want to stay secure, there are a few steps you should take immediately. First, change your most important passwords—especially those tied to your email accounts, banking platforms, work accounts, and cloud identity services like your Apple ID or Google login. Use long, complex, and unique passwords for each. Second, enable two-factor authentication wherever possible, preferably using authenticator apps or hardware security keys instead of SMS-based methods. Third, if the platforms you use support it, switch to passkeys. They are a phishing-resistant, passwordless login method that offers a strong layer of protection. Fourth, run a full malware and antivirus scan on your devices. Infostealer malware often runs in the background without any signs of infection, so it’s important to do a full cleanup. Finally, check whether your credentials have been compromised using services like Have I Been Pwned, and consider enabling dark web monitoring from your antivirus or identity protection provider.
While the scale of this leak is unprecedented, individuals are not powerless. With good security hygiene—up-to-date antivirus, strong passwords, 2FA, and new authentication tools like passkeys—users can significantly reduce their risk of account takeovers and identity theft. Even if you haven’t seen any suspicious activity, it’s better to act now than wait for something to go wrong.
