
The 16-Billion-Record Data Breach That No One's Ever Heard of (cybernews.com) 16

An anonymous reader quotes a report from Cybernews: Several collections of login credentials reveal one of the largest data breaches in history, totaling a humongous 16 billion exposed login credentials. The data most likely originates from various infostealers. Unnecessarily compiling sensitive information can be as damaging as actively trying to steal it. For example, the Cybernews research team discovered a plethora of supermassive datasets, housing billions upon billions of login credentials. From social media and corporate platforms to VPNs and developer portals, no stone was left unturned.

Our team has been closely monitoring the web since the beginning of the year. So far, they've discovered 30 exposed datasets containing from tens of millions to over 3.5 billion records each. In total, the researchers uncovered an unimaginable 16 billion records. None of the exposed datasets were reported previously, bar one: in late May, Wired magazine reported a security researcher discovering a "mysterious database" with 184 million records. It barely scratches the top 20 of what the team discovered. Most worryingly, researchers claim new massive datasets emerge every few weeks, signaling how prevalent infostealer malware truly is.

"This is not just a leak -- it's a blueprint for mass exploitation. With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing. What's especially concerning is the structure and recency of these datasets -- these aren't just old breaches being recycled. This is fresh, weaponizable intelligence at scale," researchers said. The only silver lining here is that all of the datasets were exposed only briefly: long enough for researchers to uncover them, but not long enough to find who was controlling vast amounts of data. Most of the datasets were temporarily accessible through unsecured Elasticsearch or object storage instances.
Key details to be aware of:
- The records include billions of login credentials, often structured as URL, login, and password.
- The datasets include both old and recent breaches, many with cookies, tokens, and metadata, making them especially dangerous for organizations without multi-factor authentication or strong credential practices.
- Exposed services span major platforms like Apple, Google, Facebook, Telegram, GitHub, and even government services.
- The largest dataset alone includes 3.5 billion records, while one associated with the Russian Federation has over 455 million; many dataset names suggest links to malware or specific regions.
- Ownership of the leaked data is unclear, but its potential for phishing, identity theft, and ransomware is severe -- especially since even a
- Basic cyber hygiene -- such as regularly updating strong passwords and scanning for malware -- is currently the best line of defense for users.

  • Is there an online tool to search for my username/log in?

    I'd like to know if I'm in the dataset.

  • Make the risk of holding unnecessary data too expensive.
    i.e. make it $100 per "victim" to be paid out, and the directors also held personally liable for $$ OR with 10 years prison.

    Suddenly much less data will be collected, currently it's no risk, no care taken.
    • I was waiting for somebody to say something like this.

      The problem with this approach is that there is NO perfect solution. You can do *everything* right and still get hacked. Penalizing people for being robbed won't stop people from being robbed.

      Instead, how about lock up the criminals who break in to systems. That won't stop it either, but it's at least punishing the criminal, instead of the victim.

      • The thing is ALL these companies gather as much information as they can, that they do not need for any purpose except to have it and sell it.

        Why the hell do I need to "register" and use their "App" for home appliances that do NOT need internet access, e.g. hot air fryers, dryers, washing machines.

        ALL I want to do when I buy something is to choose it, pay for it, and have it shipped, they do NOT need to know my email address, date of birth, etc etc etc, they do NOT need to "Store" my credit card number for
        • If you don't want businesses to have all that information about you, why do you give it to them? I certainly don't.

          Did you know that you don't have to register that new appliance? The warranty is still in effect even if you don't. Just keep the purchase receipt. There are still plenty of appliances of all types, that don't require an app or registration. If you *really* want to stay anonymous, shop at resale shops, pay cash. You can find all those things at second-hand or thrift stores.

          If you *do* choose to

          • 100% secure, don't have anything for them to steal.

            As I say, we need to push hard for data minimisation, not maximisation and the ONLY way that will happen is when it presents financial risk.

            And yes, I do all of those things, but MOST people don't and with data sharing etc they can effectively track you anyway.

            And many appliances with IoT capabilities do NOT give you full functionality unless they can phone home and share data.
            • Most people don't do those things because they really don't value privacy. Need proof? Facebook is now charging $10 per month for privacy in some countries. https://www.wired.com/story/me... [wired.com] There aren't any hard numbers yet, but I doubt many will pay.

              As soon as you put a price on privacy, people will generally opt for the free, nonprivate version.

              While this is an interesting conversation, it doesn't change the original premise that one should not punish victims (companies that are breached by hackers).

  • by fahrbot-bot ( 874524 ) on Thursday June 19, 2025 @06:58PM (#65462085)

    Exposed services span major platforms like Apple, Google, Facebook, Telegram, GitHub, and even government services.

    Luckily, here in the U.S. DOGE has consolidated copies of all our government data from the various independent agencies into one place - oh, wait ...

  • There are about 8 billion people on earth. Those other 8 billion records belong to...aliens?

    • There are about 8 billion people on earth. Those other 8 billion records belong to...aliens?

      If you're using the same login/password everywhere, you're part of the problem.
      If people have 8 different ones, then only 2 billion people are needed.

    • How many accounts / logins do you have personally? probably more than 5 or 10 or 20.
      • I doubt it's actually 16 billion distinct accounts. The information is likely *full* of redundancy.

        • by Anonymous Coward
          at least a million of them are my sockpuppets on slashdot.