A record 16 billion passwords have been exposed in a massive data breach uncovered by cybersecurity researchers working with Cybernews, according to Vilius Petkauskas.
These credentials weren’t recycled from old hacks or reposted from public breaches. They’re new, undocumented, and highly dangerous.
Petkauskas and his team confirmed they’ve spent months digging through the mess, identifying 30 different datasets, each containing tens of millions to 3.5 billion records.
Researchers link data breach to global platforms and fresh hacks
Every one of those files contains real user login credentials—email addresses, usernames, and passwords—ready to be exploited. The scale is beyond anything seen before. Petkauskas called it the largest ever confirmed dump of stolen access data.
Most of the leaked material had never been seen publicly. Only one exception exists: a 184 million-password database that had already made its rounds online. Everything else? Completely new. And not random garbage either.
The data is structured—clean rows showing the platform’s URL, followed by usernames and passwords. It’s a hacker’s dream because it can be plugged into automated attack tools without any tweaking. That’s why researchers warned that this isn’t just another leak. This is what mass account takeovers are built on.
The exposed credentials give access to major platforms like Apple, Google, Facebook, GitHub, Telegram, and even some government portals. The danger here isn’t just scale—it’s quality. These aren’t expired, irrelevant logins. The data points to live accounts, many still in use. Petkauskas and his team said the leak could lead to large-scale phishing campaigns, credential stuffing attacks, and direct account hijacks across every major tech ecosystem.
The researcher saw how the credentials were structured, stored, and bundled. The uniform formatting and lack of prior exposure suggest these weren’t collected passively. They were scraped or exfiltrated using active tools—most likely infostealer malware—and gathered into datasets optimized for sale or deployment.
Some datasets included developer portal logins, VPN accounts, and enterprise credentials, giving attackers the keys to both personal and corporate systems.
Darren Guccione, co-founder and CEO of Keeper Security, said this “GOAT passwords leak” shows how often companies unintentionally leave sensitive data out in the open. Guccione said misconfigured cloud setups are still a massive vulnerability. In some cases, credentials are dumped into cloud buckets without any access controls. “This could be just the tip of the biggest security iceberg waiting to crash into the online world,” Darren said.
Massive organizations with decentralized teams keep making the same mistakes: pushing data to shared drives, leaving logs unprotected, and using basic passwords across systems. That’s how you end up with billions of records floating around. Darren said, “The fact that the credentials in question are of high value for widely used services carries with it far-reaching implications.”
