Go change your passwords; 16bn login records were just exposed

Millions of internet users have been urged to update their passwords following the discovery of a vast cache of potentially compromised login credentials. Researchers at Cybernews revealed that over 16 billion login records have been exposed online, sparking fresh concerns over digital security and identity theft.

The trove of credentials — collected from malware known as "infostealers" and past data breaches — was temporarily accessible via poorly secured remote servers. Although many of the records are thought to be duplicates, the sheer volume has alarmed cybersecurity specialists.

The leaked credentials could potentially grant unauthorised access to accounts on platforms such as Facebook, Apple, and Google. However, there is no evidence of a direct breach at these companies. A spokesperson for Google confirmed that the data did not originate from a breach of its systems and encouraged users to enable password managers and two-factor authentication.

Bob Diachenko, the independent cybersecurity analyst who led the research, said the data appeared online for only a short period before being removed. He is working to alert individuals and organisations whose information may have been exposed. According to Diachenko, the majority of the records — around 85% — originated from infostealer logs, with the rest traced back to previous leaks including the LinkedIn breach.

While experts have cautioned that much of the data may already have been circulating among cybercriminals, they say the discovery underscores the importance of good security hygiene. Recommendations include using complex, unique passwords, enabling multifactor authentication, and employing passkeys where possible.

Users can check if their email addresses have been compromised by visiting haveibeenpwned.com, a free online tool for verifying data breaches.

Cybernews described the leaked datasets as a "blueprint for mass exploitation", warning that they could be used for identity theft, phishing, and account takeovers. Although the datasets have since been taken down, the brief exposure highlights the scale of sensitive information circulating online — and the ease with which it can fall into the wrong hands.