On June 22, 2025, new details emerged on how Apple, Facebook and Google users can upgrade from passwords to passkeys for better security. Cybersecurity experts have also clarified the scale and authenticity of the leaked data, as well as which services are affected.
News is still developing and will be updated as more facts come in.
Earlier reports from May revealed 184 million stolen credentials, which was already alarming. Now, researchers have discovered a leak of nearly 16 billion password details. This investigation has been underway for months and points to multiple infostealer groups as the source. Here’s what users need to know.
Confirmation of the Largest Credential Leak
The exposure of passwords leads directly to account takeovers and can put personal and business data at risk. This is why Google now urges billions to move to passkeys and why the FBI warns people not to click on suspicious links in messages.
Stolen passwords are traded in vast quantities on the dark web, and the latest findings raise new concerns for everyone online.
Vilius Petkauskas from Cybernews confirmed to Forbes that researchers have found 30 datasets in total, each with tens of millions to over 3.5 billion records. Together, these reach a total of 16 billion compromised credentials—the largest confirmed leak so far.
Cybersecurity professionals say that both intelligence agencies and hackers collect and use these credentials, sometimes repackaging and reselling them. While some debate whether this data includes old breaches, researchers are confident that most of it is new.
Each database contains login details for a range of services, from social platforms and VPNs to developer portals and government sites. The only previously reported data set is the 184 million mentioned earlier.
This leak is seen as a blueprint for cybercriminals, providing fresh information for phishing attempts and account takeovers. Researchers warn that most of these credentials are new and can be used by criminals on a massive scale.
Structure of the Exposed Data
Most leaked records are formatted as website URLs, usernames, and passwords. The information affects popular services, such as Apple, Facebook, Google, GitHub, Telegram, and government platforms.
Security researcher Bob Diachenko confirmed that none of the major companies, like Apple, Facebook, or Google, suffered direct breaches. Instead, the exposed credentials appear in logs from infostealer malware targeting these login pages.
While some reports have suggested otherwise, this incident does not stem from a single company’s breach. The risk remains high for anyone using reused credentials across different accounts.
Aras Nazarovas, a Cybernews researcher, noted a shift in how cybercriminals distribute stolen data. Rather than using chat groups, attackers now favour centralized databases, making it easier for large volumes of credentials to be shared or sold.
Strong Password Management Matters
Many leaks come not from hacking alone, but from mistakes that leave sensitive data unprotected online. Darren Guccione, CEO of Keeper Security, points out that this leak shows how easy it is for credentials to be exposed. Likely, many more databases are sitting unsecured in the cloud, waiting to be discovered.
Guccione stresses that credentials for widely used services carry serious risks. He suggests that individuals use password managers and dark web monitoring to get alerts if their details are exposed. This gives people a chance to act quickly and change passwords, especially if they’re reusing them.
Organizations also need to improve security by adopting zero-trust principles and strict access controls. This means always checking identities before allowing access to sensitive data, no matter where it’s stored.
Evan Dornbush, a former NSA cybersecurity expert and CEO of Desired Effect, emphasizes that even the strongest password is useless if the database storing it is stolen. That’s why it’s critical never to reuse passwords and to keep unique logins for every account.
George McGregor from Approov calls these leaks the first domino, leading to a chain reaction of cyberattacks. He says the research only highlights how easily hackers can obtain user identities.
Cybersecurity Requires Everyone’s Attention
There is debate over who is responsible for online safety. Javvad Malik from KnowBe4 says both organizations and users must play their part. He recommends choosing strong, unique passwords and enabling two-factor authentication whenever possible.
However, Paul Walsh, CEO of MetaCert, argues that blaming users is unfair. He believes the burden should fall on security providers to protect customers, as expecting everyone to spot every threat is unrealistic. Walsh’s company is developing systems to verify URLs and reduce phishing.
Time to Move from Passwords to Passkeys
If you use the same password on more than one site, it’s time to make changes. Consider using a password manager and, wherever possible, switch to passkeys.
Rew Islam, a security expert at Dashlane and FIDO Alliance co-chair, notes that passkeys are becoming more common. Facebook is now adopting them, following others in the industry. Islam says that as more companies offer passkeys, more users will move away from traditional passwords.
For those ready to switch, Apple, Facebook and Google all offer guides on moving from passwords to passkeys:
Islam admits there may be some hesitation, but most people are open to using face or fingerprint recognition instead of passwords. With more businesses joining in, passkeys are set to become the standard in the coming years.
Related Post
