Over 16 billion login credentials exposed from misconfigured databases, affecting major platforms like Apple, Google, and Facebook. Learn protection tips and understand the breach's magnitude.
Cybernews contributor and well-known researcher Bob Diachenko was sweeping the internet for exposed cloud instances when he stumbled onto a cluster of Elasticsearch and object‑storage buckets that hadn’t been locked down. Inside were 30 separate datasets—some as small as 16 million records, one as large as 3.5 billion—that together added up to 16 billion login pairs. The team verified the trove on June 19, 2025, and published initial findings the same day, dubbing it the biggest discovery since last year’s 26‑billion‑record MOAB leak.
Which services are affected?
Because the data was scraped from “infostealer” malware logs and credential‑stuffing collections, it touches almost every popular platform that uses a standard web login form, including:
- Apple (Apple ID / iCloud)
- Google (Gmail, YouTube, Workspace)
- Meta properties (Facebook, Instagram)
- GitHub and other developer portals
- Telegram
- A long tail of VPNs, e‑commerce shops, corporate SaaS tools and even some national and municipal government sites
Importantly, investigators stress there was no single hack of those companies’ servers; the credentials were siphoned from users’ own infected devices or recycled from past breaches, then aggregated in one gigantic, newly exposed cache.
The true magnitude
Sixteen billion username‑and‑password combos works out to roughly two accounts for every person on Earth. Overlap is inevitable, but researchers say most of the records are recent and “weaponisable,” often bundled with cookies and session tokens that can bypass two‑factor protections.
What exactly was leaked?
Typical record format:
https://service.com : [email protected] : P@ssw0rd!
Many logs also include:
- Device fingerprints
- Browser cookies / session tokens
- IP addresses and geolocation hints
That mix enables everything from low‑skill phishing to high‑impact business‑email‑compromise attacks, especially against users who reuse passwords or lack MFA.
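An added example, not from the original article: a parser for the `URL : login : password` layout shown above that lists which logins on an organisation's own domain need a reset, without retaining the passwords. The sample lines, the `example.com` domain and the function name are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in the "URL : login : password" layout.
SAMPLE = """\
https://sso.example.com/login : alice@example.com : P@ss:w0rd!
https://mail.example.com:8443/ : bob@example.com : hunter2
https://shop.example.net : carol@example.org : qwerty
not a record
https://vpn.example.com : Alice@example.com : P@ss:w0rd!
"""

# The field separator is " : " with whitespace on both sides. The URL contains
# ':' itself (scheme, port) and the password may too, so a plain split(":")
# would cut records in the wrong places.
RECORD = re.compile(r"^(?P<url>\S+?)\s+:\s+(?P<login>\S+)\s+:\s+(?P<password>.+)$")


def accounts_to_reset(text, monitored_domain):
    """Return ({login: [hosts]}, skipped) for hosts under monitored_domain."""
    hits = defaultdict(set)
    skipped = 0
    for line in text.splitlines():
        match = RECORD.match(line.strip())
        try:
            host = urlsplit(match["url"]).hostname if match else None
        except ValueError:          # malformed URL, e.g. broken IPv6 brackets
            host = None
        if not host:
            skipped += 1            # count unparseable lines instead of hiding them
            continue
        # Match the domain itself or a true subdomain, never a look-alike
        # such as "notexample.com".
        if host == monitored_domain or host.endswith("." + monitored_domain):
            # Only login and host are kept; the password is never stored.
            hits[match["login"].lower()].add(host)
    return {login: sorted(hosts) for login, hosts in hits.items()}, skipped


if __name__ == "__main__":
    affected, skipped = accounts_to_reset(SAMPLE, "example.com")
    for login, hosts in sorted(affected.items()):
        print(f"reset {login}: seen on {', '.join(hosts)}")
    print(f"{skipped} line(s) could not be parsed")
```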
What should users do now?
- Scan for malware first. If an infostealer is still on your device, any new passwords you create will be stolen again.
- Change passwords on your primary accounts immediately—email, cloud storage, banking, social media—then work outward. Given the breadth of services represented, assume any reused password is compromised.
- Use a password manager to generate unique, 20‑plus‑character passphrases for every site.
- Enable app‑based or hardware‑key two‑factor authentication (2FA) on all accounts that support it. Avoid SMS codes where possible.
- Monitor for suspicious logins and check services like Have I Been Pwned or Cybernews’ leak checker as they ingest the new data.
Do you need to reset every single password?
If you already follow best practices—unique password + 2FA per site—you can prioritise high‑value accounts. If you’ve reused any credential even once, this is the moment to rotate all of them. Better a long weekend of resets than months of account recovery hell.
Bottom line: This “mother of all” breach isn’t a new corporate hack, but its scale makes it the most dangerous credential compilation yet. Good hygiene—strong, unique passwords and robust 2FA—remains the best vaccine against the fallout.