Researchers say they’ve uncovered one of the largest data leaks in history that involves many popular platforms.
The leak includes nearly 16 billion login credentials that could give cybercriminals access to social media and business platforms such as Apple, Gmail, Telegram, Facebook, GitHub, and more, researchers at Cybernews said this week.
Bad actors now have “unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing,” the researchers said.
The number of exposed people or accounts is unknown. The researchers said the data likely comes from malicious software known as infostealers.
“What’s especially concerning is the structure and recency of these datasets — these aren’t just old breaches being recycled. This is fresh, weaponizable intelligence at scale,” the researchers said.
Cybernews said researchers uncovered the leak when the datasets were exposed for a short period of time.
It follows the May discovery of a database containing more than 184 million credentials, including Apple, Facebook, and Google logins, Wired earlier reported.
If you’re nervous that your logins are at risk, there are steps you can take to make your account safer.
How to protect yourself
You can’t unring the bell of an information leak. However, you can take steps to identify if your credentials have been involved in any data breaches and protect yourself in the future.
You can check sites like Have I Been Pwned to see if your email has appeared in a data breach.
Turning on two-step authentication for your accounts can also help protect them from unauthorized access.
Platforms also offer resources to help users secure their accounts.
Google encourages users to use protections that don’t require a password, like a passkey. It’s one of the tech giants, along with Apple, Amazon, and Microsoft, that have been working to move users away from passwords to help secure their accounts.
For those who prefer to stick with passwords, Google’s password manager can store login credentials and notify users if they appear in a breach, a spokesperson told Business Insider.
There’s also Google’s dark web report, a free tool that tracks whether personal information is floating around in online databases.
GitHub, an online coding platform, offers developers a guide on how to implement safety measures in their organizations. The site recommends creating a security policy, having strict password guidelines, and requiring two-factor authorization.
The data leak included logs — “often with tokens, cookies, and metadata,” which makes it “particularly dangerous for organizations lacking multi-factor authentication or credential hygiene practices,” the Cybernews team said.
Meta offers a Privacy Checkup tool for users to review their privacy and security account settings. There, you can turn on two-factor authentication and ensure Meta alerts you of unusual logins.
Meanwhile, Telegram said its primary login method sends a one-time password to users over SMS.
“As a result, this is far less relevant for Telegram users compared to other platforms where the password is always the same,” a Telegram spokesperson told BI about the data leak.
Apple, GitHub, and Meta did immediately respond to a request for comment on the data leak. Google said it was directing users to some of the security resources above.
