The Biggest Password Leak of All Time – 16 Billion Login Credentials Exposed

by Rainer Hofmann

June 20, 2025

It is a digital nightmare that is hard to surpass: On June 18 and 19, 2025, it became public that more than 16 billion stolen login credentials had surfaced online - an unprecedented incident in the history of IT security. The data comes from a patchwork of recent sources, automatically extracted by so-called infostealer malware and then compiled in a structured format. These malicious programs had previously been spread millions of times through booby-trapped websites, phishing emails, and tampered software downloads. The result: billions of login credentials - including URL, username, and password - were made available for sale or free download on underground platforms. The perpetrators have not yet been identified, but the damage is enormous - and global.

Affected accounts include those from Apple, Google, Facebook, X (formerly Twitter), Telegram, GitHub, banks, cloud services, and even government portals. Individual sub-archives contain up to 3.5 billion entries, and more than 30 such packages have been analyzed in total. Particularly alarming: a large portion of the logins dates from 2023 and 2024, meaning these are not outdated or "recycled" leaks. Security experts are sounding urgent warnings about a global surge in identity theft, phishing, extortion, and automated account takeovers. This leak is not an isolated event - it is a highly dangerous blueprint for digital attacks that had previously existed only in theory.

Anyone who fails to act now risks not only losing their privacy but also facing financial and professional harm. Every user should immediately change all passwords, especially for sensitive accounts like email, online banking, or social networks. Two-factor authentication (2FA) is essential - as is the use of secure password managers (e.g., Bitwarden, 1Password, KeePass). Services like "Have I Been Pwned?" should also be used to determine whether your own data has been compromised. If possible, users should switch to modern passkeys - they work without traditional passwords and are immune to phishing.

Lea Ofrafiki
3 months ago

Does this apply to Germany?
