On June 18, 2025, researchers revealed that over 16 billion usernames and passwords from major services—like Apple, Google, Facebook, GitHub, Telegram, and government platforms—were exposed in a massive online data leak. This is one of the largest credential leaks ever discovered.
What Happened
Cybersecurity experts from Cybernews found 30 separate datasets containing between tens of millions to over 3.5 billion login credentials each. These were not remnants of old breaches but fresh data likely gathered via malware that steals credentials from infected devices.
“This is not just a leak – it’s a blueprint for mass exploitation,” the researchers said via Forbes this week. “These aren’t just old breaches being recycled. This is fresh, weaponisable intelligence at scale.”
Why This Matters
If your username and password appeared in this leak, criminals could:
- Access your online accounts by trying the credentials (credential stuffing)
- Send targeted phishing messages to steal more information
- Create fake accounts or recover accounts in your name
And because many people reuse passwords, the risk can multiply across all your accounts.
Immediate Actions You Can Take
- Change Your Passwords Now
Start with accounts that use your standard or simple passwords. Choose strong, unique passwords for each account. - Use a Password Manager
A password manager helps you create and store unique, hard-to-guess passwords — so you only need to remember one. - Enable Two-Factor or Multi-Factor Authentication (2FA/MFA)
Add a second layer of security, such as a text message code, authenticator app, fingerprint, or security key. This helps even if your password is compromised. - Consider Using Passkeys
Passkeys use your phone or fingerprint instead of a password. They resist phishing and are becoming available on services like Gmail and YouTube. - Watch for Suspicious Activity
Monitor your accounts for unusual sign-ins or password reset emails you didn’t initiate. - Beware of Phishing Scams
Even if your data wasn’t leaked, this incident may be used by criminals. Don’t click unexpected links in texts, emails, or social media. If in doubt, go directly to the website rather than clicking a link.
Why Long-Term Protection Matters
Large credential leaks like this one happen more often than most people realize—and they don’t stop at passwords. Credentials can be sold on the dark web, used for scams, and leveraged to break into additional accounts.
Lynette Owens is Vice President of Consumer Education & Marketing at Trend Micro and Founder of the company's signature Internet Safety for Kids and Families program. With 30+ years in the tech industry, Lynette oversees global initiatives to help deliver the technology tools and education that people of all ages need to keep themselves and their families safe online. She serves on the advisory boards of the Identity Theft Resource Center's Alliance for Identity Resilience, the Global Anti-Scam Alliance, and INHOPE.