Category: Cyber Security | Published: 2025-07-03
Two Login Credentials for Every Person on Earth
Security researchers at Cybernews have uncovered an unprecedented cache of login data scattered across unsecured web databases. These exposed collections, some open to the internet only briefly, were mostly hosted on misconfigured Elasticsearch instances or cloud object storage services, making them accessible without authentication.
All but one of the 30 datasets involved in the breach had not been reported previously. Combined, they include roughly two login credentials for every person on Earth!
A Blueprint For Mass Exploitation
_“This is not just a leak – it’s a blueprint for mass exploitation,”_ said the Cybernews team, who have been tracking the breach since early 2024. _“The structure and recency of these datasets make them particularly dangerous.”_
From Apple, Google, Facebook, and More
While large-scale data breaches have become disturbingly common, this incident stands out for the freshness of the data and the scope of what’s included. For example, Cybernews has reported that the breach includes login credentials drawn from a huge range of services including Apple, Google, Facebook, GitHub, Telegram, VPNs, and even government portals.
More Than Just Usernames and Passwords
The datasets primarily consist of credentials stolen by infostealers, malicious software designed to extract sensitive information from infected computers. Once installed (often via phishing emails, fake software updates, or pirated software), infostealers scan the victim’s device for stored logins, cookies, authentication tokens, and autofill data. These details are then quietly sent back to attackers’ servers.
Cybernews reports that in most cases the stolen data follows a familiar format: the website URL, the username or email address, and the associated password. Some records are reported to include extra metadata, such as session cookies or two-factor authentication tokens, which can significantly help attackers bypass security protections.
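The URL, login and password layout described above is what a security team actually receives when a dump is shared with them, so the first job is triage: parse it, deduplicate it, and find which of your own accounts appear, distinguishing records that also carry cookie or token material (a password reset alone does not invalidate a stolen session). The following script is an added example, not Cybernews’ tooling; the sample lines, the example.com domains and the heuristics for splitting fields are all constructed for illustration.

```python
"""Triage of a credential dump in the URL:login:password layout.
Added example, not Cybernews' tooling; sample lines are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records covering the common shapes: a port in the URL,
# a duplicate, a non-http scheme, trailing cookie/token material after the
# password, and a junk line.
SAMPLE_DUMP = """\
https://mail.example.com/login:alice@example.com:Summer2024!
https://portal.example.com:8443/auth:bob@example.com:hunter2
http://shop.othersite.test/account:carol@gmail.com:qwerty
https://mail.example.com/login:alice@example.com:Summer2024!
https://vpn.example.com/:dave@example.com:P@ssw0rd:SESSIONID=abc123
android://com.example.app/:erin@example.com:letmein
garbage line without separators
"""

# The URL is matched first so that '://' and ':port' are not mistaken for the
# field separator; login and password follow as the next two ':'-fields.
RECORD_RE = re.compile(
    r"^(?P<url>[a-z][a-z0-9+.-]*://[^/\s:]+(?::\d+)?(?:/[^\s:]*)?)"
    r":(?P<login>[^:\s]+):(?P<rest>.*)$",
    re.IGNORECASE,
)


def parse_record(line):
    """Return (host, login, password, has_session_material) or None for junk.

    Heuristic: the text after the second separator up to the next ':' is the
    password; any further 'key=value' fields are treated as cookie or token
    material and only their presence is recorded, never the value. A password
    that itself contains ':' is truncated by this heuristic.
    """
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    host = urlsplit(m["url"]).hostname
    if not host:
        return None
    password, *extras = m["rest"].split(":")
    has_session_material = any("=" in f for f in extras)
    return host.lower(), m["login"].lower(), password, has_session_material


def in_scope(host, our_domains):
    """True if host is one of our domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in our_domains)


def triage(dump_text, our_domains):
    """Deduplicate the dump and list our accounts that appear in it."""
    our_domains = [d.lower() for d in our_domains]
    seen = set()
    skipped = 0
    affected = defaultdict(lambda: {"hosts": set(), "session_material": False})
    for line in dump_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            skipped += 1
            continue
        host, login, password, extra = rec
        key = (host, login, password)
        if key in seen:          # exact duplicate, common across combolists
            continue
        seen.add(key)
        if in_scope(host, our_domains):
            affected[login]["hosts"].add(host)
            affected[login]["session_material"] |= extra
    return {
        "unique_records": len(seen),
        "skipped_lines": skipped,
        "affected_accounts": {
            login: {"hosts": sorted(v["hosts"]),
                    "session_material": v["session_material"]}
            for login, v in sorted(affected.items())
        },
    }


if __name__ == "__main__":
    report = triage(SAMPLE_DUMP, ["example.com"])
    print(f"{report['unique_records']} unique records, "
          f"{report['skipped_lines']} unparseable line(s)")
    for login, info in report["affected_accounts"].items():
        action = ("reset password + revoke sessions" if info["session_material"]
                  else "reset password")
        print(f"  {login}: {', '.join(info['hosts'])} -> {action}")
```

Note that `com.example.app` is deliberately not matched as `example.com`: an in-scope test must compare whole domain labels, not substrings, or the report fills with unrelated hosts.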
Cybernews estimates that some overlap exists between datasets, but even conservative estimates suggest billions of distinct login records are involved. The largest single collection, linked to a Portuguese-speaking population, holds over 3.5 billion records. Others are named generically (such as _“logins”_ or _“credentials”_) while some reference specific services like Telegram or locations such as the Russian Federation.
Who’s Behind It and Who’s Affected?
The origin of these leaked datasets remains murky. Some may have been compiled by cybercriminals intent on launching mass-scale phishing or credential stuffing attacks, while others could belong to grey-hat researchers aggregating leaked data for academic or threat intelligence purposes. The absence of clear attribution, however, makes them no less dangerous.
Cybersecurity experts have warned that even if only a fraction of the 16 billion records are actively exploited, the consequences could be severe. Identity theft, business email compromise (BEC), unauthorised access to cloud services, ransomware attacks, and financial fraud are all plausible next steps.
A significant concern is that many users still reuse the same password across multiple sites (known as ‘password sharing’). Attackers often employ credential stuffing, a tactic that involves testing stolen username/password pairs against a wide range of sites, hoping users have reused credentials elsewhere.
The impact is unlikely to be limited to individual consumers. Businesses, particularly those lacking multi-factor authentication (MFA) or modern password management practices, are at risk of full-scale account takeovers. These in turn could lead to data theft, service disruption, or reputational damage.
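From the defender’s side, credential stuffing has a recognisable shape in authentication logs: a single source address failing against many different accounts in a short window, rather than one user fumbling their own password. The script below is an added example, not from the article or any vendor; it implements that per-source sliding-window rule over a constructed log sample and also records any account that then logged in successfully from a flagged source, which is the sign that a reused password worked.

```python
"""Sliding-window detection of credential stuffing in authentication logs.
Added example; the log format, addresses and accounts are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one stuffing burst that ends in a successful login,
# one legitimate user retyping their own password, and one slow source
# that never crosses the threshold inside the window.
SAMPLE_LOG = """\
2025-07-01T10:00:01Z src=203.0.113.7 user=alice@example.com result=FAIL
2025-07-01T10:00:02Z src=203.0.113.7 user=bob@example.com result=FAIL
2025-07-01T10:00:03Z src=203.0.113.7 user=carol@example.com result=FAIL
2025-07-01T10:00:04Z src=203.0.113.7 user=dave@example.com result=FAIL
2025-07-01T10:00:05Z src=203.0.113.7 user=erin@example.com result=FAIL
2025-07-01T10:00:06Z src=203.0.113.7 user=frank@example.com result=OK
2025-07-01T10:01:00Z src=198.51.100.20 user=alice@example.com result=FAIL
2025-07-01T10:01:30Z src=198.51.100.20 user=alice@example.com result=FAIL
2025-07-01T10:02:00Z src=198.51.100.20 user=alice@example.com result=OK
2025-07-01T09:00:00Z src=192.0.2.5 user=gina@example.com result=FAIL
2025-07-01T09:20:00Z src=192.0.2.5 user=henry@example.com result=FAIL
2025-07-01T09:40:00Z src=192.0.2.5 user=ivy@example.com result=FAIL
malformed line
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_event(line):
    """Return (timestamp, src, user, succeeded) or None for unparseable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["user"].lower(), m["result"] == "OK"


def detect_stuffing(lines, window=timedelta(minutes=10), min_distinct_users=5):
    """Flag sources whose failures hit >= min_distinct_users distinct accounts
    inside a sliding window; also record accounts that later succeeded from
    a flagged source (probable takeover via a reused password)."""
    events = sorted(e for e in map(parse_event, lines) if e is not None)
    recent = defaultdict(deque)   # src -> (ts, user) failures inside the window
    peak = defaultdict(int)       # src -> most distinct failed users seen at once
    flagged = set()
    successes_after_flag = defaultdict(set)
    for ts, src, user, succeeded in events:
        q = recent[src]
        while q and ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if succeeded:
            if src in flagged:
                successes_after_flag[src].add(user)
            continue
        q.append((ts, user))
        distinct = len({u for _, u in q})
        peak[src] = max(peak[src], distinct)
        if distinct >= min_distinct_users:
            flagged.add(src)
    return {
        "flagged": sorted(flagged),
        "peak_distinct_failed_users": dict(peak),
        "successes_after_flag": {s: sorted(u) for s, u in successes_after_flag.items()},
    }


if __name__ == "__main__":
    report = detect_stuffing(SAMPLE_LOG.splitlines())
    for src in report["flagged"]:
        hits = report["successes_after_flag"].get(src, [])
        print(f"{src}: stuffing pattern, {report['peak_distinct_failed_users'][src]} "
              f"accounts in window; successful logins afterwards: {hits or 'none'}")
```

A per-source rule like this catches the naive case only; stuffing spread across a proxy pool shows up instead as many accounts each receiving one failure, so the same window logic is usually also run per target account or per network range. Accounts listed under successes_after_flag are the ones to reset and have their sessions revoked first.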
What Tech Companies and Security Experts Are Saying
So far, most affected companies have not issued individual statements, probably because the breach is not tied to a specific platform or service – the leak is an aggregation of credentials siphoned off via malware over time.
However, the Cybernews team and other researchers have voiced serious concern. _“Credential leaks at this scale are fuel for phishing campaigns, ransomware intrusions, and business email compromise,”_ the team said in its public briefing. _“The inclusion of both old and recent infostealer logs – often with tokens, cookies, and metadata – makes this data particularly dangerous for organisations lacking multi-factor authentication or credential hygiene practices.”_
Security vendor Malwarebytes described the incident as _“a wake-up call”_ for both users and companies. _“This is a stark reminder that infostealer malware remains an enormous threat and that misconfigured cloud services continue to expose sensitive data at scale.”_
More of a ‘Combolist’
Some experts have cautioned against treating the breach as a single event, noting that it is better understood as a massive combolist, i.e., a curated aggregation of multiple smaller leaks. Even so, the potential for harm remains high.
Why This Breach Is Different and What Comes Next
Unlike older breaches, which often contain outdated or previously exposed data, these records are mostly new. Only one of the 30 datasets had been reported before (a 184 million-entry trove covered by Wired in May). The rest have emerged only recently, some in the last few weeks, suggesting that infostealer activity is ongoing and highly active.
Not Indexed Yet
Compounding the risk, at least for now (it is still early days since the discovery), is a lack of visibility. Many of the exposed credentials have not yet been indexed by breach monitoring services or browser alert systems, so users are not being automatically notified if their details are among those leaked.
Also, because the databases were reportedly only briefly exposed, researchers say they could not determine who held or uploaded the data, nor whether it has already been downloaded or traded on criminal forums.
What Should Users and Businesses Do Now?
For individual users, the recommendations are fairly straightforward but urgent, and they largely echo standard good practice after any breach. For example:
– Immediately change passwords on any accounts using duplicated or weak credentials.
– Use a password manager to generate and store complex, unique passwords for every service.
– Enable multi-factor authentication (MFA) wherever possible.
– Monitor for phishing emails or unusual account activity, especially logins from unfamiliar locations or devices.
– Run antivirus and anti-malware tools to scan for potential infostealers on your system.
For businesses, the stakes are higher. Implementing stronger access controls, requiring MFA across all services, and deploying endpoint detection tools are worthwhile steps. Regular audits of privileged access accounts, secure cloud configurations, and employee training on phishing threats are also essential.
Experts also recommend checking employee and corporate credentials against breach monitoring services such as Have I Been Pwned or Cybernews’ Leaked Database Checker.
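Checking a password against Have I Been Pwned does not require sending the password, or even its full hash, to anyone. The Pwned Passwords range API works on k-anonymity: the client sends only the first five hex characters of the uppercase SHA-1 of the password to https://api.pwnedpasswords.com/range/ and receives every matching suffix with its count, and the comparison happens locally. The script below is an added example, not Cybernews’ or HIBP’s own code; the network function follows that public contract (including the real Add-Padding request header, whose count-0 padding entries must be ignored), while CONSTRUCTED_RANGE_5BAA6 is a made-up reply so that the check can run offline. The count in it is invented; only the hash suffix of the word "password" is real.

```python
"""k-anonymity password check against the Pwned Passwords range API.
Added example; CONSTRUCTED_RANGE_5BAA6 is a made-up offline reply."""
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the reply to /range/5BAA6. The middle suffix is the
# real remainder of SHA-1("password"); the count next to it is invented, and
# the last line imitates a padding entry (count 0) that must be treated as absent.
CONSTRUCTED_RANGE_5BAA6 = (
    "A" * 35 + ":3\r\n"
    + "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\r\n"
    + "B" * 35 + ":0\r\n"
)


def split_hash(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_from_range(range_body, suffix):
    """How often the suffix appears according to a range reply; 0 if it is
    absent or present only as a padding entry."""
    suffix = suffix.upper()
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count) if count.strip().isdigit() else 0
    return 0


def fetch_range(prefix):
    """Live lookup of one hash range (network access required)."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "credential-hygiene-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def offline_fetch(prefix):
    """Constructed replacement for fetch_range so the example runs offline."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


def check_password(password, fetch=fetch_range):
    """Return how often the password's hash was seen (0 = not found).

    Only the 5-char prefix leaves the machine; the suffix match is local.
    """
    prefix, suffix = split_hash(password)
    return count_from_range(fetch(prefix), suffix)


if __name__ == "__main__":
    for pw in ("password", "correct-horse-battery-staple-EXAMPLE"):
        n = check_password(pw, fetch=offline_fetch)
        verdict = f"seen {n} times, reject" if n else "not in the range reply"
        print(f"{pw!r}: {verdict}")
```

For an organisation the same function is typically wired into the password-change flow and into a periodic sweep of a directory’s password hashes, rejecting anything with a non-zero count; swap offline_fetch for fetch_range to query the live service.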
Could Big Tech Be Doing More?
Looking at where many of these stolen credentials came from, it’s perhaps not surprising that there is growing pressure on tech platforms to go beyond offering MFA as an optional feature. Some experts are calling for default-on MFA policies, improved session token management, and better user alerts for credential misuse. Others suggest that browser makers could more aggressively warn users about unsafe passwords, even when stored locally.
Cloud service providers also face scrutiny. Fo