16 Billion Leaked Passwords from Apple, Facebook, Google in 2025 Expose Unprecedented Risk, Research Warns

An investigation of the Forbes , updated with statements from security experts, revealed what may be the largest leak of login credentials in the history of the internet: a staggering 16 billion passwords and logins exposed.

The discovery was made by researchers at Cybernews, who have been monitoring the case since the beginning of the year. According to Vilius Petkauskas, a representative of the investigation team, the data was collected from 30 sets of exposed databases, some containing up to 3,5 billion individual records. The total number of leaked credentials is unprecedented.

This information includes social media logins, VPNs, developer portals, email services, and even government platforms, involving virtually every major global technology provider.

The report notes that most of the data had never been reported as part of a previous breach, with the exception of a batch of 184 million passwords that was previously disclosed last month. The analysis indicates that the breach is the result of multiple infostealers, malware that specializes in capturing credentials.

“This is not just a leak – it is a blueprint for mass exploitation,” the researchers warned, noting that the data was structured in a way that makes it easy to carry out phishing attacks and account takeovers.

Darren Guccione, CEO and co-founder of Keeper Security, told Forbes that the scale of this exposure underscores the growing risk: “It’s a reminder of how easy it is for sensitive data to be unintentionally exposed online.” Guccione also warned of the risk of misconfigured cloud environments that could hide other similar databases.

The executive recommended that both consumers and companies adopt strict measures, such as the use of password managers, dark web monitoring tools and the implementation of zero-trust security models. According to him, the focus should be on ensuring that all access to sensitive data is authenticated, authorized and recorded.

For security awareness specialist Javvad Malik of KnowBe4, this moment demands extra attention: “Organizations need to do their part in protecting users, and people must remain vigilant for any attempts to steal credentials.”

The warning is clear: Change your passwords, enable multifactor authentication, and whenever possible, adopt passkeys as an extra layer of protection.

With information from Forbes.