World's Largest Credential Leak
Last Updated: July 4th, 2025 | 8 min read | Categories: Breach, Cybersecurity, Privacy

In June 2025, cybersecurity researchers uncovered a colossal credential leak, exposing 16 billion stolen login credentials across 30 separate databases – the largest such breach on record. The trove, discovered by the Cybernews research team, appears to originate from a cocktail of infostealer malware logs, credential-stuffing compilations, and repackaged old leaks. The exposed records are structured by website URL, username, and password, granting potential access to virtually every type of online service, from Apple, Google, and Facebook accounts to VPNs, developer portals, and even government platforms. 

In other words, almost nothing was left out of this breach. Unlike the recycled credential dumps of the past, many of these records (though not all) come straight from recent infostealer malware logs and include active session tokens, authentication cookies, and other metadata that make them immediately useful to attackers. With over 16 billion credentials now in circulation, threat actors have unprecedented access for account takeovers, identity theft, and highly targeted phishing campaigns at an industrial scale. The inclusion of up-to-date infostealer data is particularly dangerous – any organization not enforcing strong password hygiene and multi-factor authentication (MFA) could be one reused password away from a serious breach.

How Infostealers Work and What They Steal

Infostealers are a class of malware built to covertly siphon sensitive information from infected devices. Once an infostealer infiltrates a system, it typically scours the device for valuable data like saved login credentials, system information, and even financial details. This malware type primarily targets data stored in web browsers and applications. For example, they can pilfer stored usernames and passwords, browser cookies that keep users logged in, autofill data, and credit card numbers. A lot of infostealers also comb through files on disk looking for things like cryptocurrency wallet keys, authentication token files, VPN logins, cloud service keys, and personal information (IDs, addresses, etc.). By stealing authentication cookies or tokens, attackers can sometimes bypass MFA by hijacking active sessions. 

Once collected, the stolen data is quietly exfiltrated from the victim’s machine to the attacker’s command-and-control (C2) server or cloud storage. There it is compiled into data batches often referred to as “logs”. A popular underground economy exists to sell and trade these infostealer logs on dark web forums and illicit marketplaces. Infostealer operations often run as malware-as-a-service (MaaS): cybercriminal developers offer ready-made infostealer kits (RedLine Stealer, Raccoon, Vidar, and others) to affiliates, who then distribute the malware widely. The affiliates in turn receive caches of stolen data (logs) from each infected machine, and these logs are sold in bulk on platforms like Telegram channels or dark web sites.

Phishing, Malvertising, and Paths to Access

In practice, attackers employ a variety of infection vectors, often relying on social engineering and the abuse of legitimate web services. Phishing emails with booby-trapped attachments or links remain a primary method: an unsuspecting user clicks a file (disguised as a document, installer, or invoice) and unknowingly runs the infostealer malware. Another major avenue is malvertising: cybercriminals embed malicious ads or search engine results that redirect users to malware downloads. 

One campaign illustrates the scale of these tactics: Microsoft Threat Intelligence reported a large malvertising operation in late 2024 that attempted to deploy info-stealing malware to nearly one million devices globally. In that case, illegal streaming websites were seeded with malicious ads that funneled viewers through a chain of redirects, ultimately tricking them into downloading an infostealer hosted on platforms like GitHub. 

The campaign targeted both consumers and enterprises indiscriminately, showing how attackers leverage popular lures (like free movies or software) to infect a broad victim pool. Beyond ads and emails, threat actors also use SEO poisoning (creating fake pages that rank high on search results for popular downloads), malicious browser extensions, and dropper malware that plants infostealers as a second-stage payload. The common theme is exploiting trust and curiosity, whether via a convincing email or a tempting free download, to execute the stealer on the victim’s device.

From Stolen Data to Large Leaks


The aftermath of an infostealer infection extends far beyond the initial victim. Once credentials and data are stolen en masse, they feed into a larger cybercrime ecosystem. Aggregated leaks like the 16 billion-record breach are a direct result of infostealer operations funneling countless individual logs into collective databases over time. In the recent 16B case, researchers discovered 30 huge datasets exposed on unsecured cloud servers, averaging over 500 million records each, which had been compiled from separate malware campaigns. 

Some of these databases likely represent the inventory of criminal groups accumulating stolen data, which either got leaked or was being readied for sale. Cybercriminals merge fresh infostealer logs with older breach lists and credential dumps, creating these mega-databases that are then traded, sold, or sometimes accidentally left exposed online.

Armed with stolen logins, attackers can automate credential stuffing attacks to hijack accounts on other platforms (because many people reuse passwords). They can create highly targeted phishing emails or scams using personal details to increase credibility. Access to a single employee’s login from an infostealer log can provide a foothold for a larger network breach or ransomware attack.

The 16 billion record leak, for instance, included not only passwords but also session cookies and MFA tokens in some cases. Such data allows criminals to bypass security measures and impersonate users directly, drastically increasing the success rate of follow-on attacks. In essence, infostealer malware has become a key supplier of the raw materials (credentials and identity data) that enable the wider cybercriminal operations we see today. Without better protection, new massive datasets will continue to emerge every few weeks as infostealer infections proliferate.

BlackFog’s Defensive Approach

Given the pervasive threat of infostealers, defense can’t rely on just cleaning up after breaches – organizations need to prevent data theft at the source. This is where on-device defense and anti data exfiltration strategies come into play. One example is BlackFog’s solution, which focuses on blocking outbound data theft and unwanted trackers directly on the endpoint. BlackFog’s approach is proactive: it continuously monitors all outgoing traffic from a device and blocks any unauthorized data transfers in real time, effectively stopping infostealers from exfiltrating stolen information. 

In simple terms, it ensures that what happens on your device stays on your device – even if malware manages to infiltrate, it cannot phone home with your passwords or personal files. This kind of outbound protection is important, because a lot of malware strains operate stealthily and may evade traditional antivirus detection. By focusing on the behavior (data exfiltration) rather than just known malware signatures, on-device solutions like BlackFog can neutralize new or fileless infostealers before any damage is done.

Another key aspect is cutting off the avenues that infostealers use to spread and gather data. BlackFog’s defense includes measures to prevent web-based profiling and malvertising from compromising user privacy. BlackFog blocks over 99% of web advertisements, shutting down a major distribution channel for malware. This reduces exposure to malvertising campaigns and drive-by download attacks. BlackFog also thwarts background data collection by web trackers and profilers, so that third-party advertisers (or hidden scrapers) cannot harvest sensitive information from devices.

In order to get started, schedule a demo with BlackFog to protect against infostealer breaches.
