In June 2025, security researchers discovered what might be the single largest collection of stolen credentials ever assembled. Over 16 billion passwords and login combinations from Google, Apple, Facebook, and thousands of other platforms were compiled into one massive dump and released on criminal forums.
To put that in perspective, there are about 8 billion people on Earth. This leak contained two passwords for every human alive.
> Where Did 16 Billion Passwords Come From?
This was not a single hack. It was a compilation. Years of stolen data from multiple sources all stitched together into one searchable database. The credentials came from three main places:
Infostealer malware. These are programs that silently install on your computer or phone and record every password you type. They steal saved passwords from your browser, session cookies from your apps, and autofill data from your password manager. The malware often arrives through cracked software downloads, fake browser extensions, or phishing links.
Prior data breaches. Every major breach from the last decade contributed: LinkedIn, Adobe, Dropbox, MyFitnessPal, Canva, and hundreds of others. Old passwords that people never changed got rolled into this collection.
Phishing kits. Automated phishing operations that send millions of fake login pages every day. When someone enters their credentials on a fake Google or Facebook login page, those details go straight to the attacker's database.
> Why This Matters Even If You Changed Your Password
You might think you are safe because you changed your password last year. But infostealers do not just grab passwords. They grab session tokens. A session token is what keeps you logged into a website without typing your password every time. If an attacker has your session token, they can access your account without ever knowing your password. Changing your password does not always invalidate old session tokens.
The other problem is password reuse. Studies show that 65% of people use the same password across multiple accounts. If your Gmail password from 2019 is in this dump, and you used that same password for your bank, your crypto exchange, or your work email, all of those accounts are now vulnerable.
> What Criminals Do With This Data
They do not sit there manually trying passwords one by one. They use automated tools called credential stuffing bots. These bots take email and password pairs and try them against hundreds of websites simultaneously: banks, streaming services, shopping sites, crypto platforms. The success rate is typically 0.1% to 2%, which sounds low until you realize that 2% of 16 billion is 320 million successful account takeovers.
Compromised accounts get used for financial fraud, identity theft, and launching further phishing attacks, or are simply sold to other criminals. A working Netflix account sells for about $3. A working bank login sells for $50 to $500 depending on the balance.
> Protect Yourself Right Now
1. Use a password manager. Generate unique passwords for every single account. If one gets compromised, the rest stay safe.
2. Enable two-factor authentication everywhere. Even if someone has your password, they cannot get in without the second factor. Use an authenticator app, not SMS (SIM swapping makes SMS codes unreliable).
3. Check what is already exposed. You cannot fix what you do not know about. Run a scan on your name and email to see which breaches have already caught your data.
4. Log out of old sessions. Most platforms let you view active sessions and sign out of all devices. Do this periodically, especially after a major breach like this one.
5. Stop reusing passwords. Seriously. This is the number one reason credential dumps work. One leaked password should not compromise your entire digital life.
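The point made earlier about session tokens surviving a password change, and step 4 above, both come down to one design decision on the server side: a password change or a "sign out everywhere" action must bump something that every existing token is checked against. Below is an added example (not code from the article) showing that pattern with an in-memory user store and HMAC-signed tokens that embed a per-user session generation counter; the store, key handling and token layout are assumptions for illustration.

```python
"""Session generation check: password change invalidates every existing session.

Added example (not from the article). Assumed: an in-memory user store and
HMAC-signed session tokens; a real deployment would use a database and a
server-side session store, but the invalidation logic is the same.
"""
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # would come from a secrets manager

# user record: password hash, salt, and a session generation counter
USERS = {}

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def create_user(name: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[name] = {"salt": salt, "pw": _hash_pw(password, salt), "gen": 0}

def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), "sha256").hexdigest()

def issue_session(name: str) -> str:
    """Token embeds the user's current session generation plus a nonce (no colons in names)."""
    payload = f"{name}:{USERS[name]['gen']}:{secrets.token_hex(8)}"
    return f"{payload}:{_sign(payload)}"

def session_valid(token: str) -> bool:
    try:
        name, gen, nonce, sig = token.split(":")
    except ValueError:
        return False
    payload = f"{name}:{gen}:{nonce}"
    if not hmac.compare_digest(_sign(payload), sig):
        return False  # forged or tampered token
    user = USERS.get(name)
    # reject tokens minted under an older generation
    return user is not None and int(gen) == user["gen"]

def change_password(name: str, old: str, new: str) -> bool:
    user = USERS[name]
    if not hmac.compare_digest(_hash_pw(old, user["salt"]), user["pw"]):
        return False  # wrong current password: nothing changes
    user["salt"] = secrets.token_bytes(16)
    user["pw"] = _hash_pw(new, user["salt"])
    user["gen"] += 1  # this is what logs out every existing session
    return True

def logout_everywhere(name: str) -> None:
    USERS[name]["gen"] += 1  # the "sign out of all devices" button
```

Any token issued before the counter moved fails `session_valid`, which is exactly the behaviour a stolen infostealer token should run into after the victim changes their password.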