16 billion logins and passwords leaked: researchers found the largest databases collected by infostealers
Researchers at Cybernews have discovered 30 public databases holding a total of more than 16 billion records with user credentials. The data includes website addresses (URLs), logins and passwords, mostly stolen by keylogger malware known as infostealers.
Here's What We Know
The largest of the databases contained more than 3.5 billion records. The second largest had 455 million rows, and the so-called "Russian database" had about 445 million. The data was publicly accessible because of improperly configured Elasticsearch storage, public buckets and other poorly protected sources.
Among the discovered records are tens of millions of accounts from popular platforms including Apple, Facebook, Google, Gmail, Yahoo and Microsoft. Experts warn that these databases can be used for credential stuffing attacks (trying stolen login-password pairs on other sites where the user reused the same password), phishing, and business email compromise (BEC).
Cybernews previously reported on the leak of 184 million login-password pairs in May 2024, but the new findings are dozens of times larger.
The only recommendation to users is to change passwords, enable two-factor authentication and, of course, not click on dodgy links.
Source: Cybernews