Guest Post: Cybersecurity expert: 16 billion passwords leaked – this is one of the largest data breaches in history
Change your passwords now
Several large collections of login and password details from Apple, Facebook, Google, GitHub, Telegram, and other popular platforms and government services have surfaced online. Together they constitute one of the largest leaked datasets in the history of the internet, totaling around 16 billion exposed login credentials.
According to researchers at Cybernews who have been investigating these datasets and leaks, the data most likely originates from various infostealers, credential stuffing sets, and repackaged leaks. But there is no way to check how much data is truly unique. The datasets differ widely by size, geography, and language. For example, one of the biggest sets, containing around 3.5 billion records, seems to be related to the Portuguese-speaking population.
Ignas Valancius, head of engineering at cybersecurity company NordPass, comments:
“Users must be extra careful because information in the leaked datasets opens the door to pretty much any online service, from Facebook and Google to GitHub and Telegram. Even some government platforms were compromised.
“I recommend changing passwords immediately before the threat actors start poking around in your accounts. You need to act fast because platforms like Google, Apple, or Facebook are the gateways to your entire digital life, especially if you store passwords in browsers and don’t use multi-factor authentication (MFA) or passkeys.
“If hackers manage to get their hands on your password for Google, Apple, or Facebook, stealing your money and identity may be easier than taking candy from a three-year-old.
“And I am sure that such cases will occur. The problem is – people reuse passwords. As many as 62% of Americans, 60% of Brits, and 50% of Germans admit doing so across multiple online accounts, our survey shows. People who do reuse passwords should immediately change all of their passwords, not only those that were leaked.
“To check if your or your company’s credentials have been leaked, you can use our online free Dark web monitoring tool or our password manager with its built-in authenticator and credential and credit card monitoring tools.
“I would like to draw your attention to one more thing. After major data leaks, social engineering attacks tend to intensify, at least for a while. Breaches like this will probably expose a lot of people to social engineering attacks. So we all should be a bit more suspicious for some time.
“Be wary of unsolicited emails and messages, even if they seemingly are from Google, your bank, or even the police. If you receive such messages, be extremely careful because links can lead to pages that are designed to steal even more of your data. If you are not sure about the email or a message, it is better not to click on the link.
“Go directly to that company, organization, or agency’s website, log in there (or contact it directly via phone), and check if the message is real. Do not click on any links and do not reveal your data to unknown people calling you.
“And don’t get scared. Keep calm. Cybercriminals prey on confusion and ignorance. They try to scare people, hoping that victims will act on emotion. Don’t do that. Do not click on links that try to scare you or promise you riches.
“In social engineering attacks, threat actors seek to manipulate the emotions of their potential victims instead of targeting technical vulnerabilities. These sophisticated attacks can lead anyone to reveal sensitive data, unknowingly help cybercriminals bypass security measures, or install malware.
“While no one is fully immune to social engineering attacks, awareness and proper training can significantly mitigate risks. Threat actors often combine two elements: time pressure and emotion. Another common social engineering tactic is trying to establish trust with the message recipient. That’s why educating your team about social engineering threats is essential.
“I also recommend turning on multi-factor authentication. Anything – additional confirmation via email or phone, physical security keys, or biometric confirmation – is better than a password alone. And in cases like this, when passwords from digital gatekeepers leak, MFA could be your saving grace.
“Use passkeys wherever possible. Most future-forward websites allow logging in with passkeys, a new and alternative method of online authentication. This technology is currently considered the most promising alternative to passwords and is greatly supported by most tech giants, including Apple, Microsoft, and Google.”
This entry was posted on June 20, 2025 at 10:04 am and is filed under Commentary with tags Nordpass. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.