This isn’t just another routine data leak. Over 16 billion usernames and passwords—spanning Google, Facebook, Apple, GitHub, Telegram, government portals, and more—were just dumped on the web. If you thought your login was safe, think again.
Caught by researchers at Cybernews, this trove of exposed data came from infostealer malware—a sneaky type of software that silently harvests every piece of sensitive info it finds on infected devices. Instead of a breach from one big company, this disaster is a mosaic: billions of credentials scraped from individual users all over the world, bundled with login URLs, and, in many cases, extra goodies like browser cookies and session tokens.
The malware isn’t picky. If you use the same computer to check your personal email, shop online, or log into work tools—any service, really—your accounts could be in that pile. One twist that’s seriously worrying security pros: lots of stolen sessions let attackers waltz right in, bypassing two-factor authentication altogether, especially if companies don’t reset tokens when a password is changed.
Picture this like a data gold rush for cybercriminals. What makes this leak different? It isn’t old, recycled stuff. Experts say these records are new—the result of ongoing info-stealing campaigns. It’s not just the sheer scale (16 billion-plus) that’s stunning, but the timing: new stashes like this show up every few weeks now. The tools to steal info have improved, and so has the volume of data getting scooped up.
Many records aren’t just simple username-password combos. They often include the specific URL a person logged into, session data, and—crucially—cookies. Those bits can help hackers step around security protections or launch more convincing phishing attacks. The breach isn’t just a massive headache for regular folks; companies and government agencies are seeing their portals targeted, too.
Wondering what to do? Security researchers strongly recommend changing passwords everywhere—seriously, everywhere—and never reusing the same one across services. Enabling multi-factor authentication (MFA) is a must, but know its limits; if session tokens are floating around, even MFA isn’t a total shield. Keep an eye on unfamiliar logins or account changes. Any weird alerts from your services? Take them seriously.
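The caveat above, that a password change only helps if the service also invalidates existing sessions, is easy to see in code. The following is an added illustration, not code from Cybernews or from any of the services named in the article. It models one common server-side approach, assumed here rather than taken from the article: each user record carries a session generation counter, every issued session token is stamped with the generation current at login, and a password change increments the counter so that any token issued earlier (including one an infostealer already exfiltrated) is rejected on its next use. The `AuthStore` class, its method names and the in-memory stores are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Added example: constructed in-memory stores standing in for a user database
# and a server-side session store. Not the code of any real service.


class AuthStore:
    def __init__(self):
        # username -> {"salt", "pw_hash", "session_gen"}
        self.users = {}
        # token -> {"user", "gen", "issued"}
        self.sessions = {}

    @staticmethod
    def _hash(password, salt):
        # Salted PBKDF2-HMAC-SHA256; iteration count kept modest for the demo.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "pw_hash": self._hash(password, salt),
            "session_gen": 0,
        }

    def login(self, username, password):
        user = self.users.get(username)
        if user is None:
            return None
        if not hmac.compare_digest(user["pw_hash"], self._hash(password, user["salt"])):
            return None
        # The token is stamped with the generation current at login time.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {
            "user": username,
            "gen": user["session_gen"],
            "issued": time.time(),
        }
        return token

    def validate(self, token):
        """Return the username for a live session token, or None."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        user = self.users[sess["user"]]
        if sess["gen"] != user["session_gen"]:
            # Issued before the last password change: treat as revoked.
            del self.sessions[token]
            return None
        return sess["user"]

    def change_password_weak(self, username, new_password):
        # The behaviour the article warns about: the stored hash changes, but
        # every session issued earlier, stolen or not, keeps working.
        user = self.users[username]
        user["pw_hash"] = self._hash(new_password, user["salt"])

    def change_password(self, username, new_password):
        # Hardened version: fresh salt, new hash, and a bumped generation so
        # that all pre-existing sessions fail validation on next use.
        user = self.users[username]
        user["salt"] = secrets.token_bytes(16)
        user["pw_hash"] = self._hash(new_password, user["salt"])
        user["session_gen"] += 1


def demo():
    """Walk through both behaviours with a constructed 'stolen' token.

    Returns (stolen token still valid after weak change,
             stolen token still valid after hardened change,
             fresh login after hardened change works).
    """
    store = AuthStore()
    store.register("alice", "correct horse battery staple")
    # A token an infostealer could have lifted from the browser's cookie jar.
    stolen = store.login("alice", "correct horse battery staple")

    store.change_password_weak("alice", "new-password-1")
    after_weak = store.validate(stolen) == "alice"

    store.change_password("alice", "new-password-2")
    after_hardened = store.validate(stolen) == "alice"

    fresh = store.login("alice", "new-password-2")
    fresh_ok = store.validate(fresh) == "alice"
    return after_weak, after_hardened, fresh_ok


if __name__ == "__main__":
    print(demo())  # expected: (True, False, True)
```

The generation counter is what turns "I changed my password" into "every device and every copied cookie is logged out"; the same counter can be bumped from a "sign out everywhere" button or by an administrator during incident response, without having to enumerate and delete individual tokens.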
The biggest tech players, from Google to Meta, now push passwordless logins. Methods like passkeys ditch the old password approach for safer options, reducing the risk from these colossal leaks. The lesson? Passwords, even long ones, are growing less reliable every day. Password security needs to evolve, and quickly, as criminals ramp up their game with every fresh breach.