NEW YORK—A cybersecurity research team has uncovered 30 previously unreported datasets containing more than 16 billion login credentials, including usernames and passwords, exposed online, signaling a pervasive threat from infostealer malware.
The discoveries, made by Cybernews.com researchers, reveal “supermassive datasets” ranging from tens of millions to over 3.5 billion records each. The overall cache presents a “blueprint for mass exploitation,” according to the researchers, who warn that cybercriminals now have “unprecedented access” to credentials for various online services.
“This is fresh, weaponizable intelligence at scale,” Cybernews researchers stated, emphasizing that these are not merely recycled old breaches but current data.
The exposed information, a mix of details from infostealer malware, credential stuffing sets, and repackaged leaks, typically includes a URL, login details, and a password. It encompasses access to a wide array of platforms, from major social media sites like Facebook, Google, Apple, and Telegram to developer portals, VPNs, and government services.
While the datasets were exposed only briefly, long enough for researchers to identify them, the identities of those controlling the vast amounts of data remain unknown. Most were temporarily accessible through unsecured Elasticsearch or object storage instances.
Researchers cautioned that credential leaks of this magnitude fuel various cyberattacks, including phishing campaigns, account takeovers, ransomware intrusions, and business email compromise (BEC) attacks. They specifically highlighted the danger for organizations lacking multi-factor authentication or strong credential hygiene practices, given the inclusion of both old and recent infostealer logs, often with tokens, cookies, and metadata.
The largest individual dataset discovered reportedly contained over 3.5 billion records, possibly related to a Portuguese-speaking population, while another with over 455 million records hinted at Russian Federation origins. On average, each exposed dataset held approximately 550 million records.
The team acknowledged that overlapping records likely exist across the datasets, making it impossible to determine the exact number of unique individuals or accounts affected.
Users are advised to practice basic cyber hygiene, including using strong and frequently changed passwords, and to review their systems for infostealer malware to protect against potential data loss.
This recent discovery follows other major data exposures, including a “Mother of All Breaches” (MOAB) compilation of 26 billion records identified by Cybernews in early 2024, and the RockYou2024 password compilation last summer.