In a revelation that has sent shockwaves across industries, researchers at Cybernews uncovered a staggering 16 billion passwords leaked through 30 unsecured Elasticsearch instances and cloud storage datasets since January 2025. Each dataset ranged from tens of millions to an astonishing 3.5 billion records, making it one of the most significant data breaches ever reported. The leaked credentials have now emerged in underground forums, raising alarm across global cybersecurity networks.
The breach is linked to a combination of infostealer malware, credential stuffing datasets, and recycled leaks from previous cyber incidents. Bernard Montel, Technical Director and Security Strategist at Tenable, clarified the nature of the breach, stating: “Firstly, this is not a new data breach. It’s the result of threat actors’ use of infostealer malware that has silently scraped usernames and passwords during breaches. This data has been bundled, traded, and resurfaced across underground forums. That said, it’s no less concerning.”
Also read: Data Breach Alert – Millions of Android Phones in India Vulnerable
Montel further emphasized the risks posed by such breaches: “Using scripts, threat actors can trawl this treasure trove of information looking for patterns in passwords, but also credential reuse across multiple accounts. The latter is akin to a master key as it suggests the same combination will open multiple doors.”
The implications of this breach are particularly concerning for organizations. If the leaked records correlate with over-privileged identities, they can act as gateways to vast digital resources. Montel highlighted the importance of adopting an identity-first approach, stating: “Identities are the new perimeter given that compromised identities are at the center of nearly every successful cyberattack. Organizations must continuously validate permissions and access to prevent identity-based attacks before they occur.”
Also read: AT&T Data Breach – Nearly 73 Million Users Likely Impacted
For individuals, the leaked datasets serve as a reminder to adopt stronger cybersecurity practices. Users need to update their passwords across platforms and use unique, robust credentials to mitigate the risk of credential stuffing attacks. Links to major login pages, including Facebook, Google, Github, Zoom, and Twitch, among others, were identified within the datasets according to Cybernews. On the other hand, for businesses, this breach reinforces the need for continuous identity validation, least privilege access controls, and regular security audits to mitigate risks posed by leaked credentials.
