16 Billion Credentials Leaked: Why Password-Only Auth Is Dead
If you have a password — and you almost certainly do — there is a reasonable chance it is now sitting in a dataset of 16 billion stolen credentials currently circulating on the internet. In mid-2025, researchers at Cybernews uncovered more than 30 exposed datasets containing over 16 billion username-password combinations, harvested over years by infostealer malware and aggregated from historical breaches. The data spans major platforms: Google, Apple, Facebook, GitHub, Telegram, Microsoft, and government services worldwide.
This is not a story about a single breach. It is a story about an industrialized supply chain of stolen identity — one that is powering ransomware attacks, account takeovers, and fraud at a scale the internet has never seen before. And it forces a question that the security industry has been dodging for years: Is password-only authentication finally dead?
What Exactly Is the 16 Billion Credential Leak?
Unlike the massive breaches of the past — Yahoo's 3 billion, Collection #1's 773 million — this is not the result of a single company being compromised. Instead, it is a compilation. Infostealer malware such as Vidar, RedLine, Raccoon, and Lumma Stealer have been quietly harvesting login credentials from infected personal computers for years. The stolen data was then aggregated with credentials from earlier public breaches and compiled into datasets that were ultimately hosted openly online.
As Hedgehog Security noted in their analysis, this compilation dwarfed Collection #1 by a factor of 20. The earlier 3.2 billion compilation from 2021 — once considered a catastrophic event — is now less than a quarter of this dataset. The implications are staggering: a significant proportion of every internet user's passwords are now available to attackers in a single, easily accessible package.
The primary victims are not just consumers. According to F5's analysis of the leak, credentials tied to corporate SaaS platforms, cloud services, and enterprise VPNs were prominently represented — making this a direct supply chain for corporate network intrusion.
How Do Infostealers Work, and Why Are They So Effective?
Infostealer malware is designed to do one thing: silently extract sensitive data from an infected machine. It targets web browsers — Chrome, Firefox, Edge, Safari — where users store saved passwords, autofill data, session cookies, and credit card information. Many variants also harvest cryptocurrency wallets, take screenshots, and log keystrokes to capture typed passwords.
According to research from DeepStrike, infostealer activity surged 84% year-over-year in 2024, with 1.8 billion credentials stolen from 5.8 million infected hosts in the first half of 2025 alone — an 800% increase compared to previous years. The Flashpoint 2025 Global Threat Intelligence Index confirmed this trend, reporting that ransomware incidents rose 179% and data breaches increased 235% in the first six months of 2025, with credential theft serving as the primary enabler.
The business model is alarmingly efficient. Stealer logs sell for $1 to $100 each on dark web marketplaces and Telegram channels. Initial access brokers comb through these logs looking for corporate credentials, then sell network access to ransomware operators for $500 to $2,700. More than 54% of ransomware victims in 2024–2025 had their domain credentials appear in infostealer dumps before the attack — often within 48 hours of the initial theft.
The dominant malware families in 2025 include Lumma Stealer (the most prevalent, with advanced anti-sandbox evasion), RisePro (approximately 23% of infections), and StealC (approximately 13%). After the takedown of the once-dominant RedLine Stealer, these new families quickly filled the void — demonstrating the resilience and adaptability of the infostealer ecosystem.
Why MFA Alone Isn't Enough Anymore
The standard advice for years has been straightforward: enable multi-factor authentication. And MFA does help — significantly. But infostealers have evolved to bypass it.
The key technique is session cookie hijacking. When an infostealer harvests browser data, it does not just grab passwords — it steals session cookies and authentication tokens. By replaying these cookies, an attacker can access an account directly without needing the password or completing an MFA challenge. In 2024 alone, malware lifted more than 17 billion browser cookies, including authentication tokens.
Beyond cookie theft, attackers deploy MFA fatigue attacks — bombarding users with repeated push notifications until they approve one out of frustration. They exploit fallback flows like password resets and SMS-based recovery, which are often less protected than the primary login path.
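The replay described above is detectable on the server side if a session is bound to the device that completed MFA. Added example, not from the article or any vendor: the log format, session ids, addresses and user agents are all constructed.

```python
# Constructed log (not from any real product): 'ts key=value ...' records,
# one MFA-completed login per session id followed by later requests.
SAMPLE_LOG = """\
2025-07-01T09:00:00Z sid=a1f3 user=alice ip=203.0.113.10 ua=Chrome/126 event=login_mfa_ok
2025-07-01T09:05:00Z sid=a1f3 user=alice ip=203.0.113.10 ua=Chrome/126 event=request
2025-07-01T09:20:00Z sid=a1f3 user=alice ip=198.51.100.77 ua=python-requests/2.32 event=request
2025-07-01T09:21:00Z sid=a1f3 user=alice ip=198.51.100.77 ua=python-requests/2.32 event=request
2025-07-01T10:00:00Z sid=b7c9 user=bob ip=192.0.2.5 ua=Firefox/128 event=login_mfa_ok
2025-07-01T10:30:00Z sid=b7c9 user=bob ip=192.0.2.44 ua=Firefox/128 event=request
2025-07-01T11:00:00Z sid=ffff user=carol ip=198.51.100.77 ua=curl/8.5 event=request
"""

def parse_line(line):
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = ts
    return rec

def detect_replay(log):
    """One alert per (sid, ip, ua) that departs from the fingerprint bound at
    login. A changed User-Agent is 'high' (a replayed cookie is usually driven
    by a script, not the victim's browser); an IP change alone is 'low'
    (mobile roaming, VPN, NAT). A cookie with no observed login is 'high'."""
    bound, alerts, reported = {}, [], set()
    for line in log.splitlines():
        r = parse_line(line)
        if r["event"] == "login_mfa_ok":          # bind session to device
            bound[r["sid"]] = (r["ip"], r["ua"])
            continue
        origin = bound.get(r["sid"])
        if origin is None:
            severity, reason = "high", "cookie used without an observed login"
        elif origin[1] != r["ua"]:
            severity, reason = "high", "user-agent changed from " + origin[1]
        elif origin[0] != r["ip"]:
            severity, reason = "low", "ip changed from " + origin[0]
        else:
            continue                              # same device as at login
        key = (r["sid"], r["ip"], r["ua"])
        if key not in reported:                   # report each new device once
            reported.add(key)
            alerts.append({"sid": r["sid"], "user": r["user"], "ip": r["ip"],
                           "ts": r["ts"], "severity": severity, "reason": reason})
    return alerts
```

A high-severity hit on a session is the point at which a defender would revoke that session server-side rather than only alert.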
According to F5's 2025 Advanced Persistent Bots Report, nearly one-third of all login attempts across their customer base were made using leaked credentials. Bots now account for over 10% of all web and API traffic, with credential stuffing and account takeover among the most common attack flows. Even organizations that have deployed MFA are not immune.
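Credential stuffing leaves two statistical fingerprints in a login log: one source trying many accounts (mostly failing, since stuffed lists are stale) and one account probed from many sources. Added example, not from the article or F5: the log lines, thresholds and window are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
MIN_USERS_PER_IP, MIN_IPS_PER_USER, MIN_FAIL_RATIO = 5, 3, 0.8

# Constructed: one source spraying five accounts (one hit), one account probed from three sources, one normal user.
SAMPLE_LOG = """\
2025-07-01T12:00:00Z ip=198.51.100.9 user=u1 result=fail
2025-07-01T12:00:02Z ip=198.51.100.9 user=u2 result=fail
2025-07-01T12:00:04Z ip=198.51.100.9 user=u3 result=fail
2025-07-01T12:00:06Z ip=198.51.100.9 user=u4 result=ok
2025-07-01T12:00:08Z ip=198.51.100.9 user=u5 result=fail
2025-07-01T12:01:00Z ip=203.0.113.1 user=carol result=fail
2025-07-01T12:02:30Z ip=203.0.113.2 user=carol result=fail
2025-07-01T12:04:00Z ip=203.0.113.3 user=carol result=fail
2025-07-01T12:05:00Z ip=192.0.2.5 user=alice result=ok
"""

def parse(line):
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec

def max_distinct_in_window(recs, key):
    """Largest number of distinct rec[key] values inside any WINDOW-long span."""
    recs = sorted(recs, key=lambda r: r["ts"])
    best, lo = 0, 0
    for hi, r in enumerate(recs):
        while r["ts"] - recs[lo]["ts"] > WINDOW:   # slide the window forward
            lo += 1
        best = max(best, len({x[key] for x in recs[lo:hi + 1]}))
    return best

def detect_stuffing(log):
    """Return ('fan_out', ip, n_users) and ('fan_in', user, n_ips) alerts."""
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for r in map(parse, log.splitlines()):
        by_ip[r["ip"]].append(r)
        by_user[r["user"]].append(r)
    alerts = []
    for ip, recs in by_ip.items():   # many accounts from one source, mostly failing
        fail_ratio = sum(r["result"] == "fail" for r in recs) / len(recs)
        users = max_distinct_in_window(recs, "user")
        if users >= MIN_USERS_PER_IP and fail_ratio >= MIN_FAIL_RATIO:
            alerts.append(("fan_out", ip, users))
    for user, recs in by_user.items():   # one account from many sources
        ips = max_distinct_in_window(recs, "ip")
        if ips >= MIN_IPS_PER_USER:
            alerts.append(("fan_in", user, ips))
    return alerts
```

The fan-in signal is what catches distributed, low-and-slow stuffing that per-IP rate limits never see.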
What Organizations and Individuals Should Do Now
The first step is a mindset shift: assume every password is already compromised. This is not paranoia — it is the operational reality of 2025. With 16 billion credentials in circulation, the question is not whether your password has been leaked, but whether anyone has tried to use it yet.
For organizations:
- Enforce phishing-resistant MFA — passkeys, FIDO2 hardware tokens, and platform authenticators that cannot be harvested by infostealers. SMS-based OTP is no longer sufficient.
- Monitor dark web markets and stealer log repositories for corporate credential exposure. If your employees' credentials appear in these dumps, you need to know before attackers do.
- Deploy bot management and credential stuffing detection on login endpoints. Rate limiting and CAPTCHA are no longer sufficient on their own.
- Prioritize endpoint detection tuned to credential theft behaviors. 46% of infostealer-infected devices were personal or BYOD devices used for work.
- Reduce reliance on saved browser passwords — these are the primary target of infostealers.
For individuals:
- Use a password manager with unique, random passwords for every account. Credential reuse is what makes compilation leaks devastating.
- Enable hardware-based MFA where available (YubiKey, Apple Face ID passkeys, Google Titan).
- Check whether your credentials appear in breach databases using services like Have I Been Pwned.
- Be wary of phishing emails, fake browser updates (the ClickFix scam), and unsolicited software downloads — these are the primary infection vectors for infostealers.
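The breach-database check recommended above (and the corporate exposure monitoring in the organizational list) can be done without sending the password anywhere, using the k-anonymity scheme of Have I Been Pwned's Pwned Passwords API. Added example, not the service's own code: the leaked corpus and its counts are constructed, and the server reply is simulated locally instead of fetched.

```python
import hashlib

PREFIX_LEN = 5   # only these hex characters of the SHA-1 leave the client

def split_hash(password):
    """SHA-1 of the password as uppercase hex, split into (prefix, suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]

def range_url(prefix):
    """The k-anonymity endpoint; the full hash is never sent."""
    return "https://api.pwnedpasswords.com/range/" + prefix

def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines. With the Add-Padding header the server also
    returns zero-count decoy lines, which are dropped here."""
    seen = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if suffix and count.isdigit() and int(count) > 0:
            seen[suffix] = int(count)
    return seen

def breach_count(password, range_body):
    """How often the password appears in the range reply (0 = not found)."""
    _, suffix = split_hash(password)
    return parse_range(range_body).get(suffix, 0)

def fake_range_body(prefix, leaked):
    """Constructed stand-in for the server reply for one prefix: real suffixes
    of the 'leaked' passwords sharing that prefix, plus padding decoys."""
    lines = ["0" * 35 + ":0", "F" * 35 + ":0"]          # padding entries
    for pw, count in leaked.items():
        p, s = split_hash(pw)
        if p == prefix:
            lines.append("%s:%d" % (s, count))
    return "\n".join(lines)

# Constructed corpus: the counts are made up, not HIBP's real figures.
LEAKED = {"password123": 126927, "qwerty": 3946737}

def check(password):
    prefix, _ = split_hash(password)
    body = fake_range_body(prefix, LEAKED)   # in production: HTTP GET range_url(prefix)
    return breach_count(password, body)
```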
Key Takeaways
- 16 billion credentials were found aggregated from infostealer malware and historical breaches, dwarfing all previous compilation leaks by 5–20x.
- Credential theft surged 800% in the first half of 2025, with 1.8 billion credentials stolen from 5.8 million hosts.
- Ransomware rose 179% and data breaches increased 235% in the same period, with credential theft as the primary enabler.
- Over 54% of ransomware victims had their credentials appear in infostealer dumps before the attack, often within 48 hours.
- MFA bypass via session cookie theft is now routine — infostealers harvest billions of authentication tokens alongside passwords.
- Passkeys and phishing-resistant MFA (FIDO2, hardware tokens) are now essential, not optional.
The 16 billion credential leak is not the end of passwords — people will continue to use them for years. But it is the definitive evidence that passwords alone are no longer a security control. They are simply one factor in a multi-layered authentication strategy. Organizations that treat them as sufficient are already compromised — they just don't know it yet.
Cover image by Jaikishan Patel on Unsplash.
Sources:
- Cybernews — 16 billion passwords exposed in colossal data breach
- DeepStrike — Stealer Log Statistics 2025
- DeepStrike — Top Infostealer Malware in 2025
- F5 — 16 Billion Credentials Exposed: Why This Infostealer Leak Demands a Rethink
- Hedgehog Security — Anatomy of a Breach: 16 Billion Credentials
- Flashpoint — 2025 Global Threat Intelligence Index Midyear
- CSO Online — Ransomware up 179%, Credential Theft up 800%
- Have I Been Pwned