A cache of 16 billion login credentials has been discovered on the dark web, in what researchers say could be the largest data leak on record.
The breach was first reported by Cybernews, a Lithuania-based cybersecurity group that has been tracking the datasets since early this year. The trove includes email addresses, passwords, and account logins linked to social media platforms, developer tools, VPN services, banking systems, and government portals.
Researchers say the data spans 30 separate files, each containing between tens of millions and more than 3 billion records.
“These aren’t recycled breaches,” Cybernews said in a statement. “This is new data, organized and weaponizable at industrial scale.”
The credentials are believed to have been collected by infostealers — malware that extracts saved passwords and login sessions from infected devices.
Early analysis suggests the most affected regions include Portuguese-speaking countries, especially Portugal and Brazil. Other countries, including Italy and the U.S., may also be impacted, though confirmation is still pending.
Many of the records are formatted as URLs paired with usernames and passwords, making them easy to use in automated account takeovers or to resell on criminal marketplaces. Among the services potentially exposed are Apple, WhatsApp, Facebook, GitHub, Telegram, and online banking platforms.
“It’s a perfect starting point for phishing campaigns, identity theft, and mass unauthorized access,” Cybernews wrote.
What users should do
Security experts recommend users take the following steps immediately:
- Change passwords, especially for email, banking, and social accounts.
- Enable two-factor authentication (2FA) on every platform that supports it.
- Use a password manager to create unique, secure passwords.
- Monitor for dark web exposure using security tools or browser-integrated alerts.
- Consider switching to passkeys — a newer form of login that uses biometrics or secure device-based authentication.