
16 Billion Password Breach: Check If You’re Affected
If you’ve been online this week, you’ve seen the headline: 16 billion passwords leaked — but this is a compiled arsenal of stolen credentials gathered over years, not a single breach. Understanding what that means is the first step to protecting yourself.
Total leaked credentials: 16 billion ·
Date of disclosure: June 2025 ·
Affected platforms: Google, Facebook, Apple ·
Primary risk: Credential stuffing attacks
Quick snapshot
- 16 billion credentials published on a hacking forum (Forbes)
- Compilation of roughly 30 previous datasets, not a single new breach (GRC Solutions)
- Includes credentials for Google, Apple, Facebook, and government portals (Cybernews)
- How many passwords in the leak are currently active vs. old and expired
- How many unique passwords are contained in the dataset (many are duplicates)
- The full scope of credential stuffing attacks already underway because of this release
- June 2025: A dataset of 16 billion credentials is shared on a cybercrime forum (Forbes)
- June 20–23, 2025: Cybersecurity firms like McAfee and Kaspersky confirm the leak and warn users (GRC Solutions)
Five key facts frame this massive leak:
| Stat | Detail |
|---|---|
| Total leaked credentials | 16 billion |
| Reported date | June 2025 |
| Source of leak | Cybercrime forum, compilation of past breaches (GRC Solutions) |
| Included platforms | Google, Facebook, Apple, government services (GRC Solutions) |
| Risk type | Credential stuffing and phishing (Cloudflare) |
Is it true that passwords have been leaked?
What do we know about the scope of the leak?
- The dataset is a compilation, not a single hack. GRC Solutions tracked roughly 30 distinct datasets combined into one file.
- The leak affects users of almost every major platform. Forbes reported the data includes credentials for Google, Apple, Facebook, and hundreds of other services.
- At 16 billion records, this is widely regarded as the largest collection of stolen credentials ever assembled.
The sheer volume makes it a valuable resource for attackers—but the compilation nature means it’s largely old data aggregated over years, not a single dramatic intrusion into a current system.
How reliable are the initial reports?
The core facts are well-sourced: Forbes, Cybernews, and security vendors McAfee and Kaspersky have all investigated and verified the leak’s existence and scope. What remains unverified is the exact proportion of the data that is immediately useful for account takeovers.
Cybersecurity experts widely agree that the dataset represents a serious threat. Kaspersky noted in its analysis that users should act immediately, and McAfee confirmed the leak’s immense scale. The consensus is clear: the data is real, and it is dangerous.
How did 16 billion passwords get leaked?
Was it a single breach or a collection?
- According to GRC Solutions, the dataset is an aggregate of roughly 30 different caches of stolen credentials.
- Forbes confirmed the data was compiled from multiple infostealer operations, not a single system breach.
- The records were collected over several years, meaning the data ranges from very recent to a decade old.
This is a crucial distinction: no single company was hacked to produce this trove. Instead, it’s an encyclopedia of previous failures.
Who published the data?
- The data was posted on a well-known cybercrime forum.
- Forbes reported the thread has since become a central resource for credential stuffing attacks.
- The identity of the publisher remains unknown.
Posting stolen data on forums is a standard tactic in the cybercrime economy, used to establish reputation or simply to disrupt.
What is a credential compilation?
Think of it like a burglar who has collected skeleton keys from every job site he’s ever visited. He didn’t break into your house to get your key specifically—but he probably has one that fits your lock.
A credential compilation is exactly what it sounds like: a giant spreadsheet of usernames, emails, and passwords assembled from decades of data breaches and infostealer logs. GRC Solutions notes that collections like these are the primary fuel for automated account takeover attacks. This particular compilation, per Cybernews, contains individual datasets ranging from tens of millions to more than 3.5 billion records.
The pattern: We are seeing a shift from targeted hacking to industrial-scale credential aggregation. Attackers don’t need to breach your bank directly if they already have the password you used there from a forum account you made in 2018.
How to check the 16 billion passwords leaked?
Using Have I Been Pwned?
- Have I Been Pwned is a free, widely trusted service that lets you search across billions of known breach records.
- Its Pwned Passwords feature allows you to check if a specific password has appeared in a compromised dataset without exposing the password itself, using a method called k-anonymity.
- If this compilation has been indexed, your email or password will return a result immediately.
Checking your email address
- SecurityScorecard advises users to visit Have I Been Pwned and enter their email address.
- The service will immediately show which previous breaches your credentials have appeared in.
- If your email isn’t listed yet, check back over the coming weeks as security researchers ingest the new data.
Using password manager tools
- F-Secure offers a free identity-theft checker that scans for your personal information in known breaches.
- Many modern password managers, such as the one built into Google Chrome, automatically alert you if your saved passwords appear in a new leak.
- Google’s Password Checkup is a built-in tool for Android and Chrome users that runs a silent scan against known breach databases.
For more on verifying large data exposures, see our Epstein Files analysis.
Do I need to worry about the password leak?
Who is at risk?
- If you reuse passwords across multiple sites, you are at high risk.
- Cloudflare explains that credential stuffing relies entirely on password reuse.
- If your login from a breached forum in 2018 is the same as your current email password, your email account is effectively compromised.
What are the consequences of credential exposure?
An exposed password on a low-value site can cascade into a hijacked email account, which can then be used to reset passwords on your bank, social media, and work accounts. This is the core danger of credential stuffing.
How credential stuffing works
- Imperva defines credential stuffing as the automated injection of stolen username/password pairs against website login forms.
- Attackers use bots to rapidly test billions of combinations, relying on the fact that people reuse passwords.
- These automated attacks are designed to look like normal traffic, making them hard to block without dedicated mitigation tools. (GRC Solutions)
The trade-off: Convenience versus security. Every reused password lowers the barrier for an attacker. The decision to use unique passwords is a direct bet against a very specific, very probable attack vector.
What to do after the 16 billion passwords data breach?
Change passwords on all important accounts
- Start with your email accounts. If an attacker gets your email, they can reset everything else.
- Next, prioritize financial accounts: banking, investing, PayPal.
- Finally, change passwords on social media and shopping accounts.
Google Support recommends running a Security Checkup and Password Checkup to identify all compromised passwords across your Google account at once.
Enable two-factor authentication
- OWASP states that multi-factor authentication (MFA) is the single most effective defense against credential stuffing attacks.
- OWASP cites Microsoft analysis indicating MFA would have stopped 99.9% of account compromises.
- Enable it on email, banking, and any platform that offers it—especially those using authenticator apps or hardware keys.
Use a password manager
- Password managers generate and store unique, complex passwords for every site.
- This completely eliminates the risk of credential stuffing because no password is ever reused.
- Most managers also have a built-in security dashboard that alerts you if a stored password appears in a known breach.
For related device security tips, see our iPhone network reset guide.
Monitor accounts for suspicious activity
- Check your recent login history on critical accounts.
- Set up notification alerts for new device logins wherever possible.
- SecurityScorecard recommends watching for breach notification emails from services you use.
Confirmed Facts vs. What’s Unclear
Confirmed facts
- 16 billion credentials were posted on a cybercrime forum (Forbes).
- The dataset includes passwords from Google, Facebook, Apple, and thousands of other sites (GRC Solutions).
- The leak is a compilation of roughly 30 previous breaches, not a single new intrusion (Cybernews).
- Credential stuffing attacks using the data are already being observed (Imperva).
What’s unclear
- The exact number of unique passwords: many records are duplicates.
- Whether the dataset contains actively used passwords or mostly old, expired ones.
- How many users will actually be targeted by credential stuffing attacks in the coming weeks.
- The identity of the person or group who uploaded the dataset.
What Security Experts Are Saying
The 16 billion-credential cache was assembled from roughly 30 datasets, with individual datasets ranging from tens of millions to more than 3.5 billion records.
Multi-factor authentication is the best defense against most password-related attacks, including credential stuffing and password spraying.
Credential stuffing is a cyberattack that uses stolen login credentials from one breach to gain access to accounts on other services.
The 16 billion password leak is a wake-up call for anyone who has ever used the same password on more than one website. The security industry has the tools to stop credential stuffing cold—password managers, multi-factor authentication, and breach monitoring services. The weak link is human nature. For anyone still relying on a handful of shared passwords, the choice is stark: adopt a password manager and multi-factor authentication today, or accept the near-certainty of an account takeover tomorrow.
Frequently asked questions
Is the 16 billion password leak the largest of all time?
Based on the number of records, it is the largest compilation of stolen credentials ever seen. The sheer scale—16 billion records—surpasses previous mega-breaches like Collection #1-5, which contained over 22 billion records but was focused on fewer platforms. This compilation spans thousands of sources and represents a historic aggregation of credential theft.
How can I tell if my account was affected by the 16 billion password leak?
The easiest way is to visit Have I Been Pwned and enter your email address or check your passwords against the Pwned Passwords database. You can also use Google’s Password Checkup or a password manager’s security dashboard to scan for compromised credentials.
Should I change all my passwords or only those on compromised sites?
A compromise on one site puts all accounts where you reuse that password at risk. The safest approach is to change passwords on every account that shares a password with a compromised credential. A password manager makes this process manageable by generating unique, strong passwords for each site.
What websites were most impacted by the leak?
The leak includes credentials from almost every major category of website: email providers, social networks (Google, Facebook), consumer tech (Apple), VPN services, developer portals, and government websites. The sheer breadth of platforms represented is what makes the dataset uniquely dangerous for credential stuffing attacks.
What is credential stuffing and how do I protect against it?
Credential stuffing is an automated attack where bots use stolen username/password pairs to try to log into other services. The only effective protection is to never reuse passwords across different websites and to enable multi-factor authentication wherever possible. Password managers are the best tool for achieving this.
Does the leak include credit card or financial information?
The reported dataset primarily contains usernames, email addresses, and passwords. Financial information like credit card numbers is not a major component of this specific compilation. However, an account takeover enabled by a leaked password can still expose your financial information stored within a hijacked account.
How long does it take for hackers to exploit leaked passwords?
Attackers frequently begin credential stuffing attacks within hours of a dataset becoming public. The window between the leak and active exploitation is extremely tight, which is why immediate action is recommended. Proactive users who change passwords in the first 48 hours significantly reduce their exposure.