The discovery of a massive cache of 16 billion stolen login credentials sent security experts digging to confirm whether they were indeed new as claimed – but whatever the truth, the takeaway is clear: it’s time to change passwords or consider passkeys.
News of the trove of credentials originally broke on Cybernews, whose security researchers Aras Nazarovas and Bob Diachenko said the “unimaginable” 15.98 billion login credentials were spread across 30 different data sets, each containing from 90 million to more than 3.5 billion entries.
The only one of the data sets that had appeared previously, they said, was a 184 million record database that was reported in May and contained, among other things, logins from Apple, Google, Facebook, banks, health services, and the Australian Department of Home Affairs.
The other 29 data sets, with names like ‘socialprofiles’ and RUScollections, were neatly organised in what the researchers said were signs that the data had been harvested from computers infected from ‘infostealer’ malware that scours and copies users’ web browser password repositories.
That level of organisation makes the data easy to tap for credential stuffing attacks, in which purpose-built software bots systematically feed login details to targeted social media, email, VPN services, corporate sites and other websites until a working combination is found.
The data set includes credentials for “pretty much any online service imaginable”, the researchers said, with other credentials including tokens, cookies, and metadata providing valuable additional intelligence for cybercriminal campaigns.
The sheer size of the breach meant the data set “is not just a leak,” the researchers said, but “a blueprint for mass exploitation…. Cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing.”
Cybernews published redacted screenshots of the leaked data to quell suspicions that the 16 billion entries were just warmed-up leftovers. Photo: Supplied
“What’s especially concerning is the structure and recency of these datasets,” they added, noting that “these aren’t just old breaches being recycled; this is fresh, weaponisable intelligence at scale.”
Looks fresh, but smells rotten
The collection of breached data isn’t the largest ever found – last year’s ‘mother of all breaches’ holds that title, with 26 billion records – but the assertion that its contents are new and current, rather than just a bundle of existing credentials that can be found elsewhere, sounded alarm bells.
Troy Hunt, CEO of breach tracker Have I Been Pwned?, was investigating but told Information Age “it’s not clear what proportion is previously unseen data; if I was to hazard a guess, the actual people impacted in any meaningful way is less than 1 per cent of the headline figure.”
Concern about the leak has run so rampant that even though it does not yet have the data so its visitors can check if they’ve been compromised, Hunt reported over a million visitors to the website in half a day.
Meanwhile, Cybernews doubled down by posting screenshots of the breached data as others argued that semantics aside, the main takeaway was, as always, that users should change their passwords and adopt additional security measures such as two-factor authentication (2FA) or passkeys.
A free pass for passkeys
It’s not the first time experts have called for caution after large-scale leaks of user credentials; indeed, for many observers the hysteria and guidance around this leak have long ago become business as usual.
The leak “is hardly a surprise,” said Brian Soby, chief technology officer at security firm AppOmni, who said that “for too long, we’ve relied on outdated security measures, and this is the predictable result.”
The real threat “is weaponisation of this data against the SaaS applications that form the backbone of our economy,” he said, adding that “large credential dumps such as these highlight just how many organisations remain vulnerable to credential attacks due to insufficient protections.”
Yet where systems administrators had few options in the past but pleading with users to change their passwords – and to stop using dangerously simple passwords – this credential dump comes amidst a crescendo of attention about passkeys that could make it time for many users to switch.
Seen as the basis of an often-discussed passwordless future, passkeys have surged in usage after broad support from major tech firms including Apple, Google, and Microsoft, and are set to become even more common after a major push from payments giant Mastercard.
The widespread concern prompted by such a large password leak is a golden opportunity for passkeys – which Australian Cyber Security Centre (ACSC) describes as “a faster and more secure way to log into your online accounts than using passwords.”
