Business

Home » Business

16 billion Apple, Facebook, Google, and other passwords leaked

Picture of Tshehla Cornelius Koteli

By Tshehla Cornelius Koteli

Business journalist

5 minute read

20 June 2025

05:01 pm

Information in the leaked datasets opens the doors to virtually any online service imaginable.

16 billion Apple, Facebook, Google, and Other Passwords Leaked

For illustrative purposes. Picture: iStock

Approximately 16 billion login passwords have been leaked, reportedly in one of the largest data breaches in history.

The Cybernews research team recently discovered the leak, revealing 30 exposed datasets containing tens of millions to more than 3.5 billion records each. In total, the researchers uncovered an unimaginable 16 billion records.

“With more than 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing,” researchers said.

What passwords were stolen?

According to Cybernews, researchers claim that most of the leaked datasets are a mix of details from stealer malware, credential stuffing sets, and repackaged leaks.

“However, the information that the team managed to gather revealed that most of it followed a clear structure: a URL, followed by login details and a password. Most modern infostealers – malicious software stealing sensitive information – collect data in exactly this way.”

Information in the leaked datasets opens the doors to virtually any online service imaginable, from Apple, Facebook, and Google to GitHub, Telegram, and various government services. “It is hard to miss something when 16 billion records are on the table.”

ALSO READ: Mediclinic’s employees’ data compromised. Investigations underway

Who owns the leaked passwords

Cybernews further states that it is unclear who owns the leaked data.

“While it could be security researchers that compile data to check and monitor data leaks, it is virtually guaranteed that some of the leaked datasets were owned by cybercriminals.

“Cybercriminals love massive datasets as aggregated collections allow them to scale up various types of attacks, such as identity theft, phishing schemes, and unauthorised access.

“We do not really know how many duplicate records there are, as the leak comes from multiple datasets.

“However, some reporting by other media outlets can be quite misleading. Some claim that credentials for Facebook, Google, and Apple were leaked. While we cannot completely dismiss such claims, we feel this is somewhat inaccurate.”

How to protect yourself in the aftermath

Here are ways to protect yourself after you suspect your password has been compromised:

  • Check the breach impact – when a data breach occurs, the first thing a user is advised to do is to check whether their data has been affected. There are modern security solutions which will enable the detection of leaked data and provide alerts to enhance security measures if necessary.
  • Change your passwords as soon as possible – in the event of a data breach, it is essential to change your passwords immediately and consider all other sites where the same password is being used.
  • Block and reissue your bank card, if necessary – if payment data was stored by a service that experienced a data breach, it is best to block and reissue a card for added security. Usually, reissuing a bank card does not take too much time and effort, therefore preventing a greater inconvenience.
  • Install a reliable password manager – a tool like a password manager creates strong passwords and stores them securely in an encrypted vault. Besides, it is enabled to monitor data leaks and check if users’ passwords were compromised.
  • Set a two-factor authentication – To protect an account from unauthorised access, it is highly recommended to set up two-factor authentication. This can be accomplished by receiving a confirmation via SMS, email, or using an authentication app or password manager that generates one-time codes.
  • Securely close unused accounts – if there are no plans to continue using a service after a data leak, it is advisable to delete the account and request the complete removal of all collected data by contacting technical support or the address in the Privacy Policy.
  • Share only the essential minimum of personal information online – as massive service leaks are not uncommon, it is recommended to minimise the information provided to a service. When you register, using a main email address is unnecessary: auto-substitution can be used instead. Additionally, if not required, omit the real name and address of residence.

NOW READ: Are you making password mistakes? Here’s what you need to know

Read more on these topics

apple Cybercrime google internet Meta (Facebook)

EDITOR'S CHOICE

South Africa Does South Africa need a political party led by Floyd Shivambu?
News ‘Engineered dysfunction’: City of Tshwane disconnects its own water reservoir for non-payment
Business Gupta-linked Saxonwold mansions head to auction after seven-year legal battle
News Clarity sought on alleged R700m cost of National Dialogue
Politics Shivambu says money stolen from MK party – and he won’t resign

Download our app

App Store badge Google Play Store badge

Get the latest news and updates on Whatsapp