Incident Watch

16 Billion Passwords Leaked Online in Record Data Breach

A historic data breach exposed 16 billion passwords. Learn what happened, who's at risk, and how to protect your accounts right now.

What Happened: 16 billion credentials from Google, Facebook, Apple, GitHub, and others have been exposed online. Rather than being the outcome of a single breach, the data likely stems from a massive collection of infostealer malware logs and credential stuffing sets accumulated over time. 

Key Facts to Know: Datasets span 30+ sources, many previously unseen by cybersecurity professionals. Although each set is unique, the majority of records contain a URL, login details, and a password. 

  • The leak originated from infostealer malware, malicious software that captures login credentials from infected devices. 
  • These were compiled into supermassive datasets, some with over 3.5 billion entries.
  • Both Google and the FBI have issued alerts urging password resets, passkey adoption, enabling MFA, and caution around potential phishing links.

Why This Matters: Experts warn that this is a fresh, structured, and weaponizable data set. Large credential leaks like this one are often followed by a surge in cyberattacks.

  • Adversaries use stolen passwords to commit a variety of attacks at scale. This includes account takeover (ATO), identity theft, highly targeted phishing and business email compromise (BEC), and ransomware via lateral movement across SaaS environments.
  • The interconnected nature of cloud and SaaS environments often amplifies the impact of these attacks. A single compromised credential can enable an adversary to move laterally across multiple critical systems. 
  • These risks aren’t limited to personal accounts. They present a direct and growing threat to corporate environments as well.

Taking a Step Back: 

  • Due to misconfigurations in SaaS and cloud environments, it’s alarmingly easy for sensitive data to unintentionally leak online. Common misconfigurations include weak authentication methods, unused or dormant accounts, overly permissive policies, and ineffective monitoring.
  • Threat actors use multiple methods to guess and steal credentials. Tactics range from phishing to social engineering to brute-force attacks. 
  • Cybersecurity is a shared responsibility. Many organizations assume that their credentials are safe if they’re stored with trusted providers like Apple or Google. Incidents like these show that organizations must take an active approach to configuring their environments.

How to Protect Yourself: 

  • For Individuals: 
    • Change any reused passwords immediately
    • Use a password manager and enable breach alerts
    • Switch to passkeys where possible (supported by Google, Facebook, and Apple)
    • Enable MFA on all accounts
  • For Organizations
    • Implement zero-trust models and privilege-based access controls
    • Monitor for unusual login patterns and leaked credentials
    • Audit third-party integrations and unused accounts
    • Train employees on social engineering awareness
  • For Obsidian customers: 
    • In the posture module, monitor rules such as:
      • Admins without MFA registered, or users bypassing MFA
      • Inactive administrator, superuser, or privileged accounts
      • Integrations with excessive privileges, new integrations added, or existing integrations that try to change scope
    • In the threat module, look for alerts such as:
      • Helpdesk social engineering password reset
      • Suspicious MFA addition
      • Login from rare country, or impossible travel
      • Anomalous infrastructure
    • Deploy the Obsidian browser extension to 
      • Block attackers from stealing SSO credentials through phishing 
      • Discover Shadow SaaS apps to address weak access controls