16 Billion Apple, Facebook, Google and Other Passwords Leaked

All Apple, Facebook and Google users are being told to change their passwords right now – after a colossal leak exposed as many as 16 billion logins.

It's being called one of the largest data breaches in history, giving hackers "unprecedented access" to your personal info and online accounts, experts warn.

Worryingly, this isn't just old info that's been repackaged, but is "recent" data belonging to unsuspecting victims, according to CyberNews.

The shocking invasion of privacy has been branded a "blueprint for mass exploitation".

Logins for Instagram, Microsoft, Netflix, PayPal, Roblox, Discord, Telegram, GitHub and various government services in more than 29 countries, including the UK and US, have also been affected.

Crooks can use this deeply private info to carry out bank-raiding scams, fraud, spam attacks and more.

Security pros at CyberNews uncovered the trove of 16 billion datasets with vague names like 'logins' or 'credentials,' making it hard for the team to work out exactly what info they contained.

The Real Steal

There's no suggestion that any of these apps were breached or hacked themselves, however.

The records were most likely pulled together by cyber crooks using "infostealer" malware.

That's a sinister type of computer program that breaches computer systems to steal your login details, financial details, and other personal info.

It can infect devices belonging to regular users, scooping up their info. Maybe you clicked a suspicious link or downloaded a dodgy app – and then an infostealer ran riot on your system, silently collecting hundreds of log-ins.

And this info can then be dumped into a massive database that is valuable to cybercriminals.

Cash Me if You Can

Cybercriminals often pay big sums of money for a haul like this, as it allows them to target large numbers of victims quickly.

But it's also possible that the data was scooped up by "white hat" hackers – ethical computer whizzes trying to hunt down security problems.

A staggering number of individuals likely had at least some of their accounts compromised, which means they are now more vulnerable to cyber attacks.

Cybercriminals now have "unprecedented access" to personal credentials and could exploit them for account takeovers, identity theft and targeted phishing attacks, the report by CyberNews wrote.

“This is not just a leak – it’s a blueprint for mass exploitation," researchers said in their report.

"With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing.

"What’s especially concerning is the structure and recency of these datasets – these aren’t just old breaches being recycled.

"This is fresh, weaponisable intelligence at scale."

Urgent Action

Within the widescale data breach, Cybernews noted that its researchers identified a database of 184million records that were previously uncovered by security researcher, Jeremiah Fowler, in May.

A sample of 10,000 stolen accounts showed 220 email addresses with .gov domains, linking them to dozens of countries such as the UK, US, Australia, Canada, China, India, Israel and Saudi Arabia, according to Fowler.

In total, Fowler discovered 47 gigabytes of data with sensitive information for accounts across various social media, gaming and streaming sites.

"The inclusion of both old and recent infostealer logs – often with tokens, cookies, and metadata – makes this data particularly dangerous for organizations lacking multi-factor authentication or credential hygiene practices," the team said.

It is unclear who owns the leaked data.

While it could be security researchers that compile data to monitor leaks, CyberNews warned that it is "virtually guaranteed" that some of the logins were owned by cybercriminals.

According to CyberNews researcher Aras Nazarovas, web users should change their passwords and enable two-factor authentication (2FA) on all their accounts.

"Some of the exposed datasets included information such as cookies and session tokens, which makes the mitigation of such exposure more difficult," he said.

"These cookies can often be used to bypass 2FA methods, and not all services reset these cookies after changing the account password.

"Best bet in this case is to change your passwords, enable 2FA, if it is not yet enabled, closely monitor your accounts, and contact customer support if suspicious activity is detected."

Cookies and session tokens give crooks the ability to use your account as if they were already logged in.

That's because they're skipping the log-in stage, tricking apps and websites into thinking they'd logged in already with an active session.

That is why experts are warning users to change their passwords and monitor their accounts, as this can lock out crooks trying to use this trick.

Key to Entry

Niall McConachie, UK director of web security firm Yubico, said the data breach shows "passwords are just not good enough" anymore.

Instead, people should use passkeys - a passwordless login method which is supposed to be more secure.

Facebook just recently adopted passkeys as a safer alternative to passwords, but companies like Google and Apple have had them for a while.

"By continuing to rely on passwords, huge data breaches like this will persist – and they’ll only get worse," added McConachie.

"Device-bound passkey options… manage logins across all users’ platforms and devices and offer the highest level of security.

"They are resistant to phishing attempts and can't be intercepted or stolen by remote attackers, meaning only the key holder can gain access to their accounts."