
Anatomy of a Breach: 16 Billion Credentials Leaked — The Infostealer Aggregation That Dwarfed Collection #1

> series: anatomy_of_a_breach —— part: 203 —— event: 16_billion_credentials —— sources: infostealers + breach_compilations —— scale: 20x_collection_1

Hedgehog Security 30 November 2025 13 min read

16 billion credentials. Google. Apple. Facebook. GitHub. A credential buffet for every attacker on earth.

In mid-2025, researchers at Cybernews uncovered 30 exposed datasets containing more than 16 billion login credentials — including usernames and passwords for Google, Apple, Facebook, Telegram, GitHub, and government services worldwide. The datasets were not from a single breach but from a massive aggregation: credentials harvested by infostealer malware (Vidar, RedLine, Raccoon, and others) combined with data from earlier breaches, compiled and hosted openly online.

The 16 billion credential compilation dwarfed Collection #1 (773 million unique email/password combinations, 2019) by a factor of twenty. It also eclipsed the 3.2 billion compilation that circulated in 2021. The sheer volume — 16 billion credentials — effectively meant that a significant proportion of every internet user's passwords were available to attackers, enabling credential stuffing at industrial scale. The compilation was the culmination of years of infostealer malware activity — the same threat vector that powered the Snowflake campaign (2024) and now represented an existential challenge to password-based authentication.

16 billion stolen credentials. Password-only authentication is finished.

MFA Is No Longer Optional — It Is Existential

With 16 billion credentials available, every password must be assumed compromised. <a href="/cyber-essentials">Cyber Essentials Danzell's</a> auto-fail criterion for absent MFA is validated by 16 billion data points. MFA is the only control that protects when passwords are known.

Infostealers: The Credential Supply Chain

The majority of the 16 billion credentials were harvested by infostealer malware installed on personal devices — creating a parallel supply chain of stolen authentication data that feeds credential stuffing, account takeover, and initial access for ransomware. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for infostealer indicators and credential exposure.

Aggregation as Weapon

No single platform was breached to create the 16 billion credential dataset — it was aggregated from thousands of sources over years. The aggregation itself is the weapon: enabling attackers to test stolen credentials against any platform at scale. <a href="https://www.socinabox.co.uk/blog/what-is-the-dark-web-business-guide">Dark web monitoring</a> through <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects when your organisation's credentials appear in these compilations.

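Credential stuffing at the scale this aggregation enables leaves a recognisable pattern in authentication logs: one source trying many different accounts about once each, with most attempts failing because leaked pairs are stale. The Python below is an added example, not Hedgehog Security's or SOC in a Box's code; the log format, addresses, thresholds and sample lines are all constructed assumptions, and the output names accounts where a leaked password still worked so they can be reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample log (not real data): 203.0.113.7 replays leaked email/password
# pairs, 198.51.100.2 is a user who typos once, 192.0.2.9 brute-forces one account.
SAMPLE_LOG = """\
2025-06-20T10:00:01Z login src=203.0.113.7 user=alice@example.com result=FAIL
2025-06-20T10:00:02Z login src=203.0.113.7 user=bob@example.com result=FAIL
2025-06-20T10:00:02Z login src=203.0.113.7 user=carol@example.com result=OK
2025-06-20T10:00:03Z login src=203.0.113.7 user=dave@example.com result=FAIL
2025-06-20T10:00:04Z login src=203.0.113.7 user=erin@example.com result=FAIL
2025-06-20T10:01:10Z login src=198.51.100.2 user=grace@example.com result=FAIL
2025-06-20T10:01:20Z login src=198.51.100.2 user=grace@example.com result=OK
2025-06-20T10:02:00Z login src=192.0.2.9 user=heidi@example.com result=FAIL
2025-06-20T10:02:01Z login src=192.0.2.9 user=heidi@example.com result=FAIL
"""

def parse(lines):
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # ignore anything that is not a login record
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["src"], m["user"], m["result"] == "OK"

def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.8):
    # Stuffing signature: many distinct accounts from one source in a short
    # window, each tried about once, mostly failing (leaked pairs are stale).
    by_src = defaultdict(list)
    for ts, src, user, ok in parse(lines):
        by_src[src].append((ts, user, ok))
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            if (len(users) >= min_users and fails / len(span) >= min_fail_ratio
                    and len(span) / len(users) <= 2):  # ~one try per account
                flagged[src] = {"distinct_users": len(users), "attempts": len(span),
                                "compromised": sorted(u for _, u, ok in span if ok)}
    return flagged
```

The single-account brute force and the legitimate typo are deliberately left unflagged, since they need different rules (per-account lockout and nothing, respectively).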
Passkeys and FIDO2: The Path Forward

The 16 billion credential leak reinforced the case for passwordless authentication — passkeys, FIDO2 hardware tokens, and other phishing-resistant methods that cannot be harvested by infostealers. <a href="/cyber-essentials">Cyber Essentials Danzell</a> addresses phishing-resistant MFA implementation. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> evaluates authentication architecture.

Assume every password is compromised. Enforce MFA. Adopt passkeys. Now.

The 16 billion credential compilation is the definitive evidence that password-only authentication has failed. Cyber Essentials Danzell mandates MFA. Our penetration testing validates MFA enforcement and tests for credential-stuffing resilience. SOC in a Box monitors for credential compromise and infostealer activity. And UK Cyber Defence provides incident response when credential compromise leads to account takeover.


16 billion credentials. Your passwords are compromised. MFA and passkeys are the only answer.

<a href="/cyber-essentials">Cyber Essentials</a> mandates MFA. <a href="/penetration-testing">Penetration testing</a> validates enforcement. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for credential compromise.