A staggering 16 billion passwords and login credentials have reportedly been exposed in what security experts describe as the largest data breach on record.
Researchers warn 16 billion Google passwords leaked
The leak includes access to a wide array of online platforms, such as Google, Facebook, Apple, and even government services.
The leak, reported by Cybernews journalist Vilius Petkauskas, is said to have originated from various sources compiled into 30 different databases.
These databases contain anywhere from tens of millions to over 3.5 billion records each. Collectively, they represent fresh, previously unreported data, with only one database of 184 million entries having been seen before.
Security researchers believe the breach is the result of multiple “infostealers” — a term used to describe malicious software designed to extract information from users’ devices.
These tools often collect login details saved in browsers or apps and send them to cybercriminals.
According to Cybernews, the leaked records typically follow a simple pattern: a web address (or URL), followed by a username or email, and a password. This structure makes it easy for attackers to use the data to try accessing those accounts. In cybersecurity terms, this increases the risk of phishing attacks — where fake messages or emails trick people into giving up their personal data — and “account takeover,” where hackers log into someone else’s account without permission.
“This is not just a leak — it’s a blueprint for mass exploitation,” the researchers said.
“These aren’t just old breaches being recycled — this is fresh, weaponizable intelligence at scale.”
Despite the alarming size of the leak and the specific mention of Google among affected services, Google has not yet responded to or confirmed the breach. Instead, its usual customer service response advises users to provide their full service address and account information via direct message to check for potential disruptions.
Cybersecurity experts stress that people should immediately update their passwords, use two-factor authentication, and avoid using the same password across multiple websites.
Using a password manager, which helps generate and store strong passwords, is also strongly recommended.
At the time of writing, the breach is still being analysed, but the size and scope suggest that almost no online user may be unaffected.
Until companies like Google officially comment or offer guidance, users are being urged to assume the worst and take steps to secure their accounts.
