News spread early Fridaythat a record-breaking data breach exposed 16 billion passwords to the world,Watch Aunt's Temptation (2018) including user credentials for the likes of Facebook, Google, Apple, and tons of other places. Some commentators were quick to call it the largest password leak in history, and in terms of raw records exposed, that’s mostly, technically true. However, these records did notcome from a single breach — or even a new breach. Instead, they came from many smaller ones.
Data breaches are an unfortunate reality in the digital age, and some of the breaches can be quite large. However, not every release of stolen data is the direct result of a recent cybersecurity breach. As Mashable recently reported in our countdown of the top cybersecurity breaches of 2025, hackers will often compile information from multiple prior hacks and combine them into one massive file. This is becoming a trend in the darker corners of the internet. The end result is more of a “greatest hits” rather than a new, noteworthy hack.
Such is the case here. Per Bleeping Computer, the information contained in the 16 billion records was most likely compiled from a host of prior hacks, compiled, and then released as a single set of data. It was likely circulating for some time before being compiled, and likely came from a combination of breaches, hacks, phishing scams, and malware.
You May Also Like
This is backed up by a tweetfrom vx-underground, an educational website that specializes in malware and cybersecurity. “Someone took a bunch of existing leaks, threw it all together, and slapped a NEW stick [sic] on it.”
This Tweet is currently unavailable. It might be loading or has been removed.
However, the existence of all this data in one spot is still rather damaging, as cybercriminals now have access to all of this data in a single spot, potentially making it much easier to concoct more effective phishing scams or engage in identity theft.
The largest single-point data breach in history is still Yahoo’s 2016 breach, when hackers stole data about all three billion of the website’s users.
Mashable is live at VidCon 2025:Check out our VidCon coveragewith your favorite content creators now.
Related Stories
- Hackers leak 86 million AT&T customer records with 44 million social security numbers, report says
- Target and Walmart tariff price hikes leak online from an unlikely source
- Healthcare data breach impacts over five million Americans
Protecting yourself from password leaks
With so many records in one spot — even if some of them are legacy data that is no longer relevant — it’s still probably a good idea to take an audit of your online services to make sure you’re protected. A good place to start is Have I Been Pwned, a website dedicated to showing data breaches. Simply go there, enter your email address(es), and the site will show you which credentials have been exposed to the public.
We recommend changing those credentials immediately if you haven’t already, and using a strong password when you do so, as they are more difficult to crack. After that, you’ll want to enable multi-factor authenticationon every account you possibly can, as the added layer helps keep criminals from stealing your life if they obtain your password. That should be the bare minimum, but there are plenty of other steps you can taketo keep yourself safe online as well.
Have a story to share about a scam or security breach that impacted you? Tell us about it. Email [email protected]with the subject line "Safety Net" or use this form.Someone from Mashable will get in touch.
Topics Cybersecurity
