You may have heard about the “Mother of All Breaches” earlier this year, with 26 billion exposed records. But now, security researchers have quietly uncovered another massive data breach that includes over 16 billion login credentials. What is shocking is that most people have not even heard about it.

This massive collection includes data from dozens of separate leaks, mostly compiled from infostealer malware. These are malicious programs that silently grab login info, cookies, and tokens from infected devices.

Researchers at Cybernews discovered 30 datasets floating around online. Each dataset contains anywhere from tens of millions to over 3.5 billion records. These datasets include credentials for everything: social media, email accounts, VPNs, developer tools, cloud services, and even government portals.

Unlike older breach dumps, this one contains a dangerous mix of fresh and structured data, likely stolen directly from infected devices using infostealers. Some data was briefly left exposed online in unsecured cloud storage, while the source behind most of it remains unknown.

Most of these leaked records follow a simple structure: website URL, username/email, and password. That’s exactly how modern infostealers work. Some logs even include session cookies, tokens, and browser metadata, which makes it easy for attackers to bypass logins and security checks.

Also read: North Korean Hackers Targeting Indian Crypto Job Seekers

How Serious Is This?

Cyber criminals can use this data to perform phishing attacks, identity theft, and ransomware campaigns effectively. Even if a user is not directly impacted, this kind of dataset can still help cybercriminals guess passwords, perform credential stuffing, and take over accounts.

It is unclear how many unique users are affected because these datasets likely have overlapping entries. Even with a rare possibility, it should impact millions of users.

Who Is Behind It?

It is also a mystery who is behind this dataset. Some of the dataset names hint at locations or platforms. But there’s no clear information.

What You Can Do

Unfortunately, users cannot do much to remove their info once it is leaked. I advise all users to always use strong and unique passwords for each account. If you find it hard to remember strong passwords, start using a password manager. Enable two-factor authentication (2FA) wherever possible and check your system for malware.

Massive leaks like this are becoming common. Now with 16 billion records exposed, this breach shows how silently dangerous info-stealing malware has become. Most of this data was never meant to be public, and now it’s potentially in the hands of the wrong people.

Also read: Billions of Chinese Records Leaked Online