16 billion passwords leaked from Apple, Google, Facebook, Netflix, and PayPal services

A group of cybersecurity experts has revealed what could be the largest credential theft in history. According to Cybernews, reported by Forbes, more than 30 databases have been exposed online, which together contain more than 16 billion records containing usernames, passwords , cookies, tokens, and other sensitive information linked to millions of digital accounts.

This massive breach is not limited to a specific company or platform, but rather aggregates data from multiple previous breaches, now compiled into a single, publicly accessible database without any security measures. The affected services include Apple, Google, Facebook, Amazon, Netflix, PayPal, Telegram, Microsoft, Roblox , and dozens more, including government platforms.

Of the more than 30 leaked data sets, only one—compromising 184 million records—had been publicly reported so far. According to Cybernews, "there is no definitive way to accurately calculate how many people have been affected," as there could be duplications between the different leaks. However, the site indicates that the databases with the highest volume of stolen data correspond primarily to Portuguese-speaking populations, followed by Russian-speaking ones.

The Cybernews team has not been able to specify "with certainty" who owns the dataset. "While it could be security researchers collecting data to verify and monitor leaks, it's virtually certain that some of the leaked datasets belonged to cybercriminals," it explains.

Even so, the researchers point out that this is "not just a leak, but a model for mass exploitation." "Cybercriminals now have unprecedented access to personal credentials that can be used for account takeovers, identity theft, and highly targeted phishing ," they warned. They also emphasize that this is not just old credentials, but rather "new intelligence that can be weaponized on a large scale." They therefore warn that this data can be used as a tool to carry out cyberattacks against victims.

Given this situation, and despite the fact that most of the data implicates the Portuguese and Russian populations, the best recommendation is to change the passwords for these sites. It is recommended that this be a unique password per domain, never used before on another account.

To create a secure password, it's best to combine upper and lowercase letters, numbers, and symbols, avoiding common words or personal details like birth dates or names. The longer and more complex the password, the harder it will be to crack: it's recommended to have at least 12 characters . Enabling two-step verification whenever possible adds an extra layer of protection. In any case, no password is foolproof, so it's best to change and update your credentials periodically to ensure they're not part of a data breach.