News spread early Friday that a record-breaking data breach exposed 16 billion passwords to the world, including user credentials for the likes of Facebook, Google, Apple, and tons of other places. Some commentators were quick to call it the largest password leak in history, and in terms of raw records exposed, that’s mostly, technically true. However, these records did not come from a single breach — or even a new breach. Instead, they came from many smaller ones.
Data breaches are an unfortunate reality in the digital age, and some of the breaches can be quite large. However, not every release of stolen data is the direct result of a recent cybersecurity breach. As Mashable recently reported in our countdown of the top cybersecurity breaches of 2025, hackers will often compile information from multiple prior hacks and combine them into one massive file. This is becoming a trend in the darker corners of the internet. The end result is more of a “greatest hits” rather than a new, noteworthy hack.
Such is the case here. Per Bleeping Computer, the information contained in the 16 billion records was most likely compiled from a host of prior hacks, compiled, and then released as a single set of data. It was likely circulating for some time before being compiled, and likely came from a combination of breaches, hacks, phishing scams, and malware.
This is backed up by a tweet from vx-underground, an educational website that specializes in malware and cybersecurity. “Someone took a bunch of existing leaks, threw it all together, and slapped a NEW stick [sic] on it.”
This Tweet is currently unavailable. It might be loading or has been removed.
However, the existence of all this data in one spot is still rather damaging, as cybercriminals now have access to all of this data in a single spot, potentially making it much easier to concoct more effective phishing scams or engage in identity theft.
The largest single-point data breach in history is still Yahoo’s 2016 breach, when hackers stole data about all three billion of the website’s users.
Protecting yourself from password leaks
With so many records in one spot — even if some of them are legacy data that is no longer relevant — it’s still probably a good idea to take an audit of your online services to make sure you’re protected. A good place to start is Have I Been Pwned, a website dedicated to showing data breaches. Simply go there, enter your email address(es), and the site will show you which credentials have been exposed to the public.
We recommend changing those credentials immediately if you haven’t already, and using a strong password when you do so, as they are more difficult to crack. After that, you’ll want to enable multi-factor authentication on every account you possibly can, as the added layer helps keep criminals from stealing your life if they obtain your password. That should be the bare minimum, but there are plenty of other steps you can take to keep yourself safe online as well.
Have a story to share about a scam or security breach that impacted you? Tell us about it. Email submissions@mashable.com with the subject line "Safety Net" or use this form. Someone from Mashable will get in touch.
