Last week my work and personal life collided after a security researcher uncovered what's now being called the largest credential exposure in history: over 16 billion usernames and passwords floating in a searchable, indexed collection online. With untold numbers of Apple IDs and Gmail passwords leaked, I immediately took action and reached out to my friends, family, even my future in-laws. "Hey, don't freak out, but maybe change your passwords."
While it felt great to be useful to people I care about, this news is concerning. This wasn't a traditional breach where a single company got compromised. Instead, it's more like digital archaeology: layers of old breaches, stolen cookies, and malware logs, all stacked into a monument of exposure.
Why should we care? Well, last week's revelation was a little different: it's all stitched together, validated, and made searchable by email, password, and domain.
Flashback: Where Did 16 Billion Credentials Come From?
Let's set the stage. This dump didn't appear out of thin air. It's a toxic mix of old data breaches, credential stuffing databases, and infostealer malware logs harvested over the last decade.
Remember these?
LinkedIn (2012): 117M emails and passwords
Dropbox (2016): 68M credentials
RockYou2021: A now-infamous text file with 8.4 billion entries
Collection #1-#5: Early mega-dumps of exposed user data
Infostealer logs from malware like RedLine, Raccoon, Vidar
That last one is the kicker. Cybernews estimates that over 85% of the data in this new trove came from infostealers, which are modern malware designed to lift saved credentials, browser cookies, autofill data, and even tokens used to bypass MFA. It's not just recycled breach data: this data has been validated and enriched, and it's recent.
What Is an Infostealer, Anyway?
If ransomware is the final stage of exploitation, infostealers are the quiet scouts. They get onto your machine through a fake PDF, a sketchy game mod, or a bad browser extension. Infostealers typically steal your saved browser passwords, dump your cookies and session tokens, grab your autofill data and saved cards, and capture chat and collaboration tokens (Slack, Telegram, Discord).
Then they zip it all up and send it off to a server, where it gets sold or reused. If you're lucky, it's just resold on a forum. If you're not, that session cookie gets used to log into your payroll system or your AWS console.
And with dirt-cheap pricing (sometimes as low as $50 per campaign), infostealers are now the backbone of initial access for many ransomware gangs and fraud rings.
Why This Dump Matters Now
We've seen big leaks before. What makes this one different? This dump is:
Massive: 16 billion records isn't just a headline. It's the sheer scale of reusability. Odds are that you, your coworkers, or your parents are in it.
Mapped and Searchable: Attackers (and researchers) can now look up password reuse across services, see if MFA tokens are active, and track behaviors across domains.
Rich with Metadata: This isn't just email:password pairs. This includes IPs, geolocation, timestamps, and system info, giving threat actors intel to prioritize their targets.
Blurring Work and Personal Lines: Thanks to remote work and federated identity, your Slack session token might sit next to your Fortnite login. One stealer equals two breaches.
It's a chilling reminder that modern breaches don't begin at the firewall; they start in the browser. In a world where we work from home and share credentials across applications and devices, we must be vigilant.
So What Did I Actually Do?
First, I reset my passwords. Gmail. Apple ID. GitHub. Slack. Anything tied to my core identity. Then I texted my family, friends and my future in-laws, because this breach isn't just about work risk. It's about human risk.
If someone logs into your old Gmail, they can hit password resets for your bank, crypto, medical portal, and more. If they get your Dropbox, maybe they find your taxes. If they get your browser cookies, they're already logged in. We've built a digital identity system held together by hope and plaintext passwords, and regrettably, hope doesn't scale.
What Can You Actually Do?
We've all seen the "change your password" tips. But when you're staring down 16 billion compromised credentials, the usual advice feels pretty hollow. I get it: it's an arbitrarily huge number that, in the wake of near-daily breach headlines, we've all become a little desensitized to.
The thing is, most people approach password security backwards. They start with the easy stuff and work their way up. But if someone just bought your credentials for fifty bucks, they're not going to mess around with your Netflix account first. They're going straight for your email, because that's the skeleton key to everything else. From there, they can reset passwords for your bank, your crypto wallet, your work accounts, everything.
So if you're going to do this, start with the hardest, best option. Your primary email needs a new password today, not next week. Same with your Apple ID or Google account, because those are tied to everything. If you use SSO, that's next on the list. Then anything connected to money or sensitive documents.
But here's where people usually stop, and that's the problem. You can change passwords all day, but if you're still using the same three variations across different sites, you're just playing whack-a-mole with hackers. I’d suggest that it’s time to get a password manager such as Bitwarden or 1Password. The point isn't the brand, it's that you stop being the weakest link in your own security chain.
If you really want to go the extra mile (and be more secure), turn on hardware-based MFA wherever you can. Those YubiKeys aren't just for paranoid security professionals anymore. Then go through your Google, Facebook, and Slack accounts and log out those old sessions from devices you haven't used in months.
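To make that reset order concrete, here is an added Python example (my own, not code from this post or from Bitwarden or 1Password). It reads a constructed CSV export in a generic name,url,username,password,tags layout, assigns each account a tier in the order above (primary email and Apple/Google identity first, then SSO, then money and documents, then the rest), and flags both exact password reuse and near-variants such as Summer2023! versus Summer2024!. Grouping is done on SHA-256 hashes so the plaintext is never printed.

```python
"""Triage a password-manager export: reset order plus exact and near-variant reuse.

Added example, mine rather than the post's or any password manager's code.
The CSV layout (name,url,username,password,tags) and every row are CONSTRUCTED;
real exports differ, so adapt load_export() to yours. Passwords are hashed
before grouping and are never printed or written out.
"""
import csv
import hashlib
import io
import string
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, List

# Reset order from the post: primary email / Apple ID / Google first, then SSO,
# then anything tied to money or sensitive documents, then everything else.
TIER_BY_TAG = {"email": 1, "identity": 1, "sso": 2, "finance": 3, "docs": 3}
DEFAULT_TIER = 4

# CONSTRUCTED export; the accounts, usernames and passwords are not real.
SAMPLE_EXPORT = """\
name,url,username,password,tags
Gmail,https://mail.google.com,alice@example.com,Summer2023!,email
Apple ID,https://appleid.apple.com,alice@example.com,Summer2023!,identity
Work SSO,https://sso.example-corp.test,alice,Tr0ub4dor&3,sso
Bank,https://bank.example.test,alice,Summer2024!,finance
Dropbox,https://www.dropbox.com,alice@example.com,Tr0ub4dor&3,docs
Netflix,https://www.netflix.com,alice@example.com,correct-horse-battery-staple,
Fortnite,https://www.epicgames.com,alice_g,Summer2023!,
"""


def load_export(csv_text: str) -> List[dict]:
    """Parse the export into one dict per row (header row gives the keys)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def tier_of(entry: dict) -> int:
    """Lowest (most urgent) tier among the entry's tags; untagged rows go last."""
    tags = {t.strip().lower() for t in (entry.get("tags") or "").split(";") if t.strip()}
    return min((TIER_BY_TAG[t] for t in tags if t in TIER_BY_TAG), default=DEFAULT_TIER)


def password_stem(password: str) -> str:
    """Heuristic: lowercase and drop digits/punctuation at either end, so
    'Summer2023!' and 'Summer2024!' collapse to the same stem 'summer'."""
    return password.lower().strip(string.digits + string.punctuation)


def _h(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def reuse_counts(entries: List[dict], keyfunc: Callable[[str], str]) -> List[int]:
    """For each entry, how many entries (itself included) share keyfunc(password).
    Grouping is on the hash of the key, so plaintext never sits in a dict key."""
    groups = defaultdict(list)
    for idx, e in enumerate(entries):
        groups[_h(keyfunc(e["password"]))].append(idx)
    counts = [0] * len(entries)
    for members in groups.values():
        for idx in members:
            counts[idx] = len(members)
    return counts


@dataclass
class ResetItem:
    name: str
    tier: int
    exact_reuse: int    # entries using exactly this password
    variant_reuse: int  # entries whose password shares the same stem


def reset_plan(entries: List[dict]) -> List[ResetItem]:
    """Order accounts by tier, then by how widely their password (or a variant) is reused."""
    exact = reuse_counts(entries, lambda p: p)
    variant = reuse_counts(entries, password_stem)
    items = [ResetItem(e["name"], tier_of(e), exact[i], variant[i]) for i, e in enumerate(entries)]
    items.sort(key=lambda it: (it.tier, -it.variant_reuse, it.name))
    return items


if __name__ == "__main__":
    for item in reset_plan(load_export(SAMPLE_EXPORT)):
        flag = " REUSED" if item.exact_reuse > 1 else (" variant" if item.variant_reuse > 1 else "")
        print(f"tier {item.tier}  {item.name:<10}{flag}")
```

Run it against your own export (after adapting the column names) and the top of the list is the set of accounts to reset first; anything marked REUSED needs a unique replacement, not another variation of the same word.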
I realize that none of this is groundbreaking advice. But sometimes it takes 16 billion leaked passwords to make you realize that convenience isn't worth the risk anymore.
For those of you who want an easy button (and a great resource), I’d also recommend checking out: haveibeenpwned.com.
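Here is what the Pwned Passwords lookup behind haveibeenpwned.com does under the hood, as an added Python example that is not the site's own code: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and matches the remaining 35 characters locally against the list the server returns, so neither the password nor its full hash leaves your machine (the k-anonymity model). The range response body in the block is constructed so the script runs offline; fetch_range_live shows the real call, and the header and URL it uses are the service's documented ones.

```python
"""Check a password against a Pwned-Passwords-style database using k-anonymity.

Added example (not code from the original post or from haveibeenpwned.com).
The real service answers GET https://api.pwnedpasswords.com/range/<PREFIX>,
where PREFIX is the first 5 hex characters of the password's SHA-1; the body
lists 35-character hash suffixes with breach counts, one per line. The client
compares the remaining 35 characters locally, so the full hash (let alone the
password) never leaves the machine. SAMPLE_RANGE_BODY below is CONSTRUCTED so
the script runs offline; fetch_range_live() shows the real call.
"""
import hashlib
from typing import Callable, Dict, Tuple

# CONSTRUCTED offline stand-in for the range response for prefix 5BAA6.
# The first suffix is the genuine SHA-1 remainder of the string "password";
# the count and the other two suffixes are made up for this example.
SAMPLE_RANGE_BODY = "\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
    "0" * 35 + ":12",
    "F" * 35 + ":0",
]) + "\n"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent and
    the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, ignoring malformed lines.
    Padded responses (Add-Padding: true) include dummy suffixes with count 0."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        suffix = suffix.upper()
        if sep != ":" or len(suffix) != 35 or not count.isdigit():
            continue
        counts[suffix] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appeared in breaches (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fake_fetch_range(prefix: str) -> str:
    """Offline fetcher: pretends every prefix returns the constructed body."""
    return SAMPLE_RANGE_BODY


def fetch_range_live(prefix: str) -> str:
    """Real query (needs network). Add-Padding hides the true result size."""
    from urllib.request import Request, urlopen
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"Add-Padding": "true", "User-Agent": "pw-check-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "constructed-unseen-passphrase-7Qx!"):
        n = breach_count(pw, fake_fetch_range)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in the sample range")
```

Swap fake_fetch_range for fetch_range_live to check against the real database. Any non-zero count means the password is already in attackers' wordlists and should be retired regardless of how strong it looks.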
The Big Picture
This leak isn't really a surprise but rather the consequence of a decade of credential-based security debt spread across consumers, enterprises, and the platforms themselves. We've made passwords the currency of digital life, and now we're seeing inflation. In our new reality, attackers aren't breaking into systems anymore; they're logging in.
This breach, or more accurately, this aggregate exposure, is a mirror. It shows us how much we've offloaded identity to convenience. It reminds us that security posture isn't a checkbox; it's a mindset, and a call to action.
We don't need to panic, but for better or worse we all need to take accountability. Credential security is everyone's job now, from detection engineers to grandparents. Because the attackers aren't just aiming for your domain admin. They're aiming for your Netflix, your Slack, and everything in between.
Alright, so what's the good news? There is a solution! Following what's been set out in this blog (and listening to your security-minded friends, peers, and security team at work) will put you in a much better place.
Stay secure and stay curious, my friends.
Damien
Also a good reason to explore using a hardware key for your most important accounts. And setting up 2FA, using an authenticator app or hardware key for the verification (not SMS).
Totally! This makes you wonder how many of our "secure" accounts are only one old cookie or reused password away from compromise. Time to rethink what "secure" really means.