16 billion
Stolen credentials compiled across 30 separate dark web databases, the largest credential compilation ever documented — covering Google, Apple, Facebook, GitHub, VPNs, and government portals
184 million
Enterprise and government-focused records in the compilation, targeting corporate VPN credentials, internal portals, developer platform keys, and SaaS platform logins
48 hours
Typical window from infostealer malware infection on a corporate device to the appearance of stolen credentials for sale on dark web markets
1 in 3
Login attempts across F5-monitored enterprise environments in 2026 that use credentials sourced from known leaked compilations, confirming the compilation is actively weaponized

Security researchers confirmed 16 billion stolen login credentials circulating across 30 dark web databases in June 2025, and active trading of this data has continued into May 2026 as new infostealer logs keep feeding fresh records into the compilation.

The 16 billion credentials leak comprises data compiled by Cybernews researchers from 30 separate underground datasets, collectively covering credentials for Google, Apple, Facebook, GitHub, enterprise VPNs, developer portals, and government platforms. The leak did not originate from a single breach. Infostealer malware families RedLine and Raccoon, along with dozens of smaller variants, harvested these credentials from infected personal and corporate devices over several years, then sold the logs on underground markets where operators aggregated them into searchable compilations.

The technical content of the datasets amplifies the risk beyond plain password lists. Beyond email and password pairs, the datasets include session tokens and authentication cookies captured directly from infected browsers. A valid session cookie bypasses multi-factor authentication because it represents a session that has already passed the login and MFA checks: the attacker does not need the password or the MFA code, only to present the cookie before the session is revoked or expires. Security researchers at F5 reported that nearly one in three login attempts across monitored enterprise environments in 2026 use credentials sourced from dumps like this one.

Organizations that have not checked their domain exposure against this compilation face a measurable account takeover risk today. Check every corporate email address against Have I Been Pwned. If any match returns, treat the associated account as compromised until the password is rotated, all active sessions are revoked, and the device the credential was used from has been checked for an infostealer; rotating a password on a still-infected device only hands the stealer a fresh one.

What Is the 16 Billion Credentials Leak?

The 16 billion credentials leak is a compilation of 30 separate underground datasets totaling approximately 16 billion stolen login records, first identified by Cybernews researchers in June 2025. Each dataset averaged over 500 million records, with the largest single database containing 3.5 billion credentials.

This is not a single breach of one company's database. Cybernews researchers found that the data originates from three sources: infostealer malware logs collected over multiple years, credential stuffing compilations previously circulated on hacking forums, and repackaged credentials from historical breaches. The aggregation of all three sources into one searchable compilation represents a qualitative upgrade in attacker capability. Instead of running separate campaigns against fragmented data, adversaries can query one source for any combination of target email, platform, and password.

The 30 databases cover virtually every major online platform: Apple, Google, Facebook, Microsoft, GitHub, and government portals are all confirmed as represented in the dataset. An enterprise and government subset of 184 million records focuses specifically on corporate systems, internal portals, VPN credentials, and developer platform accounts, making this directly actionable against business targets.

Through May 2026, portions of the compilation continue to circulate on underground markets. Infostealer operators feed new logs into the ecosystem daily, meaning the overall pool of available credentials expands continuously rather than representing a fixed historical dataset.

How Infostealer Malware Feeds Dark Web Credential Markets

Infostealer malware is software designed to silently extract credentials, session cookies, and authentication tokens from infected devices without triggering visible symptoms. Two of the most prevalent families documented in this compilation are RedLine and Raccoon, both commercially available malware-as-a-service tools that any threat actor could license for a few hundred dollars per month on underground forums. RedLine's infrastructure was disrupted by law enforcement in October 2024 (Operation Magnus), but the logs it produced over several years remain in circulation and other families continue the same harvesting.

A typical infostealer infection begins with a drive-by download, a malicious email attachment, or a trojanized software installer. Once executed, the malware reads the browser credential stores of Chrome, Firefox, and Edge. Those stores are encrypted at rest (Chromium browsers on Windows use DPAPI, and newer builds add app-bound encryption for cookies, which raises the bar but has not stopped current stealer families), but the stealer runs in the victim's own user context and can decrypt them just as the browser does, recovering saved usernames and passwords in plain text. The malware also captures the session cookies and authentication tokens currently stored in the browser, which represent live authenticated sessions, including on platforms where the user has MFA enabled.

Security Boulevard documented the critical exploitation window: infostealer logs reach dark web markets within 48 hours of device infection. A corporate employee whose laptop is infected at 9:00 AM Monday may find their VPN credentials, Salesforce session token, and GitHub API key on a criminal marketplace by 9:00 AM Wednesday. Most organizations lack the detection capability to identify an infostealer infection within that window.

The 16 billion credentials leak represents years of accumulated infostealer output, aggregated into a resource that eliminates the operational overhead of running an infostealer campaign. An attacker purchases access to the compiled output and begins credential stuffing or session hijacking immediately.

For context on how similarly aggregated identity data circulates on dark web markets, see the 676 million SSN exposure via Infutor and Verisk, where records compiled without authorization became an immediately actionable attack resource.


Scope: Which Platforms and Organizations Face the Highest Exposure?

The 16 billion credentials compilation covers every major platform category: consumer accounts (Google, Apple, Facebook), professional platforms (GitHub, LinkedIn, Microsoft 365), security infrastructure (VPN credentials, firewall management portals), developer tooling (npm, Docker Hub, AWS access keys), and government portals.

The 184 million enterprise and government-focused records represent the highest-risk subset for corporate security teams. This subset specifically targets credentials for internal business systems — credentials that are far less likely to have been reset after historical breaches because organizations often do not know which specific credentials appear in aggregated compilations.

Any organization whose employees use corporate email addresses for personal accounts on major platforms faces elevated exposure. Credential stuffing tools automatically test every email-password combination across hundreds of target sites simultaneously. A reused password that appears in the 16 billion compilation will be tested against the target organization's VPN login, cloud console, and email portal within hours of the credentials being purchased.

GitHub and cloud platform credentials carry the highest downstream impact. A single valid API key or developer token in the dataset provides access to source code repositories and production infrastructure, and because such tokens authenticate outside the interactive sign-in path they do not appear in the same logs as user logins and must be audited separately. Credential stuffing, by contrast, is visible in Microsoft Entra ID or Google Admin sign-in logs as bursts of failed logins against many distinct accounts from a small set of source IPs, often in residential proxy ranges; monitoring configured to flag that pattern will surface the hits.

Are the 16 Billion Credentials Still Active? Understanding Data Freshness

The central question organizations need to answer is whether these credentials are still valid.

Plain-text username and password pairs are dangerous only if the password has not been changed since the original infostealer infection. Organizations that forced resets after known breaches will have neutralized part of their exposure; organizations that never did remain fully exposed. One caveat: a reset performed on a device that is still infected is captured and sold again, so rotation is only effective once the endpoint is clean.

Session tokens and authentication cookies represent a separate and more immediate risk category. Whether a password change invalidates existing sessions is platform-dependent: some services sign the user out everywhere on a reset, but many do not, and long-lived refresh tokens and persistent cookies survive until they are explicitly revoked or reach their natural expiry. A session token captured by an infostealer in 2025 may therefore still be valid today if the underlying session has not been terminated. Google Workspace, Apple, Facebook, and enterprise SaaS platforms all issue session tokens that persist for weeks or months without explicit revocation.

The compilation is not a static historical artifact. Infostealer operators continued adding fresh logs to the dark web ecosystem throughout 2025 and into 2026, meaning a subset of the 16 billion records reflects infections from within the past six months. Security researchers at InfoStealers.com confirmed that "many of these credentials are likely years old, already circulating on the dark web, and no longer valid," while also noting that the active session tokens and recent infostealer logs represent immediately usable attack material.

The practical response: treat every credential match as active until proven otherwise, revoke all sessions, and rotate passwords regardless of assumed data age.
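Whether a password reset evicts a stolen session comes down to one server-side design decision: is each session tied to the credential version that was current when it was issued? The following is an added example, not code from the article, from Cybernews, or from any platform's implementation. It is a minimal in-memory session store written two ways: the naive way, in which a captured token outlives a reset and only the TTL ends the exposure, and the strict way, in which every token issued before the last password change is rejected. The names SessionStore, cred_version, the sample users and passwords are assumptions for illustration. On real platforms the equivalent of revoke_all_sessions is an admin action (for example Microsoft Graph's POST /users/{id}/revokeSignInSessions or the Google Admin SDK's users.signOut); neither is called here.

```python
import hashlib
import secrets
import time


class SessionStore:
    """Minimal server-side session model (an assumed design, not any real platform's).

    strict=False reproduces the behaviour the section above warns about: a session
    token stays valid after a password reset until it expires naturally.
    strict=True records the credential version current when each token was issued
    and rejects tokens issued before the last reset, so a reset evicts old sessions.
    """

    def __init__(self, ttl_seconds=14 * 24 * 3600, strict=True, clock=time.time):
        self.ttl = ttl_seconds
        self.strict = strict
        self.clock = clock    # injectable so expiry can be shown without waiting
        self.users = {}       # user -> {"salt", "hash", "cred_version"}
        self.sessions = {}    # token -> {"user", "issued_at", "cred_version"}

    @staticmethod
    def _hash(password, salt):
        # PBKDF2 keeps the example dependency-free; prefer argon2id or bcrypt in production.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = {"salt": salt, "hash": self._hash(password, salt),
                            "cred_version": 0}

    def login(self, user, password):
        """Return the bearer token a browser keeps as a cookie: the artifact a stealer copies."""
        u = self.users.get(user)
        if u is None or not secrets.compare_digest(u["hash"], self._hash(password, u["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "issued_at": self.clock(),
                                "cred_version": u["cred_version"]}
        return token

    def authenticate(self, token):
        """Return the user a presented token authenticates, or None."""
        s = self.sessions.get(token)
        if s is None or self.clock() - s["issued_at"] > self.ttl:
            return None
        if self.strict and s["cred_version"] != self.users[s["user"]]["cred_version"]:
            return None   # issued before the most recent password change
        return s["user"]

    def change_password(self, user, new_password):
        u = self.users[user]
        u["salt"] = secrets.token_bytes(16)
        u["hash"] = self._hash(new_password, u["salt"])
        u["cred_version"] += 1   # authenticate() ignores this when strict=False

    def revoke_all_sessions(self, user):
        """Explicit 'sign out everywhere': drops every session for the user in either mode."""
        self.sessions = {t: s for t, s in self.sessions.items() if s["user"] != user}


def stolen_token_after_reset(strict):
    """A stealer copies Alice's cookie; she later resets her password. Does the cookie still work?"""
    store = SessionStore(strict=strict)
    store.register("alice@corp.example", "Winter2025!")
    stolen = store.login("alice@corp.example", "Winter2025!")
    store.change_password("alice@corp.example", "correct horse battery staple")
    return store.authenticate(stolen)   # naive store: still Alice; strict store: None


def stolen_token_after_revoke():
    """Explicit revocation evicts the stolen cookie even from the naive store."""
    store = SessionStore(strict=False)
    store.register("alice@corp.example", "Winter2025!")
    stolen = store.login("alice@corp.example", "Winter2025!")
    store.revoke_all_sessions("alice@corp.example")
    return store.authenticate(stolen)


def stolen_token_after_expiry():
    """Without reset or revocation, only the session TTL ends the exposure."""
    now = [1_700_000_000.0]   # constructed clock value
    store = SessionStore(ttl_seconds=3600, strict=False, clock=lambda: now[0])
    store.register("bob@corp.example", "Spring2025!")
    stolen = store.login("bob@corp.example", "Spring2025!")
    before = store.authenticate(stolen)
    now[0] += 3601
    return before, store.authenticate(stolen)


if __name__ == "__main__":
    print("naive store, after reset :", stolen_token_after_reset(strict=False))
    print("strict store, after reset:", stolen_token_after_reset(strict=True))
    print("naive store, after revoke:", stolen_token_after_revoke())
    print("before / after TTL       :", stolen_token_after_expiry())
```

The strict store needs no list of outstanding tokens to evict a stolen one: it compares a version number on every request, which is why "revoke all sessions" can be instantaneous on platforms that implement it this way and why a password reset on a platform that does not is no protection at all.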

How Attackers Use Stolen Credentials: Credential Stuffing, Session Hijacking, and MFA Fatigue

Three attack techniques dominate the exploitation of large credential compilations like the 16 billion credentials leak.

Credential stuffing is the highest-volume technique. Automated tools test every email-password combination from the compilation against target login portals, using residential proxy networks to distribute requests across millions of IP addresses. This evades rate limiting and IP-based blocking. F5 researchers documented that nearly one in three login attempts across monitored enterprise environments in 2026 use credentials sourced from known leaked compilations. The attack is fully automated: once credentials are purchased, a threat actor configures the stuffing tool, loads the target list, and waits for confirmed hits.

Session hijacking targets the session tokens and authentication cookies captured by infostealer malware alongside passwords. The attacker imports the session token into a browser, bypassing any authentication flow including MFA challenges. This technique is specifically effective against Google Workspace, Microsoft 365, Salesforce, GitHub, and cloud management consoles. Session hijacking requires no brute force because the session is already authenticated.

MFA fatigue attacks target accounts where plain-text credentials are available and MFA is configured as a simple push-to-approve prompt. The attacker enters the valid username and password, triggering a push notification to the account holder's device, and repeats the login until the account holder approves one out of frustration or confusion. Push MFA without number matching remains vulnerable for any account whose password appears in the compilation. SMS codes cannot be approved by mistake in the same way, but they are phishable and exposed to SIM swapping, so neither form should protect privileged accounts; phishing-resistant methods (FIDO2 keys or passkeys) remove both paths.
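Each of the three techniques leaves a distinct signature in identity-provider sign-in telemetry. The following is an added example, not from the article or from any vendor product, that runs three detectors over constructed sign-in events: a source IP trying many distinct accounts with almost no successes (credential stuffing), one session identifier presented from two different IP and user-agent pairs with no new login between them (cookie replay), and a burst of denied push challenges ending in an approval (MFA fatigue). The event schema (ts, user, src_ip, ua, result, session_id), the thresholds, the addresses and the events themselves are assumptions or constructed data; map your IdP's export onto these fields before running it against real logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _t(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def ev(ts, user, src_ip, ua, result, session_id=None):
    """One normalised sign-in event (assumed schema; map your IdP's export onto it)."""
    return {"ts": ts, "user": user, "src_ip": src_ip, "ua": ua,
            "result": result, "session_id": session_id}


# Constructed sample telemetry; 203.0.113.x, 198.51.100.x and 192.0.2.x are documentation ranges.
EVENTS = (
    # Credential stuffing: one source IP walks a list of accounts; almost every attempt fails.
    [ev(f"2026-05-04T09:00:{i:02d}Z", f"user{i}@corp.example", "203.0.113.7",
        "Mozilla/5.0", "fail") for i in range(12)]
    + [ev("2026-05-04T09:00:12Z", "user12@corp.example", "203.0.113.7",
          "Mozilla/5.0", "success", "s-hit")]
    # Cookie replay: Alice's session id reappears from another IP and browser, no new login.
    + [ev("2026-05-04T08:00:00Z", "alice@corp.example", "198.51.100.20",
          "Chrome/124 (Windows)", "success", "s-alice"),
       ev("2026-05-04T08:45:00Z", "alice@corp.example", "192.0.2.99",
          "Firefox/125 (Linux)", "success", "s-alice")]
    # MFA fatigue: Bob gets six pushes in six minutes, denies five, then approves.
    + [ev(f"2026-05-04T10:0{i}:00Z", "bob@corp.example", "192.0.2.50",
          "Mozilla/5.0", "push_denied") for i in range(5)]
    + [ev("2026-05-04T10:05:00Z", "bob@corp.example", "192.0.2.50",
          "Mozilla/5.0", "push_approved", "s-bob")]
    # Benign: Carol signs in once from her usual device.
    + [ev("2026-05-04T07:30:00Z", "carol@corp.example", "198.51.100.21",
          "Chrome/124 (macOS)", "success", "s-carol")]
)


def find_stuffing(events, min_accounts=10, max_success_rate=0.2):
    """Source IPs that tried many distinct accounts with a low success rate.
    Returns [(src_ip, distinct_accounts, successes)]."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] in ("success", "fail"):
            by_ip[e["src_ip"]].append(e)
    hits = []
    for ip, evs in by_ip.items():
        accounts = {e["user"] for e in evs}
        successes = sum(e["result"] == "success" for e in evs)
        if len(accounts) >= min_accounts and successes / len(evs) <= max_success_rate:
            hits.append((ip, len(accounts), successes))
    return hits


def find_session_reuse(events):
    """Session ids presented from more than one (src_ip, user agent) pair: a replayed cookie.
    Returns {session_id: sorted list of (src_ip, ua)}."""
    seen = defaultdict(set)
    for e in events:
        if e["session_id"]:
            seen[e["session_id"]].add((e["src_ip"], e["ua"]))
    return {sid: sorted(pairs) for sid, pairs in seen.items() if len(pairs) > 1}


def find_mfa_fatigue(events, window=timedelta(minutes=10), min_pushes=5):
    """Users who approved a push after a burst of unapproved pushes inside `window`.
    Returns [(user, approval_ts, prior_pushes_in_window)]."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"].startswith("push_"):
            by_user[e["user"]].append(e)
    victims = []
    for user, pushes in by_user.items():
        pushes.sort(key=lambda e: _t(e["ts"]))
        for i, e in enumerate(pushes):
            if e["result"] != "push_approved":
                continue
            prior = [p for p in pushes[:i] if _t(e["ts"]) - _t(p["ts"]) <= window]
            if len(prior) + 1 >= min_pushes:
                victims.append((user, e["ts"], len(prior)))
                break
    return victims


if __name__ == "__main__":
    print("stuffing sources :", find_stuffing(EVENTS))
    print("replayed sessions:", find_session_reuse(EVENTS))
    print("MFA fatigue      :", find_mfa_fatigue(EVENTS))
```

The stuffing detector keys on the ratio of distinct accounts to successes rather than on raw failure counts, because a residential proxy pool spreads the volume thin per IP; in practice you would also aggregate by ASN or by user-agent fingerprint. The session-reuse detector is the one that catches a replayed cookie, since no password or MFA event is generated when a stolen session is presented.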

For context on how credential exposure escalates into large-scale data extortion, see the ShinyHunters breach of 45 million McGraw-Hill records, where exposed PII immediately became the basis for follow-on credential and ransom attacks.

Nearly one-third of all logins across our monitored customer environments were attempted using credentials from known breach compilations in 2026.

F5 Threat Intelligence, May 2026

Dark Web Indicators: What to Search for Right Now

Before assigning remediation work, security teams should verify whether corporate credentials appear in the accessible portions of the compilation and confirm whether active credential stuffing campaigns are already targeting organizational infrastructure.

The indicators to check cover the exposure verification chain from device infection through to active attack confirmation.


How to Verify Your Exposure and Protect Your Organization Now

Execute the steps in priority order. Prioritize session revocation and MFA hardening over password resets alone, because session tokens can remain valid after a password change; the ordered checklist is given in the FAQ under "What should organizations do after the 16 billion credentials leak?".


Why the 16 Billion Credentials Leak Matters for Your Organization

The 16 billion credentials leak confirms that the dark web now holds a searchable compilation of credentials for virtually every major platform your employees have ever used on a device that has been infected with infostealer malware. The risk is not hypothetical: F5 measured that nearly one in three enterprise login attempts in 2026 draw from this and similar compilations.

The defining risk is not just password exposure. It is session token exposure. Every employee who accessed Google Workspace, Salesforce, Microsoft 365, GitHub, or a corporate VPN from a device that was subsequently infected with an infostealer has potentially contributed active session tokens to this compilation. Those tokens pass the password and MFA checks as if the original user were present; only explicit revocation, token expiry, or binding the session to the device that created it defeats them.

Three key takeaways for immediate action: infostealer malware is the upstream source of the 16 billion credentials compilation, and endpoint detection tuned for stealer behaviour (mass reads of browser credential and cookie stores followed by exfiltration) rather than for RedLine and Raccoon signatures alone is the control that breaks the infection-to-sale pipeline at the source. Session tokens in the compilation bypass MFA; forced session revocation across all SaaS platforms is non-negotiable for any account returning a breach match. Running Have I Been Pwned domain search on your organization's email domain is the highest-priority five-minute action available to every security team today, before any attacker using credentials from this compilation attempts their next login.

The bottom line

The 16 billion credentials mega leak represents the single largest dark web credential compilation ever documented, covering every major platform with a confirmed 184 million enterprise and government records. Three key takeaways: infostealer malware is the upstream pipeline, and endpoint detection for RedLine and Raccoon breaks the cycle at the source. Session tokens in the compilation bypass MFA entirely, making forced SaaS session revocation mandatory for any exposed account. One concrete action to take before end of business today: run Have I Been Pwned domain search on every corporate email domain your organization owns, revoke sessions for every match, and enforce FIDO2 hardware keys on all privileged accounts.

Frequently asked questions

What is the 16 billion credentials leak?

The 16 billion credentials leak is a compilation of 30 separate underground datasets totaling approximately 16 billion stolen login records, first identified by Cybernews researchers in June 2025. The datasets did not originate from a single company breach. They combine years of infostealer malware logs harvested from infected personal and corporate devices, credential stuffing compilations previously circulated on hacking forums, and repackaged credentials from historical data breaches. The compilation covers credentials for Google, Apple, Facebook, GitHub, Microsoft, enterprise VPNs, developer portals, and government platforms.

How do I know if my credentials are in the 16 billion credential leak?

Run your corporate email domain through the Have I Been Pwned domain search at haveibeenpwned.com/domain-search. This checks your entire email domain against known breach compilations and returns a count of exposed addresses. For coverage of infostealer logs not indexed by HIBP, enterprise tools including BreachSense and SOCRadar Labs perform deep dark web scans that include stealer log marketplaces. Hudson Rock's Cavalier platform searches infostealer logs specifically and can surface active session tokens exfiltrated from employee devices.
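The domain search described above is a web feature; the same exposure check can be automated, and password screening against the same corpus can be built into onboarding and reset flows. The following is an added example, not code from the article or from Have I Been Pwned. It checks a password against the Pwned Passwords range API using k-anonymity (only the first five hex characters of the SHA-1 hash leave your network) and shows the request shape for the key-gated per-address breach lookup. The wrapper names (sha1_split, count_in_range, pwned_count, breached_account), the User-Agent string, and the sample range lines used in testing are assumptions or constructed data; the breached-account call needs an hibp-api-key and is only executed if you call it with one.

```python
import hashlib
import json
import urllib.error
import urllib.parse
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"
HIBP_API_URL = "https://haveibeenpwned.com/api/v3/"
USER_AGENT = "corp-exposure-check/1.0"   # assumed name; HIBP rejects requests without a UA


def sha1_split(password: str):
    """Return (prefix, suffix) of the upper-case hex SHA-1; only the 5-char prefix is sent."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse the 'SUFFIX:COUNT' lines HIBP returns for a prefix; 0 means not seen.
    Padded responses (Add-Padding: true) include decoy suffixes with count 0."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Fetch all suffixes for one 5-character prefix (no key required)."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": USER_AGENT, "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in Pwned Passwords (0 = not found).
    `fetch` is injectable so the parsing can be exercised offline."""
    prefix, suffix = sha1_split(password)
    return count_in_range(suffix, fetch(prefix))


def breached_account(email: str, api_key: str):
    """Breach names recorded for one address via the v3 breachedaccount endpoint.
    HIBP answers 404 when nothing is on record; that is returned as an empty list."""
    req = urllib.request.Request(
        HIBP_API_URL + "breachedaccount/" + urllib.parse.quote(email) + "?truncateResponse=true",
        headers={"User-Agent": USER_AGENT, "hibp-api-key": api_key},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return [b["Name"] for b in json.load(resp)]
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return []
        raise


if __name__ == "__main__":
    import getpass
    pw = getpass.getpass("Password to check (only a 5-char hash prefix is sent): ")
    n = pwned_count(pw)
    print(f"seen {n} times in Pwned Passwords" if n else "not found in Pwned Passwords")
```

A non-zero count is grounds to reject the password at set time, which is the breach-corpus screening NIST SP 800-63B recommends; the per-address lookup is what to loop over your employee directory with once you hold a key, treating every non-empty result as a candidate for the session-revocation step above.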

Is the 16 billion credential leak a new data breach?

No. Reporting from BleepingComputer and analysis from Proofpoint confirmed that the 16 billion credential compilation is not a single new breach of any one company. It is an aggregation of data collected over multiple years from infostealer malware infections, previous credential stuffing datasets, and recycled historical breaches. However, the compilation does include fresh data: infostealer operators continue adding new logs daily, meaning a subset of the 16 billion records reflects infections from 2025 and 2026. The risk is real even though there is no single responsible organization to notify.

What types of data were stolen in the 16 billion credentials mega leak?

The 30 databases contain email addresses paired with plain-text passwords captured from infected devices, service-specific credentials indicating where each login was valid, active session tokens captured from browser sessions at the time of infection, and authentication cookies for platforms including Google, Facebook, Microsoft 365, GitHub, and enterprise SaaS tools. The session tokens and authentication cookies are the most immediately dangerous data type because they represent already-authenticated sessions that bypass both password checks and multi-factor authentication.

Can stolen session tokens be used even if I have MFA enabled?

Yes. Session tokens and authentication cookies captured by infostealer malware represent an already-authenticated session. An attacker who imports a valid session token into a browser is authenticated as the account holder without entering a password or completing an MFA challenge, because the session was approved before the token was stolen. This is why forced session revocation across all platforms is a required response step when a credential match is found: changing the password alone does not reliably invalidate existing sessions, and long-lived cookies or refresh tokens may survive a reset depending on the platform.

How quickly do stolen credentials reach dark web markets after an infostealer infection?

Security Boulevard documented a 48-hour window from infostealer infection to dark web credential sale as the current average. Some operators sell logs within 24 hours of collection, and the fastest infostealer-as-a-service operations offer near-real-time log delivery to buyers. This 48-hour window means that an employee whose device is infected Monday morning may have their corporate credentials actively sold and tested against VPN portals by Wednesday morning, before most organizations complete their standard patch or incident detection cycle.

What should organizations do after the 16 billion credentials leak?

Execute these actions in priority order: run Have I Been Pwned domain search on all corporate email addresses and force-revoke all active sessions on any platform returning a match; rotate any API keys, personal access tokens, and developer secrets tied to matched accounts, since a password change does not invalidate them; deploy FIDO2 hardware security keys or passkeys on all administrator and privileged accounts to eliminate MFA fatigue and session hijacking as viable attack paths; run endpoint detection scans for infostealer artifacts, including RedLine and Raccoon, on all employee devices; review authentication logs for credential stuffing patterns from residential proxy IP ranges; and move software downloads to IT-managed repositories to block infostealer delivery via malicious installers.

Which platforms are most affected by the 16 billion credential dump?

Cybernews researchers confirmed that the compilation includes credentials for Google, Apple, Facebook, Microsoft, GitHub, enterprise VPNs, developer portals, and government platforms. The enterprise-focused subset of 184 million records specifically targets corporate infrastructure: VPN credentials, internal portal logins, Salesforce, Microsoft 365, Google Workspace, and developer platform access tokens. GitHub and cloud platform credentials are particularly high-risk because a single valid API key or developer token can provide access to source code repositories and production infrastructure without triggering standard authentication monitoring.

Sources & references

  1. Cybernews — 16 billion passwords exposed in record-breaking data breach
  2. BlackFog — The World's Largest Credential Leak Hits 16 Billion Records
  3. F5 — 16 Billion Credentials Exposed: Why This Infostealer Leak Demands a Rethink of Bot Defense
  4. InfoStealers.com — 16 Billion Credentials Leak: A Closer Look at the Hype and Reality
  5. Security Boulevard — 48 Hours: The Window Between Infostealer Infection and Dark Web Sale


Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest
