
In June 2025, Bob Diachenko and his team at Cybernews made a big claim about a massive data breach discovery. They said they had found 16 billion exposed passwords sitting in 30 different databases. 

The passwords exposed are login credentials that people used for Google, Facebook, Apple, GitHub, Telegram, banks, and shopping sites. These companies weren’t breached themselves, but criminals had collected user passwords for these services through malware on people’s devices.

Think about what this means. Someone could be reading your emails right now. They would know where you bank, what you buy, and your mortgage balance. Since they control your email, they could reset the password for any other account you have.

How Criminals Breach Personal Data

This wasn’t any normal corporate leak. Cyber criminals have figured out an easier way to get your data. Why fight corporate security when you can steal passwords directly from people’s computers? Security researchers have documented this shift happening since January 2025.

It’s simple, too: someone clicks on a bad email link or downloads what looks like a normal app. The malware then installs hidden software on their device, collects every password saved in their browser, and sends that information back to the criminals.

According to reports, these password-stealing programs don’t cost much and work on any device: Windows, Mac, Android. You also don’t need technical skills to use them.


What This Would Mean for You

With 16 billion passwords from this massive data breach, hackers could target almost everyone on every major online platform. Most people use the same password for multiple sites, so if criminals steal a password from one place, it can unlock several of your other accounts.


Email accounts become especially valuable targets because they receive password reset links for banks, shopping sites, and your work accounts. Once criminals control someone’s email, they can access everything else.

Cyber criminals know this and specifically hunt down these big collections. With your details in hand, they create convincing phishing messages that mention your actual bank or recent purchases, making their scams strike harder and slip past defenses more easily.

But Something Didn’t Add Up

Major news outlets picked up on the report, with many warning people to change their passwords as soon as possible. It looked like a cybersecurity disaster, but online security professionals started pushing back on social media. They pointed out details that the initial coverage had missed. Bob Diachenko himself had to clarify that Apple, Google, and Facebook hadn’t been hacked.

“There was no centralized data breach at any of these companies,” he posted on X. Instead, criminals had collected passwords that people used for these services by stealing them from individual devices with malware.

This explanation helped show why experts were skeptical. Some experts suspected criminals had simply repackaged old data collections, though the researchers insisted the data was fresh. The debate showed how difficult it can be to verify these massive claims.


Security Experts Push Back

The skepticism does make sense when you look at Cybernews’ history. This wasn’t their first major finding. They had found 10 billion passwords in 2024 and 26 billion records before that in what they called the “Mother of All Breaches.”

To verify these claims, experts checked HaveIBeenPwned, a website that tracks data breaches. It showed no major new incidents in recent months that came close to 16 billion records. The most recent entry was a breach from a South American platform in May 2025, but nothing approaching this scale.

Screenshot of the Have I Been Pwned website showing the dark-themed interface with breach statistics displaying 891 total breaches and 14.99 billion pwned accounts, along with a data table listing recent security incidents.
Credit: haveibeenpwned

Even the largest breach ever recorded by HaveIBeenPwned, ‘Collection Number 1’ from 2019, contained 773 million unique email addresses and was also a compilation from multiple sources rather than a single corporate breach.

What This Means for You

Whether this was freshly stolen passwords or a collection of old data doesn’t change the basic facts. Criminals buy and sell stolen login information, and they could target your accounts next.

The methods Cybernews described in the reports are real. Criminals sell password-stealing software cheaply, and criminals operate websites that buy and sell stolen data every day. These aren’t made-up threats.

You can, however, protect yourself with simple steps: Use different passwords for important accounts like email and banking. Turn on extra security features when websites offer them. Consider using a password manager to create and remember your strong passwords.

Don’t let questions about this specific report stop you from taking action. You can check if your email has appeared in known breaches by searching it on HaveIBeenPwned. The ways criminals steal passwords are known and proven, regardless of how big any particular discovery was.

Taking Reasonable Action

Use a password manager like Bitwarden or Proton Pass. These cost about as much as a streaming service and will stop you from reusing passwords across multiple sites. When websites offer extra security steps, turn them on, and avoid obvious passwords like ‘123456’ or ‘password.’ Some services are also starting to offer passkeys, a newer technology that could eventually replace passwords entirely.

Just as important is being careful with what you download and click, since people install malware when they click suspicious links or download apps from untrusted sources.

You can also find out if your accounts have been leaked before by checking websites like HaveIBeenPwned, which let you search your email address to see if it appears in known data breaches. If it does, change those passwords immediately.
