Security researchers have uncovered what appears as “one of the largest data breaches in history,” containing over 16 billion logins that include Apple accounts. The researchers told Cybernews that the stolen data provides cybercriminals “unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing”.

In May, Wired reported the presence of a “mysterious database” containing 184 million records. These were found to be sitting unprotected on a web server. The latest research highlights that the database might just be the tip of the iceberg.

largest data breaches

As of now, the researchers have uncovered 30 datasets, with each of them containing up to 3.5 billion records. The information, which includes social media and VPN logins as well as corporate and developer platforms, is contained in datasets that have been uncovered since the start of 2025.

Also read: Your smartwatch can be used to steal secured data- How ‘smartAttack’ works

‘Blueprint for mass exploitation’

The researchers told Cybernews that it is not just a leak, but a “blueprint for mass exploitation”. They have pointed out that a concerning aspect here is the “structure and recency of these datasets,” adding that these were not old breaches getting recycled. “This is fresh, weaponizable intelligence at scale,” they said.

The information in the leaked datasets opens gates towards several online services, such as Apple, Facebook, Google, GitHub, Telegram as well as various government services, the report said.

Researchers suggest that credential leaks at this scale can work largest data breaches as fuel for phishing campaigns, account takeovers and business email compromise (BEC) attacks.

This data was found to be neatly compiled, with different URLs, usernames and passwords indexed and presented altogether.

One of the datasets, having more than 455 million records, was named to “indicate its origins in the Russian Federation,” while another one having more than 60 million records, was named after Telegram. The report added that most of these were “temporarily accessible” via unsecured Elasticsearch or object storage instances.

FAQs

1. How to protect yourself from largest data breaches?

A highly recommended option is two-factor authentication (2FA). Here, the password is the first factor, while the second could be your authenticator app, passcode, phone call or other methods.

2. Can we reuse old passwords?

Cyber experts suggest people should avoid using old passwords again, especially for social media apps and making digital payments. Individuals should also consider deleting unused accounts.

3. What do cybercriminals do after obtaining personal credentials of people?

This provided them unprecedented access, allowing them to take over accounts for the purpose of identity theft and highly targeted phishing.