
The 16 Billion Password Leak Claim: Too Big to Believe?

By Isabella Kelly | July 4, 2025 | 6 min read


16 Billion Passwords Leaked? Sounds Fishy. Let's Break Down the Hype.

If you've ever logged in anywhere, chances are your credentials were just exposed in what was labeled the biggest data breach in history. Numerous media reports stated that more than 16 billion passwords were leaked, two for every person alive. However, while the sheer amount is mind-boggling, the real story behind it is far more complicated and perhaps less newsworthy than it may appear.

What Actually Happened

In early 2025, a team of researchers from Cybernews, led by security expert Bob Diachenko, stumbled upon an enormous trove of exposed data. Packaged into 30 different datasets grouped by various characteristics, the credentials had been left online by accident in unsecured Elasticsearch databases. Elasticsearch is a search and analytics engine built on Apache Lucene and designed to handle huge volumes of JSON-formatted data, which makes that data very easy to index and search.

After looking through it, the team determined that across the 30 indices (or datasets), more than 16 billion passwords had been leaked. However, here is the critical problem: the numbers are misleading. The find was not record-breaking in the usual sense, because the indices were mostly unrelated dumps of different things, not a single, uniform breach of one platform.

Why The Numbers Don't Add Up

Nor was everything in the leak a login credential or password-based. When samples of the indices were compared with known logs, the index people_stable_v3, which contained 3.8 billion records, did not match any previously known logs. An earlier index, known as people_stable, had been wiped by wiperware but had been recorded beforehand. The people_stable data likely came from Russian websites and held no passwords or credentials at all; instead, it included dates of birth, phone numbers, emails, and social security numbers.

Furthermore, much of this information isn't exactly new: the exposed credentials had likely been available on the dark web for many months before being packaged into these datasets. A notable example is the pair of NPD indices, data 1 and 2, which together contained 750 million credentials from the 2024 breach of National Public Data (NPD).
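The comparison described above, matching samples of each index against previously known logs, is the kind of check that separates "16 billion records" from "how many of these are actually new". The following script, an added example that is not part of the original article or of the Cybernews research, runs that check over a few constructed `email:password` lines. The index names, credentials and the "known breach" set are all made up; credential pairs are compared as SHA-256 fingerprints so that the plaintext never needs to be stored alongside the results.

```python
"""Count raw records vs. unique credentials vs. credentials not already known.

All data below is constructed for illustration; none of it comes from the
datasets discussed in the article.
"""
import hashlib

# Constructed sample indices in the common "email:password" dump format.
INDICES = {
    "index_a": [
        "Alice@Example.com:hunter2",      # same person as in index_b, different casing
        "bob@example.com:qwerty",
        "carol@example.com:letmein",
    ],
    "index_b": [
        "alice@example.com:hunter2",
        "bob@example.com:qwerty",
        "dave@example.com:pa55:word",     # password containing a colon
    ],
    "index_c": [
        "erin@example.com:summer2024",
    ],
}

# Constructed "already known" credentials, standing in for earlier breach logs.
KNOWN_BREACH_LINES = [
    "alice@example.com:hunter2",
    "bob@example.com:qwerty",
]


def normalize(line: str) -> tuple[str, str]:
    """Split an email:password line on the FIRST colon and lower-case the email.

    Splitting on the first colon keeps passwords that themselves contain ':'.
    """
    email, _, password = line.strip().partition(":")
    return email.lower(), password


def fingerprint(pair: tuple[str, str]) -> str:
    """Stable, non-reversible identifier for a credential pair."""
    return hashlib.sha256(f"{pair[0]}:{pair[1]}".encode("utf-8")).hexdigest()


def analyse(indices: dict[str, list[str]], known_lines: list[str]) -> dict:
    """Return totals that show how much the dumps add beyond what is known."""
    known = {fingerprint(normalize(line)) for line in known_lines}
    seen: set[str] = set()
    raw_total = 0
    per_index = {}
    for name, lines in indices.items():
        fps = {fingerprint(normalize(line)) for line in lines}
        raw_total += len(lines)
        per_index[name] = {
            "records": len(lines),
            "unique": len(fps),
            "already_known": len(fps & known),
        }
        seen |= fps
    return {
        "raw_total": raw_total,      # what a headline would count
        "unique": len(seen),         # after de-duplicating across indices
        "new": len(seen - known),    # not present in earlier logs
        "per_index": per_index,
    }


if __name__ == "__main__":
    result = analyse(INDICES, KNOWN_BREACH_LINES)
    print(f"raw records: {result['raw_total']}, unique: {result['unique']}, "
          f"new vs. known logs: {result['new']}")
    for name, stats in result["per_index"].items():
        print(f"  {name}: {stats}")
```

On the constructed data the headline figure is 7 records, but only 5 distinct credentials exist, and only 3 of those are not already in the "known" set. The same shape of analysis, run over real dumps, is what lets a researcher say how much of a leak is repackaged material.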

How to Protect Yourself

Even if the number was overblown, that doesn't mean the data was harmless, and you might still be affected. If there is even a slight chance you were included in the breach, change your passwords immediately. A common way to find out whether you have been part of a breach is Have I Been Pwned, which checks your data against known breaches.
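Have I Been Pwned's password check is worth understanding, because it never receives the password itself. Its Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 hash and returns every known hash suffix with that prefix, so the client finishes the match locally (a k-anonymity design). The script below is an added example, not code from the article or from Have I Been Pwned; the range response it parses is a constructed sample with made-up counts, and the network call is provided but not run, so everything here works offline.

```python
"""Check a password against a Pwned Passwords range response without sending
the password (or its full hash) anywhere.

The SAMPLE_RANGE_RESPONSE below is constructed for this example; the suffix
for "password" is real (SHA-1 of "password"), the other suffixes and all
counts are made up.
"""
import hashlib
import urllib.request

# Constructed stand-in for the body returned by
# GET https://api.pwnedpasswords.com/range/5BAA6 (format: SUFFIX:COUNT per line).
SAMPLE_RANGE_RESPONSE = """\
1E2DA1C0F8D1F5E3B8A4E6C7D9F0A1B2C3D:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
1F0AB3C4D5E6F7A8B9C0D1E2F3A4B5C6D7E:1
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix sent to
    the service and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a lookup table, ignoring blank lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times this password appears in the (supplied) range data.

    The caller is responsible for passing the range that matches the
    password's own prefix; with a mismatched range the answer is always 0.
    """
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str, user_agent: str = "example-range-check") -> str:
    """Fetch the live range for a 5-char prefix. Not called in this example."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": user_agent},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    prefix, _ = sha1_prefix_suffix("password")
    print(f"prefix sent to the service: {prefix}")
    print(f"'password' seen {breach_count('password', SAMPLE_RANGE_RESPONSE)} times (sample data)")
    # For a live check you would call: breach_count(pw, fetch_range(prefix))
```

Because only the prefix leaves the machine, the service learns nothing that identifies the password: every prefix covers hundreds of stored hashes, and the comparison against the returned suffixes happens in `breach_count`. A count greater than zero means the password has already appeared in a breach and should be replaced, regardless of how strong it looks.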

The best passwords are generally longer, contain uppercase and lowercase letters, numbers, and symbols, and do not contain strings of words or dictionary words. Similarly, avoid reusing a password across accounts. Instead, keep your passwords in a password manager so that you can access them easily while keeping them secure. However, keep in mind that even then, passwords can still be breached, so consider using additional methods as well. Two-factor authentication requires a second factor to authenticate the user, such as Microsoft's Authenticator app, which generates one-time codes that expire after a short time, making the login even more secure.