A recent analysis by researchers at CyberNews initially pointed to a massive breach, involving 16 billion records previously slipped under the radar and representing the largest of its kind so far, but it almost immediately raised eyebrows — with skeptics believing the records were nothing new, just recycled exposures from days gone by. 

Turns out the skeptics were right—though there is still a cautious tale that should be heeded, regardless of whether the records are new or not. Initially, Cybernews researcher Aras Nazarovas and security researcher Bob Diachenko said many of the credentials from GitHub, Telegram, and government services (and some say Apple, Facebook, and Google) accounts are fresh.  

“This analysis confirms what many suspected—that massive ‘breach’ numbers often represent recycled data rather than fresh compromises,” says J Stephen Kowski, field CTO at SlashNext Email Security+. “While 16 billion sounds alarming, these credentials are essentially digital fossils from 2021-2023 stealer logs that cybercriminals have been repackaging to create artificial urgency.” 

Be that as it may, “the real concern isn’t the age of this particular dataset, but how easily bad actors can weaponize even old credentials through automated attacks that test them across multiple platforms in real-time,” says Kowski. 

Indeed, the Cybernews researchers had broached this issue, noting the exposed credential constituted “a blueprint for mass exploitation. With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing.”  

Approov CEO Ted Miracco says the breach stretches beyond exposed credentials. “It’s really about unlocking automated exploitation at scale, he says. Agentic AI systems, he explains, can leverage exposed APIs and mobile app vulnerabilities to craft “the perfect attack surfaces.” 

Apply those capabilities to the billions of credentials in circulation, and “it’s not hard for autonomous agents to systematically test, breach, and escalate,” he says. “Weak or missing mobile and API protections are an open invitation for AI-driven intrusions. This is a convergence of data theft and autonomous weaponization.” 

Of course, a first good line of defense is for users to practice better cyber hygiene — including not reusing passwords. But users are often ill-matched against cybercriminals. “The gap between people’s understanding of good security practices and the capabilities of online criminals is widening rather than narrowing,” says Ulf Lindqvist, senior technical director at SRI International. Given all the recent credential leaks and the proclivity of attackers to use AI to scale and automate their activities, he says, “it should be clear that using passwords alone is no longer safe.” 

MFA is the minimum and even that isn’t effective enough since users tire of those pesky MFA requests and attackers exploit them as well. Passkeys “can be easy to use and secure when they work, but most users don’t understand how passkeys work or how to handle changes, like when you get a new device.”  

“Technology often fails to account for the imperfections and quirks that make us human, and there are few areas where this is evident as in cybersecurity, particularly when it comes to passwords and protecting our online accounts,” says Ulf Lindqvist, Senior Technical Director at SRI.  

“Several collections of login credentials reveal one of the largest data breaches in history, totaling a humongous 16 billion exposed login credentials,” they said, noting technology often fails to account for the imperfections and quirks that make us human, and there are few areas where this is evident as in cybersecurity, particularly when it comes to passwords and protecting our online accounts”, says Ulf Lindqvist, Senior Technical Director at SRI.  

The credentials from GitHub, Telegram, and government services (and some say Apple, Facebook and Google) accounts are spread across 30 databases, including the exposure of 184 million records that prompted warnings earlier this month. Much of the information in this latest find is fresh, say Cybernews researcher Aras Nazarovas and security researcher Bob Diachenko, who discovered what they are saying is a breach. 

“This is not just a leak – it’s a blueprint for mass exploitation. With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing. What’s especially concerning is the structure and recency of these datasets – these aren’t just old breaches being recycled. This is fresh, weaponizable intelligence at scale,” CyberNews quoted the researchers as saying. 

On the upside, the researchers who discovered the records don’t think it was exposed for very long.