The Truth Behind the “16 Billion Passwords” Headline

Were 16 Billion Passwords from Apple, Google, and Facebook Leaked? How to Protect Yourself

Wondering if your personal information has been exposed online due to a data breach? With so much news about data breaches these days, it’s easy to panic at each new headline. Take the latest alarming report, for example. Cybernews recently ran a headline claiming 16 billion passwords were exposed in a record-breaking data breach, supposedly affecting Facebook, Google, Apple, and “any other service imaginable.” That sounds terrifying – but reading beyond the headline paints a different picture.

The Truth Behind the “16 Billion Passwords” Headline

Despite the dramatic headline, those 16 billion passwords did not come from a single massive breach of Apple, Google, Facebook, or any one company. In reality, Cybernews was referring to a collection of 30 different leaked data sets that its researchers have been monitoring since early 2025. Combined, those datasets contain a staggering 16 billion records, but they were only briefly exposed (just long enough for researchers to spot them) and not tied to one specific incident. The data appears to be a mixture of old and new leaks, including info stolen by malware (so-called infostealers), credential stuffing lists, and repackaged dumps of previously leaked credentials.

Because these leaks come from multiple sources, duplicate records are likely, meaning that “16 billion” figure is probably inflated by overlaps in the data. Furthermore, contrary to some clickbait coverage, there was no centralised breach of Facebook, Google, or Apple’s own systems in this incident. Some login credentials for those services may exist in the leaked troves (as people often reuse passwords), but those tech giants themselves weren’t directly hacked as part of this leak. As cybersecurity researcher Bob Diachenko, a contributor to the Cybernews report, clarified: Facebook, Google, and Apple were not hit by a new breach here – their users’ credentials might simply be included in these aggregated stolen login collections.

In short, the “16 billion passwords” leak is real, but it’s not a single event and not an indication that the major tech firms were breached. It is, however, a stark reminder of the sheer volume of stolen login data circulating on the web due to many separate incidents over time.

Data Breaches Are Widespread and Costly

Alarmist headlines aside, data breaches themselves are unfortunately very common – and they can impact anyone. Breaches strike every industry, sector, and country, affecting individuals, small businesses, non-profits, and Fortune 500 companies alike. According to IBM’s latest estimates, the average cost of a data breach in 2024 was about $4.9 million, a 10% increase from the previous year. That figure accounts for companies’ expenses, but for everyday people the effects of a breach can be much more personal than dollars and cents.

If you’re an individual victim of a breach, you could face targeted phishing or social engineering attacks using your leaked details, potential identity theft, or fraud affecting your financial accounts and credit. Many people experience stress, anxiety, or fear wondering how their leaked data might be misused in the future. Unfortunately, organisations don’t always inform customers promptly (or at all) when a breach happens, and it’s often on you to remain vigilant.

So, think you may have been involved in a data breach? In the next sections, we’ll show you how to find out if and when your data was exposed, and list the steps you should take next to secure your accounts.

How to Check if You’ve Been Involved in a Data Breach (and What to Do Next)

  1. Check for Notifications from Companies. If a service provider or website you use suffered a known breach, they will often contact affected users via email or letter. Look for any official communication saying your information was compromised. Keep in mind, however, that companies may take weeks or even months to notify users – and some might not notify at all, hoping to quietly handle the issue to avoid reputation damage. That’s why it’s also important to stay alert to news reports of breaches. If you hear about a breach at an organisation you use (recent examples include incidents at MCNA Dental, Dish Network, PharMerica, and Capita), don’t wait for an email – take proactive steps as described below.
  2. Use “Have I Been Pwned” to See If Your Data Leaked. One of the quickest ways to check your breach status is the free site Have I Been Pwned (HIBP), run by security expert Troy Hunt. HIBP lets you search across billions of leaked records by entering your email address (or phone number) to see if it appears in any known data breaches. If you enter your email and get a green result saying “Good news — no pwnage found!”, then your email hasn’t shown up in the major breach datasets tracked by HIBP. But if your data has been compromised, HIBP will display a red warning like “Oh no — pwned!” and list which breaches exposed your information (for example, it might show that your email and password were found in the Adobe 2013 breach, the LinkedIn 2016 breach, etc.). Check each breached site listed – especially any that included passwords – and be prepared to change those credentials.
  3. Use a Password Manager with Breach Monitoring. Good password managers don’t just store your logins – many also include breach monitoring features. For example, services like 1Password, Dashlane, NordPass, and LastPass can periodically check if any of your saved email/password combos have turned up in known leaks (often by cross-referencing HIBP’s database or dark web sources). If your password manager flags that one of your passwords was exposed, it will prompt you to change it. Using a password manager is wise for many reasons. Firstly, it allows you to use strong, unique passwords for every account – so if one account is compromised, that password won’t work to breach your other accounts (this prevents “credential stuffing” attacks using recycled passwords). Secondly, if you do reuse passwords (as many people still do), a leaked password from Service A could let attackers into your account at Service B. A password manager makes it easy to avoid reusing creds, and its breach alerts give you a heads-up to update any identical passwords you might have reused elsewhere.
  4. Consider a Credit Monitoring or Identity Protection Service. With so much personal data floating around, credit monitoring services (such as Experian’s IdentityWorks, LifeLock, or those offered by banks) have started integrating breach notifications as well. These services can alert you if your personal identifiable information (PII) – like Social Security Number, bank account, or credit card – shows up for sale on the dark web or in a new leak. Many credit agencies offer basic monitoring for free, with premium plans for more features. Even a free plan is better than nothing; it can notify you of suspicious activity (like someone trying to open a credit line in your name). Remember, even if financial info wasn’t leaked, a trove of other personal data can still enable identity theft. If you know certain sensitive information (e.g. your credit card number or bank login) was compromised in a breach, immediately contact the provider to secure the account – you might need to freeze your card, have the bank watch for fraudulent transactions, or get a new account number issued. (If your financial accounts are affected, most banks have 24/7 fraud hotlines. Don’t hesitate to use them – and consider placing a free fraud alert or credit freeze through the credit bureaus if your SSN and identity details were exposed.)
  5. Change Your Passwords — Immediately. Regardless of the breach type, a key response is to change any compromised passwords right away. In fact, even if only an email or basic info leaked, it’s good hygiene to update your important account passwords regularly (every 3–6 months, say). If a breach exposed your login credentials for a particular site, change that password and anywhere else you reused it. Use a strong, unique new password that you haven’t used before. This is where a password manager again comes in handy – you can generate a complex random password and save it, so you don’t have to memorise it. If you’ve been using the same email/password combo across multiple sites (a very common habit), a single leak could be a master key to all those accounts. For example, imagine your username and password from a breached forum were the same ones you use for your email and social media – cybercriminals could domino into those accounts next. So, don’t reuse passwords, and whenever a breach happens, make it a catalyst to improve your credentials everywhere. A strong password generator (like the one built into NordPass, pictured) can create long, complex passwords on demand. Always update compromised passwords and avoid reusing them across sites. Password manager tools make this process easier by suggesting and remembering new secure passwords for you.
  6. Enable Two-Factor Authentication (2FA) on Your Accounts. If you aren’t using two-factor auth, now’s the time to start – especially for any accounts that were involved in a breach. 2FA (also called multi-factor authentication, MFA) means that in addition to your password, a second verification step is required to log in – typically a one-time code from an authenticator app or sent to your phone. This extra layer can thwart attackers: even if they have your password, they’d also need that second factor (like access to your phone or email) to break in. While 2FA isn’t foolproof (SMS codes can be intercepted via SIM swapping, etc.), it significantly improves security. Turn on 2FA wherever possible – most banks, email providers, social networks, and major services support it in settings.
  7. Consider Investing in a Physical Security Key. For critical accounts or “hub” accounts (like your primary email, which can reset other passwords), you might upgrade your 2FA to a physical security key. Devices such as YubiKey or Google’s Titan Security Key are USB or NFC dongles that you plug in or tap to verify your identity. They implement FIDO2/WebAuthn standards and are extremely resistant to phishing. Even if an attacker somehow steals your password, without possession of your physical key they cannot satisfy the login challenge on a new device. Some services (Google’s Advanced Protection Program, for instance) require keys for the highest security. Security keys were once pricey and niche, but prices have come down and setup is more user-friendly now. It’s wise to buy at least two keys (one as a backup to store safely, and one for daily use). This way if you lose one, you’re not locked out of your accounts. Setting up a security key usually involves adding it in the 2FA settings of the account – and afterward, whenever you log in on a new browser or device, you’ll be prompted to insert or tap your key to verify it’s really you. A YubiKey hardware security key. These keys provide one of the strongest forms of 2FA, as login approval is tied to possession of the physical device. Without the key, attackers can’t access your account – even if they know your password. Many keys support USB for computers and NFC for mobile devices.
  8. Try Passkeys for a Password-Free Future. A growing number of platforms now support passkeys – a passwordless authentication method that uses cryptographic key pairs, often tied to your device or biometrics. Passkeys essentially let you log in with something like your fingerprint, face scan, or PIN (backed by a secure cryptographic exchange behind the scenes) instead of a traditional password. They are both more secure and easier to use than passwords. Companies like Apple, Google, Microsoft, and others are pushing passkeys as the next-gen login standard, and you’ll see more websites offering “log in with a passkey” options. If your favorite services support passkeys, consider setting them up; it can spare you from remembering passwords at all, while greatly reducing the risk of phishing or credential stuffing attacks. Keep in mind, passkey adoption is still ramping up – not every site has it yet – but it’s expanding quickly. For example, Google Accounts, Microsoft Accounts, and many major apps now allow passkey logins. When you enable a passkey, your device (phone or computer) will handle the authentication via biometrics or a device PIN, and the service will trust that instead of a typed password. This means even if hackers leak a database, they get no reusable passwords. It’s worth giving passkeys a try where available for a more phishing-resistant and convenient login experience.

How Do Data Breaches Happen?

Cybercriminals have a variety of tactics to steal data from companies or individuals. Here are some of the most common ways breaches occur:

  • Stolen or Compromised Credentials: One of the top entry points for attackers is simply using valid login credentials – usernames and passwords – that they obtained somehow. Hackers might buy stolen password lists on the dark web, use login details leaked in other breaches, or run automated brute-force scripts that guess weak passwords. If a company isn’t enforcing strong, unique passwords (or additional factors), a leaked password from elsewhere can let an intruder straight into their system.
  • Magecart/Web Skimming Attacks: This is a tactic where attackers inject malicious code into legitimate websites (often payment pages) to secretly skim data. For example, British Airways and Ticketmaster were hit by Magecart attacks that planted code on their checkout pages – when customers entered credit card info, the code quietly siphoned those details off to the attackers. Everything appears normal to the user, but their card data gets stolen in transit.
  • Malicious Code Injection & Formjacking: Similar to Magecart, attackers may compromise a website and insert code to collect other personal data users type into forms (not just payment info). If you’re entering data on a compromised site, your info could be copied to the attacker in real time. This means even visiting an otherwise legitimate service can result in a breach of your data if the site was hacked.
  • Business Email Compromise (BEC) Scams: In a BEC scenario, attackers impersonate someone (often a high-ranking employee or trusted partner) via email to trick a company’s staff. For instance, an attacker might infiltrate or spoof a CEO’s email and send a request to the finance department to wire money or send sensitive files. Or they might pose as a vendor and ask a customer service rep for certain account details. By social engineering employees who have access, attackers can get data or payments. BEC attacks often don’t involve malware at all – just deception and trust exploitation.
  • Insider Threats: Not all breaches are external; sometimes employees or contractors themselves leak or steal data. An insider with a grudge or lured by a bribe might copy confidential data to sell or release. There have also been cases where malicious actors recruit employees (or plants someone on the inside) to intentionally compromise systems. Insider negligence can be a factor too – for example, an employee accidentally publishing a private database or leaving sensitive files publicly accessible.
  • Negligence and Misconfigurations: A very common cause of data exposure is poor IT configuration. Companies might leave a database server open on the internet with no password, or misconfigure cloud storage (like AWS S3 buckets) to be public. These mistakes can inadvertently expose millions of records to anyone who stumbles upon them. In other cases, outdated software with known vulnerabilities provides an easy opening for hackers if security patches haven’t been applied.
  • Phishing and Spam Attacks: On the individual level, one of the biggest risks is being tricked into giving away your credentials or personal info. Phishing emails that masquerade as legitimate services can dupe people into entering their login details on fake sites, or downloading malware. If you ever receive an unsolicited email or text asking for passwords, verification codes, or personal data, be extremely skeptical – that’s likely a phish.
  • Social Engineering & Impersonation: Attackers may also target your accounts by impersonating you. For example, with enough personal info gathered from leaks, a bad actor could call your mobile provider and convince a support rep that they are you, claiming to have lost their SIM card, and get your number reassigned – this is a SIM swap attack, often used to bypass SMS 2FA and take over banking or cryptocurrency accounts. Social engineers exploit human weaknesses in customer service processes to breach accounts that way.

In summary, breaches happen through a mix of technical exploits and human trickery. This is why practicing good security habits (unique passwords, 2FA, skepticism of unsolicited requests, keeping systems updated, etc.) is so important – it reduces the chances that any single failure can lead to a full compromise.

How Do Data Breaches Impact You?

If your data has been caught up in a breach, the impact can range from merely annoying to truly devastating. Here are some potential consequences for individuals:

  • Account Takeovers: If login credentials (username/password) are leaked, criminals may attempt to log in to those accounts. If it’s an email account, they could gain access to your communications and reset passwords on other services. If it’s a social media account, they might impersonate you or scam your friends. Bank or payment accounts could be drained or used fraudulently. Attackers often use leaked credentials to take over accounts and then do further damage or theft from within.
  • Identity Theft: Breaches that expose personally identifiable information (PII) (like your name, address, date of birth, Social Security number, driver’s license, passport scans, etc.) put you at risk of identity theft. With enough of your personal details, a criminal can pretend to be you and, for instance, open credit cards or loans in your name, claim tax refunds as you, or even provide your identity if they’re arrested for a crime (leaving you with the mess). Identity theft can wreck your credit score and take years to fully untangle.
  • Financial Fraud: Obviously, if your credit card numbers or bank account numbers are breached, that financial info can be used for fraud – unauthorised charges, purchases, or transfers. Even if only partial info leaks (like just an email and password), clever attackers might use phishing or social engineering to get the remaining pieces needed to access your finances. Always keep a close eye on bank statements and set up notifications for transactions, especially after any breach incident.
  • Phishing and Targeted Scams: When criminals have some of your data (email, phone, where you have accounts, etc.), they can craft highly targeted phishing attacks. For example, after a breach of a retail site, scammers might email you posing as that retailer, referencing your recent order or personal details to gain your trust, then trick you into clicking malicious links or giving up more info. Expect an uptick in spam, scam calls, or phishing texts if your contact info leaks.
  • Reputational or Emotional Damage: Some breaches expose sensitive personal content – for instance, the infamous Ashley Madison breach in 2015 released lists of users of an adultery website. In such cases, criminals may resort to blackmail, threatening to reveal your private activities unless you pay them. Even without active blackmail, knowing that private data (like medical records or intimate photos from a leak) is out there can cause serious emotional distress.
  • Service Disruptions: If an attacker gets into one of your primary accounts, they might change your login, lock you out, or even delete your data. For example, a breached email could be used to reset all your other accounts’ passwords and effectively steal your digital life until you regain control. It’s a painful process to recover accounts and convince providers you are the real owner if someone malicious has already altered them.
  • Credit Score and Legal Headaches: Identity-related breaches can leave lasting issues. Loans opened by fraudsters in your name and left unpaid will hurt your credit. You might start getting collection notices for debts you never incurred. It can take significant time and documentation to clear your name. In worst cases, victims have been wrongly linked to crimes or debts due to identity misuse and have to fight to correct records.

In essence, once your data is loose “in the wild,” criminals can mix and match those details for all sorts of schemes. The more data about you that’s exposed, the more convincingly they can impersonate or target you. That’s why quickly taking mitigation steps (like those we outlined) is crucial to limit damage after a breach.

What Happens When an Attacker Breaches a Network?

Let’s say a hacker has successfully broken into a company’s systems – what do they typically do next? Understanding this can highlight why breaches are so serious:

  • Reconnaissance: Once inside, attackers often snoop around quietly at first. They’ll map out the network, identify where valuable data or systems are, and possibly obtain higher access privileges (through privilege escalation attacks). Think of it as a burglar finding the location of the vault inside a bank after slipping in.
  • Data Exfiltration: In many breaches, the primary goal is to steal sensitive data – customer databases, intellectual property, emails, etc. Attackers will locate these data troves and start siphoning them out, often in encrypted form to avoid detection. Some sophisticated hackers maintain stealth and exfiltrate gradually over weeks or months so as not to set off alarms.
  • Ransomware Deployment: A common modern breach outcome is ransomware. After accessing the network, attackers may deploy ransomware that encrypts the organisation’s files, essentially holding the data hostage. The attackers demand a ransom payment (often in cryptocurrency) for the decryption key. Recently, many gangs use a double-extortion tactic: they steal a copy of the data first, then encrypt it. If the victim doesn’t pay to decrypt, they additionally threaten to leak the stolen data publicly, putting more pressure on the victim to pay.
  • Maintaining Persistence: Attackers may create backdoor accounts, install malware, or leave other persistence mechanisms so they can return later. This means even if one avenue is discovered and closed, they might still have another way in unless thoroughly eradicated.
  • Sale of Access: Sometimes, one hacker group will compromise a network not to exploit it themselves but to sell that access on underground forums. There’s a whole criminal market where one person might say, “I have an active admin login to Company X’s servers for sale.” Others then buy that access to carry out their own attacks (like ransomware or espionage). It’s akin to a thief selling keys to a house rather than burglarising it themselves.
  • Disruption and Destruction: In some cases – particularly if the motive is political, retaliatory, or just malicious – the attackers might aim to disrupt operations or destroy data. This could involve wiping servers, corrupting backups, or simply causing downtime (as seen in some nation-state attacks or hacktivist incidents). Even if no data is stolen, the damage from an operational outage or data destruction can be enormous.
  • Covering Tracks: After achieving their goals, smart attackers will try to erase logs or evidence of their presence. They might delete system logs, remove the malware they used, or in the case of data theft, make it hard to trace what was taken. This complicates incident response for the victim organisation.

The bottom line is that once attackers have internal access, they have many options – none of them good for the victim. For individuals, this reinforces that when a company you deal with says they had a breach, you should assume the worst (that your data was taken) and act accordingly, because it’s often hard to know exactly what an intruder did.

What Is the Dark Web?

You’ve seen us mention the “dark web” a few times. The internet is often described in layers:

  • The Clear Web: This is the regular internet most people use daily – all the websites accessible via common browsers (Chrome, Safari, Firefox, etc.) and indexed by search engines like Google. If you can find it in a Google search and visit without special software, it’s the clear (or “surface”) web. This only constitutes a small fraction of the entire internet.
  • The Deep Web: The deep web refers to any online content that isn’t indexed by search engines and isn’t readily accessible via standard browsing. This includes things like private databases, internal company sites, webmail accounts, online banking pages – in general, content you need a specific login or URL for, rather than public pages. The deep web itself isn’t nefarious; it’s just “below the surface” – for example, your personal email inbox on Gmail is part of the deep web because it’s not publicly indexed.
  • The Dark Web: The dark web is a subsection of the deep web that is intentionally hidden and requires special software or configurations to access. The dark web often uses encryption and anonymiing networks (like Tor, The Onion Router) to hide users’ identities and locations. Web addresses on the dark web aren’t typical .com or .org URLs; they might be random strings ending in .onion (for Tor hidden services). The dark web has legitimate uses – for instance, it provides a way for people under oppressive regimes to bypass censorship and communicate safely. However, it’s also infamous for criminal activity. Marketplaces on the dark web sell things like stolen data, illegal drugs, weapons, fake IDs, and hacking tools. When your data is stolen in a breach, often the first place it ends up is on dark web forums or markets, being sold to the highest bidder.

In practice, when companies offer “dark web monitoring,” they mean they’re checking these hidden sites and forums to see if your personal info (emails, passwords, SSNs, etc.) is being circulated by criminals. The average person never needs to visit the dark web – but it’s useful to understand that a huge leak of credentials will likely be traded on the dark web, enabling further crime.

In today’s reality, data (even very sensitive data) is collected in vast quantities by companies – and not all of them protect it well. When a breach happens, typically the onus falls on individuals to deal with the fallout. Organisations might offer impacted users a token gesture like a year of free credit monitoring, but the hassle and potential harm – from monitoring your accounts, to repairing identity theft damage – is largely yours to manage.

The good news is that knowing you’ve been involved in a breach is half the battle. Armed with that knowledge, you can take the protective steps we outlined: change your passwords (and use a manager), enable 2FA, keep an eye on your financial statements, freeze credit if necessary, and be wary of suspicious messages. By maintaining strong personal cybersecurity hygiene and staying alert, you can significantly mitigate the damage that these all-too-frequent data breaches might cause. Stay safe out there – and remember, proactive protection beats panic every time.

How NSI Global can help you?

NSI Global’s Cyber Posture Consulting service helps organisations assess and elevate their overall security maturity by aligning people, processes, and technology with risk and business objectives. Contact us today for a consultation.

Secure your peace of mind