Recently, a story circulated online claiming that a “record-breaking” data breach exposed 16 billion passwords. While the number sounds alarming, cybersecurity experts clarify that this isn’t a fresh mega-hack but an extensive collection of previously leaked data combined into one massive package. Despite this, the message about password safety still stands strong.
The initial report came from Cybernews, an outlet that has reported on massive password compilations before, such as a 10 billion password leak last year and an even larger 26 billion record leak earlier. These figures can be misleading because they often represent combined collections rather than new breaches.
Security researcher Bob Diachenko explained on X that the 16 billion figure comes from multiple sources merged together. So, instead of a single hack hitting 16 billion accounts at once, this is more like a “greatest hits” compilation of many minor leaks over the years. The cybersecurity group vx-underground also weighed in, noting that it’s common for threat actors to assemble such packages from previously compromised data.
This is NOT a single source. It's not about the number (scary!), but the scale and rise of infostealers infections today. What this number reflects is the size of different infostealers logs exposed publicly since the beginning of this year alone. https://t.co/L1gPBeE2pu
— Bob Diachenko 🇺🇦 (@MayhemDayOne) June 20, 2025
Interestingly, if 16 billion accounts had been breached recently, why haven’t major companies like Apple, Google, or Facebook made announcements? They’re notably silent, while much of the discussion appears on social media and news outlets, sometimes accompanied by conspiracy theories about government involvement. The truth is probably less dramatic.
No.
It's common for Threat Actors to take collections of compromised websites and assemble them into packages. There are many packages available.
The thing CyberNews discussed was a new "pack" which contains 16,000,000,000 records. This is true, a new "package" does exist.…
— vx-underground (@vxunderground) June 19, 2025
Another source, Infostealers, claims there is no evidence of a mass infection that could explain such a large new breach, suggesting the data may include recycled or fabricated entries. Essentially, the package is old data repackaged, not a sign of a new massive hack.
If you want to check whether your accounts have been compromised recently, haveibeenpwned.com is a dependable resource. Their latest noted breach was the Ualabee breach in May 2025, involving around 450,000 records, far from billions. The most extensive collection listed is “Collection #1,” a similar compilation posted in 2019.
So, should you panic? Not exactly. But it is a reminder to avoid using the same password across multiple sites. If hackers get hold of one password from an old breach, they might try it on other accounts. I recommend using a password manager like Bitwarden or Proton Pass to keep your credentials distinct, and turning on two-factor authentication where possible.
And please, don’t use easy-to-guess passwords like ‘123456’ or ‘password’; those still top lists like NordPass’s yearly report. Believe it or not, I used to reuse passwords, too, and while I managed to keep my RuneScape account safe, I did lose an Adventure Quest login to hackers. Yikes! Don’t let that happen to you.