16 Billion Password Data Leaked: These Are the Targeted Applications

Jakarta - The world of cyber security has been rocked by the discovery of an unprecedented data leak. More than 16 billion login credentials have been reported circulating, making it one of the largest incidents in history.

This report was first revealed by Cybernews and Forbes, which immediately classified it as a global cyber emergency. Experts emphasise that the circulating data is not merely a recycling of old cases, but a systematic collection of new data obtained through infostealer malware attacks.

This type of malware works by infiltrating devices without users’ knowledge, stealing login information such as usernames and passwords, and then sending it to servers controlled by the perpetrators. In this case, the leak originates from at least 30 different databases, each containing tens of millions to billions of entries.

The leaked data is neatly structured, listing digital service addresses followed by usernames and passwords. This structure makes the data highly exploitable by cybercriminals for further hacking.

Popular services such as Apple, Google, Facebook, Telegram, GitHub, and even government platforms are said to be on the list of potential targets.

In response to this leak, Google is urging its billions of users to immediately switch from passwords to more secure login methods like passkeys. The FBI has also issued warnings about suspicious SMS links suspected to be related to a large-scale phishing campaign.

Experts assess this leak as highly dangerous because it provides access to anyone, even low-level hackers, to enter digital systems simply by purchasing stolen data on the dark web.

Unlike incidents that only impact specific companies, this leak opens vulnerabilities in nearly all layers of global digital infrastructure.

“A single password leak can open the door to a person’s entire digital life,” experts said, quoted from Gulf News on Saturday (28/3/2026).

The combination of the volume, structure, and freshness of the data makes this case extremely risky. The leaked credentials are suspected to come from a combination of credential stuffing lists, repackaged old leaks, and new infostealer malware logs.

Most of the data was collected covertly, and some was even left open unintentionally until it spread to the public.

With more than 16 billion active accounts now exposed, internet users are advised to take immediate protective steps:

• Change passwords, especially for important accounts like email, banking, and cloud storage

• Use a password manager to create strong and unique passwords

• Enable two-factor authentication (2FA)

• Switch to passkeys if available

• Monitor the dark web to check if your data is being sold