Early Friday, word circulated about a massive data breach revealing 16 billion passwords, which included credentials for services such as Facebook, Google, and Apple. Some described it as the largest password leak to date, and regarding the raw numbers, that’s mostly accurate. Nevertheless, these records did not arise from a singular or recent breach; they came from numerous smaller incidents.
Data breaches are a harsh truth in the modern digital age, and some are indeed quite substantial. However, not all data exposures result from a recent cybersecurity event. As Mashable noted in our roundup of the top cybersecurity breaches of 2025, hackers frequently aggregate data from several past hacks into one large collection. This tactic is becoming increasingly prevalent in the darker corners of the internet, leading to a “greatest hits” compilation rather than a new, significant breach.
This case reflects that pattern. As reported by Bleeping Computer, the 16 billion records were likely assembled from various earlier hacks and published as a unified dataset. This data probably circulated for a period before being gathered, coming from a blend of breaches, hacks, phishing scams, and malware incidents.
This is corroborated by a tweet from vx-underground, a platform dedicated to malware and cybersecurity. “Someone took a bunch of existing leaks, assembled it all, and attached a NEW label [sic] on it.”
However, having all this data consolidated is still detrimental, as cybercriminals now have everything in one location, potentially simplifying the creation of more effective phishing schemes or facilitating identity theft.
The largest single-point data breach continues to be Yahoo’s 2016 incident, where hackers compromised data from all three billion users.
How to protect yourself from password leaks
With so many records consolidated, even if some are outdated, it’s prudent to review your online services for security. A good starting point is Have I Been Pwned, a site that reveals data breaches. Input your email address(es) to check which credentials are exposed.
We suggest changing any exposed credentials immediately and employing strong passwords, as they are more challenging to crack. Moreover, activate multi-factor authentication on every possible account, as it provides an extra security layer if your password is compromised. This should be the baseline, but there are many further steps you can take to ensure your safety online.
Do you have a story about a scam or security breach that impacted you? Share it with us. Email [email protected] with the subject line “Safety Net” or use this form. A representative from Mashable will reach out to you.