A staggering 16 billion passwords just leaked. Here’s the real danger

Earlier this week, major news appeared to break—the discovery of 16 billion login records, available as part of massive datasets, tied to services like Apple, Google, Facebook, and GitHub. But unlike many other findings of this nature, these credentials don’t appear to be the usual repackaging of already leaked information. Instead, they contain fresh data not seen before.

As detailed by Cybernews, its researchers say these passwords come from a combination of credential stuffing sets (known passwords used for credential stuffing attacks), previously leaked credentials, and data captured by infostealer malware. All told, this collection spans 30 datasets, ranging from the tens of millions to as many as 3.5 billion records each.

Hearing this report, you might think one of two things: That trying for good online security is hopeless, given how easily logins fall into the hands of attackers. Or that because these billions of credentials were only available briefly, you have little to worry about.

Nope. The real takeaway here is how easily infostealers can wreck your online security.

How to protect yourself against infostealers

Jim Martin / Foundry

Here’s the problem with infostealers: You can use strong, unique passwords. You can store them in a password manager. You can keep your vault protected by a PIN or biometrics when not in use. But if this kind of malware infiltrates your PC or phone, you lose the benefit of those security measures. Infostealer malware can capture all kinds of data from your PC or phone, including your login details.

How? Screenshots, recording what you type, and even lifting credentials straight from your browser.

The best way to defend yourself against infostealers is to not have them on your PC. It’s a two-step process:

1. Install only well-known, legitimate software. Pirated software is very common way people end up with infostealers on their devices. Compromised browser extensions is another—and it can be easy to be tricked by positive reviews or even the extension doing its advertised job. (It may perform the task, but also spy on you at the same time.) Stick to software that comes directly from the official source (e.g., Adobe or Google) and vetted by security professionals.
2. Keep your antivirus up to date: Mistakes happen—perhaps you click on the wrong link and don’t know it. Good antivirus will monitor for questionable behavior from apps, but it can only do its best work if you automatically let it update and run in the background. For most security software, this will happen by default. Change that.

OUr favorite Antivirus

Norton 360 Deluxe

Read our review

Price When Reviewed: 24,99 Euro im ersten Jahr

Best Prices Today: 9,90 € at Software-Shop.com.de | 9,90 € at your.software | 11,90 € at Softperten

You can also take two more smart steps:

1. Enable multi-factor authentication (aka two-factor authentication) on as many accounts as possible. Start with your most valuable ones, like your primary email address, financial accounts, medical records, and government accounts. Consider too any major retailers where a bad actor could rack up charges quickly, like Amazon or Best Buy. With 2FA on, attackers will have to pass a second checkpoint before gaining access to your accounts—so even if you lose your password to an infostealer, you’re not completely compromised.
2. Enable passkeys wherever possible. Passkeys are a stronger form of account authentication. A passkey can only be used by the device (or password manager) it was created for, so it can’t be shared or stolen like a password can. Worried that you could lock yourself out of your accounts if you lose your laptop, or your device gets wiped accidentally? You can still keep a strong, unique password on your account, so long as you combine it with two-factor authentication. Leave that as your backup method of login as a failsafe, but use your passkey(s) as your primary method for sign in.

Sticking to well-known apps from trusted sources and enabling two-factor authentication may sound like a drag, but such measures can save you from identity theft, scams, and account lockouts. Infostealers are no joke—you can have the strongest password in the world, but if someone knows exactly what it is, you’re defenseless.