{"id":53670,"date":"2025-06-20T07:31:26","date_gmt":"2025-06-20T11:31:26","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=53670"},"modified":"2025-06-20T07:31:26","modified_gmt":"2025-06-20T11:31:26","slug":"16-billion-passwords-leak-2","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/16-billion-passwords-leak-2\/53670\/","title":{"rendered":"16 billion passwords leaked: what should I do?"},"content":{"rendered":"<p>You\u2019ve probably already seen the headlines <em>\u201cThe biggest leak in human history\u201d<\/em>. The whole world is in uproar after <a href=\"https:\/\/cybernews.com\/security\/billions-credentials-exposed-infostealers-data-leak\/\" target=\"_blank\" rel=\"nofollow noopener\">Cybernews<\/a> journalists found the logins and passwords to 16 billion accounts in the public domain \u2014 two for each inhabitant of the planet! What is this leak, and what do you need to do right now?<\/p>\n<h2>What\u2019s the leak, and are my credentials there?<\/h2>\n<p>The original study says that the Cybernews team has been working on the topic since the beginning of the year, and in six months they\u2019ve managed to collect 30 unsecured datasets that add up to 16 billion exposed login credentials. The largest chunk of data \u2014 3.5 billion records \u2014 is related to the world\u2019s Portuguese-speaking population; another 455 million records are related to Russia, and 60 million are \u201cmost likely\u201d related to Telegram.<\/p>\n<p>The database is built on the following principle: URL, followed by login and password. That\u2019s it, nothing else. At the same time, it\u2019s said that the data of users of all the giant services was leaked: Apple, Google, Facebook, Telegram, GitHub, etc. Surprisingly, it was passwords and not <a href=\"https:\/\/en.wikipedia.org\/wiki\/Hash_function\" target=\"_blank\" rel=\"nofollow noopener\">hashes<\/a> that ended up in the hands of the journalists. 
In our study <a href=\"https:\/\/www.kaspersky.com\/blog\/password-can-be-hacked-in-one-hour\/51469\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>How hackers can crack your password in an hour<\/strong><\/a>, we detailed <a href=\"https:\/\/www.kaspersky.com\/blog\/password-can-be-hacked-in-one-hour\/51469\/#:~:text=The%20usual%20way%20to%20crack%20passwords\" target=\"_blank\" rel=\"noopener nofollow\">exactly how companies store passwords<\/a> (spoiler: almost always in closed form using hashing algorithms).<\/p>\n<p>The story pays special attention to the freshness of the data: journalists claim that the 16 billion doesn\u2019t include the <a href=\"https:\/\/www.kaspersky.com\/blog\/top-five-data-breaches-in-history\/52040\/\" target=\"_blank\" rel=\"noopener nofollow\">biggest leaks, which we wrote about on the Kaspersky Daily blog<\/a>. The important question remains behind the scenes: <em>\u201cWhere did the 16 billion freshly leaked passwords come from, and why has no one seen them except Cybernews?\u201d. <\/em>Unfortunately, the journalists haven\u2019t provided any evidence of the existence of this database. Therefore, neither Kaspersky\u2019s experts nor anyone else has managed to analyze it. As a result, we cannot say whether your data \u2013 or anyone else\u2019s \u2013 is in there.<\/p>\n<p>According to Cybernews, accessing the entire database was possible through the use of <a href=\"https:\/\/www.kaspersky.com\/blog\/tag\/stealers\" target=\"_blank\" rel=\"noopener nofollow\">stealers<\/a>. This seems reasonable, since this is a threat that\u2019s gaining momentum. According to our data, the number of detected password-theft attacks worldwide increased by 21% from 2023 to 2024. Attackers are targeting both private and corporate users.<\/p>\n<h2>What you need to do right now<\/h2>\n<p>First, let\u2019s set skepticism aside. Yes, we don\u2019t reliably know what exactly this leak is, or whose data is in it. 
But that doesn\u2019t mean you should do nothing.<\/p>\n<p>The first and best recommendation is to <strong>change your passwords<\/strong>. There are many options for creating a new password that\u2019s difficult for hackers to crack but easy to remember. We covered this in detail in our post <a href=\"https:\/\/www.kaspersky.com\/blog\/international-password-day-2025\/53355\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>Creating an unforgettable password<\/strong><\/a> \u2013 have a read and choose any method you prefer.<\/p>\n<blockquote><p>Think of a favorite line from a song or a memorable quote from a movie, and then replace, say, every second or third letter with special characters that aren\u2019t in sequential order on the keyboard.<\/p>\n<p>For example, if you\u2019re a fan of the\u00a0Harry Potter saga, you may try to use the\u00a0Wingardium Leviosa\u00a0charm for a good cause. Let\u2019s try transforming this levitation charm according to the rule above while peppering it generously with special characters: Wi4ga\/di0mL&amp;vi@sa<\/p>\n<p>Easy, right?<\/p><\/blockquote>\n<p><strong>Store your passwords securely. <\/strong>The best solution is to use a <a href=\"https:\/\/www.kaspersky.com\/password-manager?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener nofollow\">special password manager<\/a>. It will generate, securely store, and automatically fill in complex, hack-proof passwords on all your devices for you. 
You\u2019ll only need to create and remember one main password, which will become a secure key to all other passwords, bank details, photos, and everything else that can be stored in <a href=\"https:\/\/www.kaspersky.com\/password-manager?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Password Manager<\/a>.<\/p>\n<p><strong>Set up <\/strong><a href=\"https:\/\/www.kaspersky.com\/blog\/what-is-two-factor-authentication\/48289\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>two-factor authentication<\/strong><\/a><strong>. <\/strong>Almost all popular services support 2FA in one form or another, and the presence of a second factor makes it much more difficult, if not impossible, to hack your account. <a href=\"https:\/\/www.kaspersky.com\/password-manager?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Password Manager<\/a> makes it easy to store and sync 2FA tokens, as well as generate one-time codes on either your smartphone or computer.<\/p>\n<p><strong>Remove saved passwords from browsers.<\/strong> Browsers are most often the culprit behind data breaches. Doubt it? Read our arguments in the article <a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-store-passwords-securely\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>How to store passwords securely<\/strong><\/a> \u2013 there you\u2019ll clearly see how hackers can swipe all the saved passwords from your browser in just a few seconds.<\/p>\n<p><strong>Protect your messenger accounts. 
<\/strong>For Telegram and WhatsApp we have a <a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-prevent-whatsapp-telegram-account-hijacking-and-quishing\/53012\/#:~:text=How%20to%20protect%20yourself%20from%20WhatsApp%20and%20Telegram%20account%20hijacking\" target=\"_blank\" rel=\"noopener nofollow\">list of specific steps <\/a>to take right now, before your account is hijacked.<\/p>\n<p><strong>Use passkeys wherever possible. <\/strong>This is the modern passwordless method of logging into accounts, which is already supported by Google, iCloud, Microsoft, Meta and others. Haven\u2019t heard of this technology yet? <a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-set-up-passkeys-in-google-account\/49515\/\" target=\"_blank\" rel=\"noopener nofollow\">Read the detailed description<\/a> on our blog and follow the updates <a href=\"https:\/\/t.me\/+hfDEDRUTiLJlOGE8\" target=\"_blank\" rel=\"noopener nofollow\">in our Telegram channel<\/a> \u2013 next week we\u2019ll tell you everything you wanted to know about passkeys: what kind of technology it is, how secure it is, who supports it, what are its advantages and disadvantages. And most importantly \u2013 we\u2019ll give detailed step-by-step instructions on how to switch from insecure passwords to secure passkeys. 
And yes, you can also store, manage and sync passkeys using <a href=\"https:\/\/www.kaspersky.com\/password-manager?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Password Manager<\/a>.<\/p>\n<blockquote><p>What else do you need to know about passwords to avoid being hacked:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/kaspersky-international-password-day-2024\/51095\/\" target=\"_blank\" rel=\"noopener nofollow\">How to create strong passwords and where to store them<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/international-password-day-2025\/53355\/\" target=\"_blank\" rel=\"noopener nofollow\">How to create an unforgettable password<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/password-can-be-hacked-in-one-hour\/51469\/\" target=\"_blank\" rel=\"noopener nofollow\">How hackers can crack your password in an hour<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/safe-email-login-tips\/52857\/\" target=\"_blank\" rel=\"noopener nofollow\">Passwords 101: don\u2019t enter your passwords just anywhere they\u2019re asked for<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/messengers-101-safety-and-privacy-advice\/53300\/\" target=\"_blank\" rel=\"noopener nofollow\">Messengers 101: safety and privacy advice<\/a><\/li>\n<\/ul>\n<\/blockquote>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kpm-download\">\n","protected":false},"excerpt":{"rendered":"<p>First, don&#8217;t panic. Second, change your passwords. What else? 
Read this blogpost to protect your accounts.<\/p>\n","protected":false},"author":2706,"featured_media":53671,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1788,2683,9],"tags":[1287,4664,82,1147,961,187,363,3244],"class_list":{"0":"post-53670","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-privacy","8":"category-threats","9":"category-tips","10":"tag-breaches","11":"tag-database","12":"tag-hacking","13":"tag-kaspersky-password-manager","14":"tag-leaks","15":"tag-passwords","16":"tag-personal-data","17":"tag-stealers"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/16-billion-passwords-leak-2\/53670\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/16-billion-passwords-leak-2\/28969\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/16-billion-passwords-leak-2\/24199\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/16-billion-passwords-leak-2\/29080\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/16-billion-passwords-leak\/39926\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/16-billion-passwords-leak-2\/22900\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/16-billion-passwords-leak\/29298\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/16-billion-passwords-leak-2\/35008\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/16-billion-passwords-leak-2\/34645\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/leaks\/","name":"leaks"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53670","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\
/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2706"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=53670"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53670\/revisions"}],"predecessor-version":[{"id":53673,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53670\/revisions\/53673"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/53671"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=53670"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=53670"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=53670"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}