I'm pretty sure Facebook and Google passwords are going to be hashed right?
369548684892826 · 5h ago
So if this is real then it's got to be some widely installed keylogger?
WorldMaker · 4h ago
That's the researcher's assumption as well:
> The uniform formatting and lack of prior exposure suggest these weren’t collected passively. They were scraped or exfiltrated using active tools—most likely infostealer malware—and gathered into datasets optimized for sale or deployment.
CyberMacGyver · 4h ago
These are just recycled passwords from previous breaches. Every few weeks someone finds a largest data breach and it’s just a combo list of old stealer logs
LPisGood · 2h ago
The first sentence of the article says:
> These credentials weren’t recycled from old hacks or reposted from public breaches. They’re new, undocumented, and highly dangerous
What details? For a "senior contributer" at Forbes, the article is vague and filled with obvious typos. Doesn't appear to add anything of substance. This is just an independent chatgpt editorial that eludes to the importance of cybersecurity.
dzhiurgis · 3h ago
Where can I get it? It's always fun to impress friends and dig out their old passwords (or remind myself).
"Our team has been closely monitoring the web since the beginning of the year. So far, they’ve discovered 30 exposed datasets containing from tens of millions to over 3.5 billion records each. In total, the researchers uncovered an unimaginable 16 billion records.
...
Most of the datasets were temporarily accessible through unsecured Elasticsearch or object storage instances."
PatchworkCasino · 2h ago
It sounds like these sites might be making headlines on a technicality:
"Researchers claim that most of the data in the leaked datasets is a mix of details from stealer malware, credential stuffing sets, and repackaged leaks.
There was no way to effectively compare the data between different datasets, but it’s safe to say overlapping records are definitely present. In other words, it’s impossible to tell how many people or accounts were actually exposed."
So what they're actually saying is that in the last 6 months they've found 30 exposed databases which are not exact copies of any pre-existing leak, totaling 16 billion records before deduplication and removal of already-leaked records.
brailsafe · 4h ago
Pretty sure this is not new, details seem awfully sparse, articles being recycled
atypeoferror · 4h ago
They clearly had enough access to capture and spot-check some of this data against previous leaks. The fact that this is not mentioned doesn’t inspire much faith in this being something new and newsworthy.
> The uniform formatting and lack of prior exposure suggest these weren’t collected passively. They were scraped or exfiltrated using active tools—most likely infostealer malware—and gathered into datasets optimized for sale or deployment.
> These credentials weren’t recycled from old hacks or reposted from public breaches. They’re new, undocumented, and highly dangerous
https://www.forbes.com/sites/daveywinder/2025/06/19/16-billi...
"Our team has been closely monitoring the web since the beginning of the year. So far, they’ve discovered 30 exposed datasets containing from tens of millions to over 3.5 billion records each. In total, the researchers uncovered an unimaginable 16 billion records. ... Most of the datasets were temporarily accessible through unsecured Elasticsearch or object storage instances."
"Researchers claim that most of the data in the leaked datasets is a mix of details from stealer malware, credential stuffing sets, and repackaged leaks.
There was no way to effectively compare the data between different datasets, but it’s safe to say overlapping records are definitely present. In other words, it’s impossible to tell how many people or accounts were actually exposed."
So what they're actually saying is that in the last 6 months they've found 30 exposed databases which are not exact copies of any pre-existing leak, totaling 16 billion records before deduplication and removal of already-leaked records.