Aflac says it stopped ransomware attack launched by ‘sophisticated cybercrime group’

Insurance industry giant Aflac said it disrupted a cyberattack within hours of discovering it and is now working to determine how much data was potentially breached in the incident.

The Record from Recorded Future News

How to Lock Down the No-Code Supply Chain Attack Surface

Securing the no-code supply chain isn’t just about mitigating risks — it’s about enabling the business to innovate with confidence.

darkreading

Motors Theme Vulnerability Exploited to Hack WordPress Websites

Threat actors are exploiting a critical-severity vulnerability in Motors theme for WordPress to change arbitrary user passwords.

SecurityWeek

Godfather Android Trojan Creates Sandbox on Infected Devices

The Godfather Android trojan uses on-device virtualization to hijack legitimate applications and steal users’ funds.

SecurityWeek

New Mocha Manakin Malware Deploys NodeInitRAT via Clickfix Attack

Red Canary uncovers ‘Mocha Manakin,’ a new threat that uses paste-and-run to deliver custom NodeInitRAT malware, potentially leading to ransomware. Learn to protect your systems.

Hackread – Latest Cybersecurity, Hacking News, Tech, AI & Crypto

The world’s biggest data breach: what should folks do? | Kaspersky official blog

You’ve probably already seen the headlines “The biggest leak in human history”. The whole world is in uproar after Cybernews journalists found the logins and passwords to 16 billion accounts in the public domain — two for each inhabitant of the planet! What is this leak, and what do you need to do right now?

What’s the leak, and are my credentials there?

The original study says that the Cybernews team has been working on the topic since the beginning of the year, and in six months they’ve managed to collect 30 unsecured datasets that add up to 16 billion exposed login credentials. The largest chunk of data — 3.5 billion records — is related to the world’s Portuguese-speaking population; another 455 million records are related to Russia, and 60 million are “most likely” related to Telegram.

The database is built on the following principle: URL, followed by login and password. That’s it, nothing else. At the same time, it’s said that the data of users of all the giant services was leaked: Apple, Google, Facebook, Telegram, GitHub, etc. Surprisingly, it was passwords and not hashes that ended up in the hands of the journalists. In our study How hackers can crack your password in an hour, we detailed exactly how companies store passwords (spoiler: almost always in closed form using hashing algorithms).

The story pays special attention to the freshness of the data: journalists claim that the 16 billion doesn’t include the biggest leaks, which we wrote about on the Kaspersky Daily blog. The important question remains behind the scenes: “Where did the 16 billion freshly leaked passwords come from, and why has no one seen them except Cybernews?”. Unfortunately, the journalists haven’t provided any evidence of the existence of this database. As a result, neither Kaspersky’s experts nor anyone else has managed to analyze it, and we cannot say whether yours – or anyone else’s – data is in there.

According to Cybernews, access to the entire database was possible through the use of stealers. This seems reasonable, since this is a threat that’s gaining momentum. According to our data, the number of detected password-theft attacks worldwide increased by 21% from 2023 to 2024. Attackers are targeting both private and corporate users.

What you need to do right now

First, let’s set skepticism aside. Yes, we don’t reliably know what exactly this leak is, or whose data is in it. But that doesn’t mean you should do nothing.

The first and best recommendation is to change your passwords. There are many options for creating a new password that’s difficult for hackers to crack but easy to remember. We covered this in detail in our post Creating an unforgettable password – have a read and choose any method you prefer.

Think of a favorite line from a song or a memorable quote from a movie, and then replace, say, every second or third letter with special characters that aren’t in sequential order on the keyboard.

For example, if you’re a fan of the Harry Potter saga, you may try to use the Wingardium Leviosa charm for a good cause. Let’s try transforming this levitation charm according to the rule above while peppering it generously with special characters: Wi4ga/di0mL&vi@sa

Easy, right?

Store your passwords securely. The best solution is to use a special password manager. It will generate, securely store, and automatically fill in complex, hack-proof passwords on all your devices for you. You’ll only need to create and remember one main password, which will become a secure key to all other passwords, bank details, photos, and everything else that can be stored in Kaspersky Password Manager.

Set up two-factor authentication. Almost all popular services support 2FA in one form or another, and the presence of a second factor makes it much more difficult, if not impossible, to hack your account. Kaspersky Password Manager makes it easy to store and sync 2FA tokens, as well as generate one-time codes on either your smartphone or computer.

Remove saved passwords from browsers. Browsers are most often the culprit behind data breaches. Doubt it? Read our arguments in the article How to store passwords securely – there you’ll clearly see how hackers can swipe all the saved passwords from your browser in just a few seconds.

Protect your messenger accounts. For Telegram and WhatsApp we have a list of specific steps to take right now, before your account is hijacked.

Use passkeys wherever possible. This is the modern passwordless method of logging into accounts, which is already supported by Google, iCloud, Microsoft, Meta and others. Haven’t heard of this technology yet? Read the detailed description on our blog and follow the updates in our Telegram channel – next week we’ll tell you everything you wanted to know about passkeys: what kind of technology it is, how secure it is, who supports it, what are its advantages and disadvantages. And most importantly – we’ll give detailed step-by-step instructions on how to switch from insecure passwords to secure passkeys. And yes, you can also store, manage and sync passkeys using Kaspersky Password Manager.

Kaspersky official blog

FreeType Zero-Day Found by Meta Exploited in Paragon Spyware Attacks

WhatsApp told SecurityWeek that it linked the exploited FreeType vulnerability CVE-2025-27363 to a Paragon exploit.

SecurityWeek

Cloudflare Tunnels Abused in New Malware Campaign

A threat actor is abusing Cloudflare Tunnels for the delivery of a Python loader as part of a complex infection chain.

SecurityWeek

67 Trojanized GitHub Repositories Found in Campaign Targeting Gamers and Developers

Cybersecurity researchers have uncovered a new campaign in which the threat actors have published more than 67 GitHub repositories that claim to offer Python-based hacking tools, but deliver trojanized payloads instead.
The activity, codenamed Banana Squad by ReversingLabs, is assessed to be a continuation of a rogue Python campaign that was identified in 2023 as targeting the Python Package

The Hacker News

161,000 People Impacted by Krispy Kreme Data Breach

Krispy Kreme is sharing more information on the data breach resulting from the ransomware attack targeting the company in 2024.

SecurityWeek