This is why billions of passwords were leaked in Apple and Google breach

A trove of around 16bn passwords and usernames linked to major online platforms – including Apple, Google, Facebook, Microsoft and dozens of government services – has surfaced online, in what researchers are calling one of the largest known compilations of stolen credentials.
Initial reports caused confusion, suggesting direct breaches of platforms like Apple and Google.
However, cybersecurity analysts have clarified that the leak appears to be a large-scale aggregation of previously compromised data, much of it recently harvested through malware known as “infostealers”.
These lightweight programs are typically installed on personal devices without detection and are designed to extract login credentials, browser autofill data, and other sensitive user information.
“This breach does not involve outdated or recycled data”, argued Marko Maras, chief executive of fraud prevention firm Trustfull. “It’s fresh and actionable. That significantly increases the risk of phishing attacks and account takeovers”.
The data was compiled from multiple smaller breaches and information-stealing incidents, then consolidated into large datasets by cybercriminal groups.
In total, the breach affects a broad range of services, from commercial platforms like PayPal, Roblox and Discord, to government portals in more than 29 countries.
A weak system
What has drawn concern from security professionals is not only the volume of the data, but the visibility it gives into widespread vulnerabilities in current authentication models – particularly those that still rely primarily on passwords.
While enabling two-factor authentication, or 2FA, remains standard advice in the wake of a breach, Maras believes the situation reflects a broader issue with traditional login systems.
“Passwords and 2FA are visible points in the authentication process, and users often push back against friction”, he said. “There are other signals that can be used silently in the background to verify identity”.
Such “silent signals” include typing cadence, mouse movement patterns, and network indicators such as VPN use.
These behavioural and environmental cues are increasingly being used in fraud detection systems, particularly in the finance and payments sectors, to identify suspicious activity without requiring active input from users.
According to recent research from Cybernews, the source of the leak is not a single point of failure, but rather a coordinated packaging of data stolen via infostealer malware, credential stuffing attacks, and previously compromised databases.
One of the largest subsets of the data includes over 3.5bn entries believed to be linked to Portuguese-speaking users.
Phishing risks rise
Some experts have warned that users are now exposed to a secondary wave of risk, in the form of phishing and impersonation.
Bad actors are expected to exploit the news of the vast breach itself, using branded emails and messages that appear to come from firms like Apple or Google to prompt password resets – and trick recipients into handing over even more data.
The FBI has issued reminders that major tech firms do not reach out unsolicited to request password resets or account recovery.
Any such emails, texts or calls should be treated as suspicious.
There is no evidence so far of a breach of Apple’s, Google’s or Facebook’s internal systems. Rather, the inclusion of their login pages in infostealer logs reflects how widely used these services are – and how frequently their credentials are stored, entered or reused.
For businesses and individuals alike, the breach offers another reminder to reassess basic digital hygiene.
“Security doesn’t need to be synonymous with friction”, said Maras. “Signals exist in the background that platforms can use – they just need to be deployed more widely”.