16 Billion passwords leaked worldwide: Indian government warns Apple, Google and Facebook users

The leaked data—gathered via malware and misconfigured databases—poses a major threat of identity theft, phishing, account takeovers, and ransomware attacks. Users are urged to change passwords immediately, enable multi-factor authentication, and stay vigilant.

New Delhi: CERT-In, India’s cybersecurity authority, has reportedly raised an alarm over one of the largest global password leaks to date. The advisory (CTAD-2025-0024), issued on June 23, 2025, warns that around 16 billion login credentials have been exposed, potentially affecting millions of Indian users of Apple, Facebook, Telegram, Google, GitHub and several VPN services.

Where did the leaked data come from?

As per CERT-In, the compromised credentials were sourced from over 30 data dumps, largely collected through:

Infostealer malware infecting user devices and browsers

Misconfigured databases, such as open Elasticsearch instances

The leaked trove further includes:

Usernames and passwords

Session cookies

Authentication tokens

Metadata connecting credentials to specific accounts

Why is it a serious threat?

The advisory highlights four major cyber risks resulting from the breach:

Credential stuffing: Hackers may try the same stolen login across multiple services

Phishing and social engineering: Metadata will help in creating more believable scams

Account takeovers: Hackers can hijack personal, banking, or business accounts

Business attacks: The data could be used for ransomware or email fraud targeting companies

How to protect yourself: CERT-In’s safety tips

CERT-In has reportedly recommended the following actions to safeguard your data:

Change passwords immediately, especially on email, banking and social media accounts

Enable multi-factor authentication (MFA) using apps or SMS codes

Use a password manager to create and store strong, unique passwords

Be alert to phishing emails that pretend to be security warnings and ask for a password reset; do not act on them

Act now before it's too late

With more than 16 billion credentials compromised, this breach is a major wake-up call for all internet users to think about their data security. Even if you have not yet noticed any suspicious activity, it is crucial to update passwords and secure your digital accounts today.