India

16 billion passwords leaked: Indian government issues alert with safety tips for Apple, Google, and Facebook users

By News Desk

India’s cybersecurity agency, CERT-In, has issued a critical advisory warning users about one of the largest credential leaks in recent years. According to the advisory (CTAD-2025-0024) dated June 23, 2025, approximately 16 billion login credentials have been exposed online, affecting users of Apple, Google, Facebook, Telegram, GitHub, and several VPN services.

Massive password leak highlights growing risks

The leaked dataset, compiled from at least 30 different sources, includes sensitive data stolen via infostealer malware and misconfigured, publicly accessible databases such as unsecured Elasticsearch servers.

The compromised information reportedly contains:

  • Usernames and passwords

  • Authentication tokens and session cookies

  • Metadata linking credentials to specific platforms

CERT-In warned that the breach significantly raises the risk of cybercrimes like unauthorized account access, phishing attacks, identity theft, and even ransomware campaigns.

Why this breach is particularly dangerous

The sheer scale and detail of the leak make it highly dangerous, with CERT-In outlining four key risks:

  • Credential stuffing: Attackers use stolen credentials to access accounts across multiple services.

  • Phishing & social engineering: Metadata allows for highly targeted scams.

  • Account takeovers: Cybercriminals could hijack personal, financial, and work-related accounts.

  • Ransomware & business email compromise: Stolen credentials can enable large-scale attacks on organizations.

How the data was leaked

According to CERT-In, the credentials were leaked through:

  • Infostealer malware: Malicious software that harvests saved passwords, cookies, and browser data.

  • Misconfigured databases: Publicly exposed servers made it easy for hackers to retrieve sensitive information.

Steps to protect yourself

CERT-In has advised all users to take the following precautions to secure their accounts:

  • Change your passwords immediately, especially on sensitive accounts like banking, social media, and government portals. Use strong, unique combinations of letters, numbers, and symbols for each service.

  • Enable multi-factor authentication (MFA) to add an extra layer of security. This could be via an app, SMS, or hardware token.

  • Be vigilant about phishing attacks, particularly those disguised as password reset links or urgent notices.

  • Use a trusted password manager to generate and store strong, unique passwords for each account.

The advisory serves as a reminder of the increasing need for robust cybersecurity practices in the face of growing online threats. Users are urged to act promptly to secure their data and minimize risks from this massive breach.

You might also like More from author