Credential leak affecting Google, Apple and Facebook puts billions of accounts at risk
iPhone users instructed to take immediate action to avoid data breach: 'Urgent threat'
Kurt 'The CyberGuy' Knutsson discusses Elon Musk's possible priorities as he exits his role with the White House and explains the urgent warning for iPhone users to update devices following a 'massive security gap.'
Your personal data is collected by almost every site or app you visit. The world is more data hungry than ever because it's now the most important asset, even more valuable than oil. Your shopping history is logged, your search history is captured, and your phone number, email address, and IDs are all stored. But that doesn't mean all this data is safe. If you've ever received a spam call, phishing email, or a fake support call, your personal data is out there.
And if you want proof of how poorly your data is treated, a newly uncovered database offers a stark reminder. More than 16 billion login credentials, collected from years of past data breaches, have been compiled into one of the largest aggregated archives of cybersecurity incidents ever seen, according to a report.
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join.
10 SIGNS YOUR PERSONAL DATA IS BEING SOLD ONLINE
A woman working on her laptop (Kurt "CyberGuy" Knutsson)
What you need to know about the 16 billion passwords data breach affecting Google, Apple, and Facebook
Cybernews describes the exposed database as a "blueprint for mass exploitation." The records include login credentials from popular platforms like Google, Facebook, and Apple.
Security researchers emphasize that this isn't the result of a new, single breach. Instead, it's a massive collection of previously stolen credentials from various past leaks, phishing scams, and third-party data exposures, some of which were forgotten, underreported, or re-shared.
BleepingComputer, a cybersecurity site that reviewed the archive, confirmed the data appears to be aggregated from older breaches rather than a fresh incident. This makes the scope of the exposure particularly dangerous because attackers can use this central trove for targeted attacks, including credential stuffing.
Credential stuffing becomes much easier when attackers have access to such a vast pool of usernames and passwords. This technique involves using stolen login details across multiple sites, exploiting the fact that many users reuse the same credentials. So even if your account wasn't part of a recent breach, you could still be at risk if your old credentials are part of this newly indexed compilation.
An illustration of a hacker at work (Kurt "CyberGuy" Knutsson)
DOUBLECLICKJACKING HACK TURNS DOUBLE-CLICKS INTO ACCOUNT TAKEOVERS
How Google and Meta are responding to the massive password leak
We reached out to Apple, Google and Meta for comment.
A Google spokesperson stated that this issue did not stem from a Google data breach and that Google continues to strongly encourage users to adopt more secure, passwordless authentication methods, such as passkey. They also suggest using tools like Google Password Manager, which securely stores your passwords and notifies you when they’ve been involved in a breach, allowing you to take immediate action.
A rep from Meta said, "We don’t have a statement to share at this time as we’re still looking into this," but did offer some tips to secure your account, a security check-up tool, and the introduction of passkeys on Facebook.
We did not hear back from Apple before our deadline.
In statements given to the media, a Google spokesperson clarified that the company was not the source of the leak. Instead of raising alarms, Google is encouraging users to adopt more secure practices. These include using passkeys, a newer form of authentication that relies on biometric data or a device PIN instead of a traditional password.
Google is also promoting its Password Manager, which alerts users if any of their stored credentials have been exposed. This tool can automatically generate strong passwords and keep them encrypted across your devices.
Meta has taken similar steps by rolling out support for passkeys on Facebook mobile apps. While adoption remains low, the company is signaling that passwordless logins are the future of secure access. These changes reflect a growing industry shift toward authentication methods that cannot be phished or reused.
We reached out to Apple, Google, and Meta for comment but did not receive a response before our deadline.
WHAT IS ARTIFICIAL INTELLIGENCE (AI)?
A Google smartphone (Kurt "CyberGuy" Knutsson)
MALWARE EXPOSES 3.9 BILLION PASSWORDS IN HUGE CYBERSECURITY THREAT
5 essential ways you can protect yourself after the Apple, Google Data breach
With credential leaks becoming a growing threat, protecting your data requires a mix of smart security habits and reliable tools. Here are five effective ways to keep your information safe.
1. Use a password manager: Infostealer malware often targets passwords saved directly in web browsers, making them easy targets. Instead of relying on your browser to store credentials, use a dedicated password manager that offers zero-knowledge architecture and military-grade encryption to keep your data safe. The best options work across all your devices and browsers, offer secure sharing, monitor for data breaches, and even generate health reports on your passwords. Get more details about my best expert-reviewed Password Managers of 2025 here.
2. Enable two-factor authentication (2FA): Even if your credentials are stolen, 2FA adds an extra layer of security by requiring a second form of verification, such as a code from an authentication app or biometric confirmation. Cybercriminals rely on stolen usernames and passwords to break into accounts, but with 2FA enabled, they cannot gain access without the additional security step. Make sure to enable 2FA on important accounts like email, banking, and work-related logins.
3. Use strong antivirus software and be cautious with downloads and links: Infostealer malware often spreads through malicious downloads, phishing emails, and fake websites. Avoid downloading software or files from untrusted sources, and always double-check links before clicking them. Attackers disguise malware as legitimate software, game cheats, or cracked applications, so it is best to stick to official websites and app stores for downloads.
The best way to safeguard yourself from malicious links is to have antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices.
4. Keep software updated: Cybercriminals exploit outdated software to deliver malware. Keeping your operating system, browsers, and security software up to date ensures that known vulnerabilities are patched. Enable automatic updates whenever possible, and install reputable antivirus or endpoint protection software that can detect and block infostealer threats before they compromise your system.
5. Consider a personal data removal service: The massive leak of 16 billion credentials shows just how far your personal information can spread and how easily it can resurface years later in aggregated hacker databases. Even if your passwords were part of an old breach, data like your name, email, phone number, or address may still be available through data broker sites. Personal data removal services can help reduce your exposure by scrubbing this information from hundreds of these sites. While no service can guarantee total removal, they drastically reduce your digital footprint, making it harder for scammers to cross-reference leaked credentials with public data to impersonate or target you. These services monitor and automatically remove your personal info over time, which gives me peace of mind in today’s threat landscape. Check out my top picks for data removal services here.
Get a free scan to find out if your personal information is already out on the web
CHAOS RANSOMWARE HITS OPTIMA TAX RELIEF, LEAKS 69GB OF DATA
Kurt’s key takeaway
Passwords are no longer enough. That is why I have always believed tech companies should phase them out entirely and require two-factor authentication across the board. Passwords, once the foundation of online identity, are now one of its weakest links. Companies like Google and Meta are already building systems that move beyond them. The tools are available. The message is clear. You do not need to wait for a breach to start taking security seriously.
Do you think tech companies are investing enough in their cybersecurity infrastructure? Let us know by writing to us at Cyberguy.com/Contact.
For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter
Ask Kurt a question or let us know what stories you'd like us to cover
Follow Kurt on his social channels
Answers to the most asked CyberGuy questions:
- What is the best way to protect your Mac, Windows, iPhone and Android devices from getting hacked?
- What is the best way to stay private, secure and anonymous while browsing the web?
- How can I get rid of robocalls with apps and data removal services?
- How do I remove my private data from the internet?
New from Kurt:
- Try CyberGuy's new games (crosswords, word searches, trivia, and more!)
- CyberGuy’s Exclusive Coupons and Deals
Copyright 2025 CyberGuy.com. All rights reserved.
Kurt "CyberGuy" Knutsson is an award-winning tech journalist who has a deep love of technology, gear and gadgets that make life better with his contributions for Fox News & FOX Business beginning mornings on "FOX & Friends." Got a tech question? Get Kurt’s free CyberGuy Newsletter, share your voice, a story idea or comment at CyberGuy.com.
