Shaki Sutharsan · CBC News

· Posted: Jun 20, 2025 9:26 PM EDT | Last Updated: 2 hours ago

A report that independent cybersecurity news outlet Cybernews published on Wednesday claimed 16 billion login credentials were exposed and compiled into datasets online, giving cybercriminals access to accounts on such online platforms as Google, Apple and Facebook.

CBC News was unable to independently verify the report, but cybersecurity experts say the incident is yet another reminder for people to regularly change their passwords and not use the same one for multiple platforms.

"About three or four times a year, take those passwords that are especially in the social platforms that you use, the places you like to go, and just change those passwords and keep them fresh," Enza Alexander, executive vice-president of ISA Cybersecurity in Toronto, said.

"Don't reuse what you used before. Use [passwords] that have characters and numbers and that are very unique."

Alexander acknowledged this can make them harder to remember, but cycling passwords on the different platforms you use makes it harder for cybercriminals to access your accounts and find indicators of your identity.

Cybernews said that duplicate records are likely to be present in the datasets, meaning it's "impossible" to determine the exact number of people whose credentials might have been exposed in the leak.

The leaked records don't appear to come from a centralized breach that targeted a specific company but rather a compilation of datasets containing login credentials that were gathered over time.

Cybernews said in its report that various infostealers are likely behind it. Infostealers are a form of malicious software that breaches a victim's device or systems to take sensitive information.

A Google spokesperson said in a statement to CBC News that the issue did not stem from a Google data breach.

Bob Diachenko, a cybersecurity researcher and Cybernews contributor who was involved in reporting the leak, posted on social media platform X noting that there was no single source of the leak.

"What this number reflects is the size of different infostealers logs exposed publicly since the beginning of this year alone," Diachenko said in the post, adding that the leak signifies the large scale of "infostealers infections" today.

Many questions remain about these leaked credentials, including whose hands the login credentials are in now. But as data breaches become increasingly common in today's world, experts continue to stress the importance of maintaining key "cyber hygiene."

How can you protect your credentials?

Alexander said that "it's difficult to understand what is accurate and what is not" about the leak, but noted that it's important for people to change their passwords if they're worried they might be affected.

She also recommended that people look at different security offerings that platforms may offer, such as logging in using a passkey rather than a password.

Some online services, like Google and Apple, allow users to sign in using a passkey as an alternative to using a password. This lets users sign into their accounts with a facial recognition scan, their fingerprint or a pin.

In its statement, Google encouraged users to use passwordless authentication methods such as passkeys, which the company said are more secure. It also suggested using tools like Google Password Manager, which will store passwords and notify users if any of their passwords have been involved in a data breach so they can take action.

"It's really important that people see if they've been affected but not overreact to the situation," Alexander said.