16 Billion Passwords Leaked: How to Protect Your Data

Researchers from Cybernews have confirmed a massive exposure of 16 billion login credentials, an event some are calling a "password apocalypse". With a number that is roughly double the entire population of Earth, it’s easy to feel a sense of dread.
This was not a single, catastrophic hack where criminals broke into the servers of a major company like Apple, Google, or Facebook and stole everything at once. Rather, this massive collection of data was stolen over time from millions of individual people, then gathered into enormous databases for sale on the dark web.
What is the "password apocalypse"?
This breach was caused by a type of malicious software called "infostealers". Infostealer malware silently makes a copy of every saved password, scans for financial information, and even duplicates temporary session cookies.
Unlike the recycled lists of usernames and passwords from old, well-known breaches, this data is new, highly organized, and immediately "weaponizable" by criminals.
The scale of this operation is staggering: 30 separate datasets, with the total number of compromised records reaching 16 billion, including usernames, passwords, and the website URLs they belong to. Even more dangerously, the data includes session cookies and other tokens that can help criminals bypass security measures.
How the leaked data can affect you
When you log into a website using your password and MFA, the site gives your web browser a small file called a "session cookie." This cookie acts as a temporary, all-access pass that tells the website you are an authenticated user. For as long as that cookie is valid, you can navigate the site and even close and reopen your browser without logging in again.
This is where infostealers come in. The very malware that collected the 16 billion credentials is specifically designed to find and steal these session cookies from your computer. An attacker can then take your stolen cookie and place it into their own browser. When they visit the website, the site reads the cookie and grants them full access to your account, completely bypassing the login page and any MFA prompts because it thinks they are you, already logged in.
This is precisely why this particular leak is so dangerous. It’s not just about stolen passwords that can be defended against with MFA. It’s about the theft of active session tokens that render many common forms of MFA useless. It fuels the exact type of attack designed to get around our best defenses.
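The session-cookie behaviour described above, as an added example that is not part of the original article: a toy session store in which login checks the password and MFA once and every later request checks only the cookie, next to a variant that ties the session to the client context recorded at login and revokes it on mismatch. All names, the user-agent/IP-prefix heuristic and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (constructed for this example)
SESSIONS = {}  # session id -> {"user": ..., "ctx": ...}


def context_tag(user_agent: str, ip_prefix: str) -> str:
    """Keyed hash of client traits recorded at login (a coarse heuristic, not proof of device)."""
    msg = f"{user_agent}|{ip_prefix}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def login(user: str, password_ok: bool, mfa_ok: bool, user_agent: str, ip_prefix: str):
    """Password and MFA are checked here, once. Afterwards only the cookie is checked."""
    if not (password_ok and mfa_ok):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "ctx": context_tag(user_agent, ip_prefix)}
    return sid


def validate_bearer(sid: str):
    """Plain bearer check: whoever presents the cookie is treated as the user."""
    session = SESSIONS.get(sid)
    return session["user"] if session else None


def validate_bound(sid: str, user_agent: str, ip_prefix: str):
    """Bound check: a cookie presented from a different context is revoked, forcing a fresh login."""
    session = SESSIONS.get(sid)
    if session is None:
        return None
    if not hmac.compare_digest(session["ctx"], context_tag(user_agent, ip_prefix)):
        del SESSIONS[sid]  # revoke so the copied cookie and the original both stop working
        return None
    return session["user"]


def demo():
    # Constructed sample values; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
    sid = login("alice", True, True, "Firefox/128 Linux", "203.0.113")
    bearer = validate_bearer(sid)  # no MFA involved at this step
    same_ctx = validate_bound(sid, "Firefox/128 Linux", "203.0.113")
    other_ctx = validate_bound(sid, "Chrome/126 Windows", "198.51.100")
    after_revoke = validate_bearer(sid)
    return bearer, same_ctx, other_ctx, after_revoke
```

For users, the equivalent action is signing out of all sessions on an affected account, which invalidates cookies that were copied earlier.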
How to protect your personal information
The risk of having your accounts accessed by hackers includes the possibility of identity theft or an entry point for other attacks. For example, a compromised login can be used to deploy ransomware, locking up a company's or individual's entire system.
To protect yourself from further damage, you can apply a strategy cybersecurity professionals call "Defense in Depth," or layered security.
The core idea is that no single defense is perfect. Every security measure has potential weaknesses. Therefore, the goal is to build multiple barriers so that if an attacker manages to get past one layer, they are stopped by the next one.
Layer 1: Strong credentials
This is your first and most basic line of defense. It's about making the front door as tough to break down as possible. This used to just mean using a long, complex password. Today, it means moving to more modern and secure options.
- Use a Password Manager: It is nearly impossible for a person to create and remember a unique, strong password for every single online account. A password manager solves this problem. It generates highly complex passwords for you, stores them in an encrypted vault, and autofills them when you log in. You only need to remember one strong master password.
- Switch to Passkeys: Where available, use passkeys. A passkey uses your device's built-in security (like your fingerprint or face scan) to create a unique cryptographic key for each site. It's phishing-resistant and much more secure than a traditional password.
Layer 2: Smarter authentication
This is your MFA layer, but it's about choosing the right kind of lock for your gate. As we've seen, not all MFA methods are created equal. You should always choose the strongest method available for an account.
There are apps available that generate unique codes for each account you add. This means that every time you log into an account, you have to access the app and generate a one-time use code.
Layer 3: Vigilance and monitoring
This layer is about being proactive and vigilant, as data security isn't something you can "set and forget."
- Monitor Your Accounts: Regularly check your bank and credit card statements for any transactions you don't recognize.
- Check Your Credit Reports: You are entitled to a free credit report from each of the three major bureaus (Equifax, Experian, and TransUnion) every year. Review them for any accounts or inquiries you didn't authorize.
- Beware of Phishing: Be extra suspicious of unsolicited emails, texts, and phone calls. Criminals who have your data from this leak will use it to make their phishing scams sound much more convincing. They might know your name, email, and a site you use.
Pro tip: Never click on links or download attachments from an unexpected message. If you think a message might be legitimate, contact the company through its official website or phone number, not the contact information provided in the message.
Layer 4: System integrity
All your defenses are built on the foundation of your devices and software. Therefore, maintain the health and integrity of your computer and phone.
Cybercriminals and infostealers exploit known security holes in software. Companies regularly release updates, or "patches," to fix these holes. Enable automatic updates for your operating system (Windows, macOS, iOS, Android), your web browser, and all your applications.
Layer 5: Backups
Even with the best defenses, things can go wrong. Whether you're recovering from a hardware failure or a ransomware attack, having a recent, secure copy of your data is essential. A good backup strategy involves having multiple copies of your data in different locations.
Data loss isn't just physical damage
When you think of data loss, you probably picture the stomach-dropping moment of a failing hard drive or water damage. However, a data breach like this is a different kind of data loss. If you need help to save your digital assets, SalvageData's teams are equipped to handle any data crisis, physical or digital.
Contact our data recovery experts 24/7 for a free consultation. We provide a no-obligation quote, and with our 'no data, no charge' guarantee, you can be confident that you're in good hands.