CERT-In Advisory
CIAD-2025-0024
Broad Credential Exposure Involving Multiple Online Services
Original Issue Date: June 23, 2025
Overview
Recently, several media outlets reported a significant exposure of approximately 16 billion login credentials, including usernames, passwords, authentication tokens and associated metadata, for platforms such as Apple, Google, Facebook, Telegram, GitHub and various virtual private network (VPN) services. Compiled from multiple unsecured datasets and infostealer malware campaigns, the collection presents a severe risk of unauthorized account access, identity theft, phishing and a range of other cyberattacks.
Impact
This credential leak may enable adversaries/threat actors to conduct:
- Credential Stuffing: Attempting stolen credentials across multiple services to gain unauthorized access.
- Phishing and Social Engineering: Leveraging metadata for targeted phishing campaigns.
- Account Takeovers: Unauthorized access to personal, financial, or organizational accounts.
- Ransomware and Business Email Compromise: Exploiting compromised credentials for financial gain or data theft.
Description
The dataset aggregates credentials from 30 separate sources, primarily obtained through infostealer malware and exposed through misconfigured, publicly accessible databases, such as unsecured Elasticsearch instances.
The exposed dataset comprises:
- Username and password pairs for services including Apple, Google, Facebook, Telegram, GitHub, and VPN services.
- Authentication tokens and session cookies, which can let an attacker resume a logged-in session without knowing the password and which may remain valid after a password change unless the service revokes active sessions.
- Metadata associating credentials with specific platforms or user profiles.
Primary data collection vectors include:
- Infostealer Malware: Malware targeting browser-stored credentials, authentication tokens, and cookies.
- Unsecured Databases: Misconfigured Elasticsearch instances and other publicly accessible databases exposing aggregated credential sets.
The availability of this data on the dark web increases the likelihood of exploitation by cybercriminals.
Recommendations to mitigate risks
It is recommended to take the following actions to mitigate the risks associated with this exposure.
For Individuals
- Update Passwords Immediately:
Change passwords for all affected services, prioritizing email, banking, social media and government portals, and do so from a device you are confident is free of malware: if an infostealer is still present, the new passwords will be stolen as well. After changing a password, use the service's "sign out of all devices" or session-revocation option so that stolen session cookies and tokens stop working. Create strong, unique passwords (minimum 12 characters, including letters, numbers and symbols), preferably generated and stored by a password manager. Never reuse a password across services, since reuse is what makes credential stuffing work. Change passwords promptly whenever a service reports a breach or you notice suspicious activity on the account.
- Enable Multi-Factor Authentication (MFA):
Activate MFA on all accounts that support it. Prefer authenticator apps or hardware tokens; use SMS-based verification only where no stronger option is offered, as SMS codes can be intercepted or redirected through SIM-swap attacks.
- Transition to Passkeys:
Where supported (e.g., Apple, Google), enable passkeys for password-less, phishing-resistant authentication using biometrics or device PINs.
- Protect Against Malware:
Run antivirus scans to detect and remove infostealer malware, and treat any credential saved in a browser on an infected device as compromised. Ensure operating systems, browsers and applications are updated to address known vulnerabilities.
For Organizations and System Administrators
- Implement Zero-Trust Security:
Enforce MFA and least-privilege access controls for all users and systems.
- Monitor and Respond to Threats:
Deploy intrusion detection systems (IDS) and Security Information and Event Management (SIEM) tools to detect unauthorized access attempts. Monitor for suspicious account activity, such as a single source attempting logins against many distinct accounts in a short period (the signature of credential stuffing), logins from unfamiliar locations or devices, and unexpected configuration changes. Force a password reset and revoke active sessions for any account that shows a successful login during such an attack.
- Secure Data Storage:
Audit databases to ensure they are not publicly accessible: bind them to internal interfaces, require authentication, and verify from outside the network that ports such as Elasticsearch's 9200 are not reachable. Never store passwords in plaintext or reversibly encrypted form; store them only as salted hashes produced by a slow password-hashing function (for example bcrypt, scrypt, Argon2 or PBKDF2), and encrypt stored tokens and other sensitive data at rest.
- Employee Training:
Conduct cybersecurity awareness training focused on phishing prevention and secure password practices.
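The credential-stuffing pattern described above (one source trying many distinct usernames in a short window) is simple to detect once authentication events are in a SIEM. The following is an added illustration written for this advisory, not code from CERT-In or from any of the affected platforms. The log format (ISO timestamp, client IP, username, OK/FAIL) and the sample events are constructed for the example; the thresholds are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login events (hypothetical format: timestamp, client IP,
# username, outcome). 203.0.113.7 sprays seven different accounts in a few
# seconds and succeeds on one; 198.51.100.4 is a legitimate user mistyping
# their own password; 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2025-06-21T09:00:01Z 203.0.113.7 alice FAIL
2025-06-21T09:00:02Z 203.0.113.7 bob FAIL
2025-06-21T09:00:02Z 203.0.113.7 carol FAIL
2025-06-21T09:00:03Z 203.0.113.7 dave FAIL
2025-06-21T09:00:03Z 203.0.113.7 erin FAIL
2025-06-21T09:00:04Z 203.0.113.7 frank OK
2025-06-21T09:00:05Z 203.0.113.7 grace FAIL
2025-06-21T09:05:00Z 198.51.100.4 alice FAIL
2025-06-21T09:05:30Z 198.51.100.4 alice FAIL
2025-06-21T09:06:00Z 198.51.100.4 alice OK
2025-06-21T09:30:00Z 192.0.2.9 bob OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse(log_text):
    """Parse log lines into (timestamp, ip, user, outcome) tuples, skipping junk."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag source IPs that attempt logins for at least min_distinct_users
    *different* usernames inside a sliding time window. Counting distinct
    users rather than raw failures keeps a single user retrying their own
    password from tripping the rule. For each flagged IP, also report which
    accounts it logged into successfully; those need a forced reset and
    session revocation."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in sorted(events):
        by_ip[ip].append((ts, user, outcome))

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            users = {u for _, u, _ in in_window}
            if len(users) >= min_distinct_users:
                successes = sorted({u for _, u, o in in_window if o == "OK"})
                alerts[ip] = {"distinct_users": len(users), "successes": successes}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse(SAMPLE_LOG)).items():
        print(f"credential stuffing from {ip}: {info['distinct_users']} accounts tried, "
              f"successful logins: {info['successes'] or 'none'}")
```

Rather than blocking on the alert alone, the useful response is the second half of the output: the accounts that actually accepted a stuffed credential are the ones whose passwords are confirmed to be in a leaked set.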
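The "secure data storage" recommendation above turns on how passwords are stored: an unsalted fast hash lets anyone who obtains the database crack it offline with precomputed tables, while a salted slow hash does not. The block below is an added example written for this advisory (not code from CERT-In or from any platform named here) showing the weak form beside a corrected one using PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count and salt length are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os

# Parameters are assumptions for this example; raise ITERATIONS as hardware allows.
ITERATIONS = 200_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def weak_store(password: str) -> str:
    """Weak: unsalted, fast hash. Two users with the same password get the same
    record, and a leaked table can be cracked with precomputed SHA-256 lists."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Corrected: per-user random salt plus a deliberately slow derivation.
    The stored record carries the algorithm, iteration count and salt so the
    parameters can be raised later without breaking verification of old records."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        ALGORITHM,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and parameters and compare
    in constant time. Malformed records are rejected rather than raising."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
        if algo != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iters), len(expected)
        )
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("hunter2")
    print("weak records collide:", weak_store("hunter2") == weak_store("hunter2"))
    print("salted records differ:", hash_password("hunter2") != record)
    print("verify correct password:", verify_password("hunter2", record))
    print("verify wrong password:", verify_password("hunter3", record))
```

Storing tokens and session cookies is a different problem: they must be recoverable for comparison, so they are encrypted (or stored as a plain hash of a high-entropy random value), not password-hashed.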
References
Cybernews
https://cybernews.com/security/billions-credentials-exposed-infostealers-data-leak/
Forbes
https://www.forbes.com/sites/daveywinder/2025/06/20/16-billion-apple-facebook-google-passwords-leaked---change-yours-now/
CERT-In
Securing social media accounts
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES02&VLCODE=CIAD-2024-0006
Preventing Online scams
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES02&VLCODE=CIAD-2024-0050
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-22902657
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India