News broke today about “one of the largest data breaches in history,” sparking wide media coverage filled with warnings and fear-mongering. However, it appears to just be a compilation of previously leaked credentials stolen by infostealers, exposed in data breaches, and via credential stuffing attacks.

To be clear, this is not a new data breach, or a breach at all, and the websites involved were not recently compromised to steal these credentials.

Instead, these stolen credentials were likely circulating for some time, if not for years. It was then collected by a cybersecurity firm, researchers, or threat actors and repackaged into a database that was exposed on the Internet.

Cybernews, which discovered the briefly exposed datasets of compiled credentials, stated it was stored in a format commonly associated with infostealer malware, though they did not share samples

An infostealer is malware that attempts to steal credentials, cryptocurrency wallets, and other data from an infected device. Over the years, infostealers have become a massive problem, leading to breaches worldwide.

These types of malware impact both Windows and Macs, and when executed, will gather all the credentials it can find stored on a device and save them in what is called a “log.”

An infostealer log is generally an archive containing numerous text files and other stolen data. The text files contain lists of credentials stolen from browsers, files, and other applications.

Stolen credentials are usually saved one per line in the following format:

URL:username:password

Sometimes, the delimiter between each component is changed to a comma, semicolon, or dash.

For example, the following is how an infostealer will save credentials stolen from a device to a log:

https://www.facebook.com/:jsmith@example.com:Databr3achFUd!
https://www.bank.com/login.php:jsmith:SkyIsFa11ing#
https://x.com/i/flow/login:jsmith@example.com:StayCalmCarryOn

If someone is infected with an infostealer and has a thousand credentials saved in their browser, the infostealer will steal them all and store them in the log. These logs are then uploaded to the threat actor, where the credentials can be used for further attacks or sold on cybercrime marketplaces.

The infostealer problem has gotten so bad and pervasive that compromised credentials have become one of the most common ways for threat actors to breach networks.

We have a webinar next month titled “Stolen credentials: The New Front Door to Your Network” that focuses on infostealers, compromised credentials, and how organizations can protect themselves.

This problem has also led law enforcement worldwide to actively crack down on these cybercrime operations in recent actions, such as “Operation Secure” and the disruption of LummaStealer.

As infostealers have become so abundant and commonly used, threat actors release massive compilations for free on Telegram, Pastebin, and Discord to gain reputation among the cybercrime community or as teasers to paid offerings.

To see how many passwords are given away for free, the single 1,261.4 MB file in the image above contained over 64,000 credential pairs.

There are thousands, if not hundreds of thousands, of similarly leaked archives being shared online, resulting in billions of credentials records released for free.

Many of these free archives were likely compiled into the massive database that was briefly exposed and seen by Cybernews.

Similar credential collections were released in the past, such as the RockYou2024 leak, with over 9 billion records, and “Colection #1,” which contained over 22 million unique passwords.

Despite the buzz, there’s no evidence this compilation contains new or previously unseen data

What should you do?

So, now that you know there was a massive leak of credentials likely stolen through infostealers, data breaches, and credential-stuffing attacks, you may be wondering what you should do.

The most important step is to adopt and maintain good cybersecurity habits you should already be following.

If you’re concerned that an infostealer might be present on your computer, scan your device with a trusted antivirus program before changing any passwords. Otherwise, newly entered credentials could be stolen as well.

Once you’re confident your system is clean, focus on improving your password hygiene.

That means using a unique, strong password for every site you use, and relying on a password manager to keep them organized and secure.

However, even unique passwords won’t help you stay protected if you are hacked, fall for a phishing attack, or install malware.

Therefore, it is crucial that you also use two-factor authentication (2FA) along with an authentication app, like Microsoft Authenticator, Google Authenticator, or Authy, to manage your 2FA codes. Some password managers, like Bitwarden and 1Password, also include authentication functionality, allowing you to use one application for both.

With 2FA enabled, even if a password at a site is compromised, threat actors cannot access the account without your 2FA code.

As a general rule, you should avoid using SMS texts to receive 2FA codes, as threat actors can conduct SIM-swapping attacks to hijack your phone number and obtain them.

As for this leak, with this many credentials leaked, there is a chance one of the readers of this article will be listed in the compilation.

However, don’t panic and stress about it, running around changing all your passwords. Instead, take this opportunity to improve your cybersecurity habits.

To check if your credentials have appeared in known breaches, consider using services like Have I Been Pwned.

And if you use the same password across multiple sites, now is the time to switch to unique ones.

That way, leaks like this become far less dangerous to you.

Update 6/20/25 10:08 PM EST: Article updated to clarify that this was multiple datasets found rather than a single database and to remove “mother of all breaches,” as that was to describe the other compilation discovered in 2024.