‘Mother of all breaches’? The stolen credential threat is real, but the latest big dataset doesn’t change the game

Published by CyberCX Intelligence on 20 June 2025
Key Points
- On 20 June 2025, various media outlets began reporting a so-called ‘mother of all breaches’, a dataset purporting to contain over 16 billion usernames and passwords from users globally.
- This latest aggregated dataset does not materially change the overall threat level to organisations or individuals. However, it highlights a major underlying driver of cyber attacks globally.
- CyberCX has consistently warned that valid stolen credentials are a leading cause of breaches of organisations, both large and small, and of consumer financial losses.
- There are simple, practical steps organisations and individuals can take to reduce the likelihood of their credentials being stolen, and to mitigate the impacts if stolen credentials are purchased or accessed by a cyber criminal.
Background
- On 20 June 2025, various media outlets reported on a dataset purporting to contain over 16 billion credentials, stolen from individuals and organisations globally, including in Australia and New Zealand.
- It is claimed the dataset contains usernames and passwords for such services as Apple, Google, Facebook and Telegram, as well as for government accounts and other websites.
- The existence of this dataset is not a new threat, and there are simple and practical remediation and preventative measures individuals and organisations can take to protect themselves.
- CyberCX has highlighted in consecutive threat reports, including the 2025 CyberCX Threat Report, that valid credentials are a leading cause of breaches and consumer losses.
- Notably, stolen credentials are the leading initial access vector for cyber extortion incidents, such as ransomware, in our region, including for large, mature organisations.
- Stolen credentials have also caused significant harm to consumers and are commonly used by cyber criminals in ‘credential stuffing’ attacks to illegally log into an individual’s retail, banking, loyalty program, or other consumer service accounts.
- For example, in a recent campaign against Australian superannuation funds in March 2025, cyber criminals used stolen member credentials to access multiple accounts and to unlawfully transfer approximately $500,000 from customers.
- CyberCX has previously worked with law enforcement to shut down online criminal marketplaces responsible for the sale of thousands of Australian and New Zealand individuals’ accounts on loyalty and retail sites.
What is the threat posed by the latest dataset?
- Large datasets of credentials such as this latest one are commonly used by threat actors to identify usernames and passwords associated with government, enterprise and consumer accounts.
- The most significant threat related to this dataset arises where individuals have reused the same password across multiple services.
- Additionally, in highly targeted attacks, a threat actor may be able to identify patterns (such as incrementing numbers) to guess future passwords associated with compromised users.
- Using readily available online tools, it is possible for threat actors to correlate logins across services, even when different email addresses or login details are used, increasing the threat of this activity.
- For individuals, the impacts could range from losing access to your favourite video streaming platform, to financial losses from unlawful access to a retail or financial services platform, to a threat actor using your login to breach an employer’s network in order to deploy ransomware.
Where do stolen credentials come from?
- The two primary sources of stolen credentials used by cyber criminals are: (1) data breaches of online services, and (2) information stealing malware (infostealers) on user devices.
- A common historical source of large datasets of credentials has been the breach of online services. Early mass breaches of services such as MyFitnessPal (2018) and Adobe (2013) saw the release of sensitive details, often including passwords, for their customer base. More recently, the prevalence of these breaches as a source of stolen credentials has reduced as service providers better manage the security of passwords through encrypting these values at rest.
- Infostealers have been present in the cyber environment for nearly 20 years, but they are now a significant, industrialised part of the cyber crime economy. Malicious developers offer subscription access to information stealing portals, delivery mechanisms and technical support ‘as-a-service’, allowing criminals without technical ability to distribute infostealing malware. Once credentials are obtained, they can be used by the criminal deploying the malware, or sold on dedicated cyber crime forums online.
- Over time, cyber criminals compile stolen credentials into larger lists, called combination lists or ‘combolists’. These in turn are combined with other combolists and the number of credentials available in a single list rapidly climbs into the millions or, as is now the case, billions.
What should I do?
Individuals
- Don’t use browsers to save passwords; use Apple’s keychain or a third-party password manager that can be installed on all your devices – infostealers primarily work by accessing the credential stores in browsers.
- Don’t reuse passwords across multiple services – a password manager will recommend unique, complex passwords for new services and save them so you don’t need to remember them.
- Sign up for services such as Have I Been Pwned – this will alert you to what passwords may have been exposed so you can change them across all services.
- Where available, use Multi-Factor Authentication (MFA) on your services – MFA is the best way to prevent credential stuffing attacks. If your essential providers aren’t offering it, ask them why.
Organisations
- Purchase a credential monitoring service which monitors for credentials belonging to your staff – services such as CyberCX’s Data Exposure Monitoring service can integrate with your SOC to trigger investigations into suspicious activity or force automatic password resets for at-risk passwords.
- Provide corporate password managers to your staff – this will improve your corporate security by controlling access to passwords and can reduce the insider threat of passwords being stored on paper.
- Enforce appropriate password complexity requirements – requirements that reject things like obvious password change patterns make it harder for threat actors to guess current or future passwords for users.
- Deploy phishing resistant MFA and test your MFA configuration regularly – MFA will protect your organisation from a raft of threat vectors, including the risk of staff credentials becoming available.
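
The advisory notes that threat actors can guess future passwords from patterns such as incrementing numbers, and recommends rejecting obvious password change patterns. The sketch below is an added example, not CyberCX code: a check run at password-change time, where the function name, reason labels and thresholds are illustrative assumptions and the sample passwords are constructed.

```python
import re
from difflib import SequenceMatcher

# Illustrative thresholds (assumptions, not values from the advisory).
MIN_LENGTH = 12
MAX_SIMILARITY = 0.8


def _fold(password: str) -> str:
    """Case-fold so 'Winter' and 'WINTER' compare equal."""
    return password.casefold()


def _base(password: str) -> str:
    """Strip every digit run: 'Winter2024!' and 'Winter2025!' share a base."""
    return re.sub(r"\d+", "", _fold(password))


def check_password_change(current: str, candidate: str) -> list[str]:
    """Return the reasons to reject `candidate`; an empty list means accept.

    `current` is the password the user typed to authorise the change, so the
    comparison happens in memory and no plaintext history is stored.
    """
    reasons = []
    old, new = _fold(current), _fold(candidate)

    if len(candidate) < MIN_LENGTH:
        reasons.append("too_short")
    # Same password once digits and case are ignored (e.g. an incremented
    # counter or year).
    if _base(current) == _base(candidate):
        reasons.append("same_base")
    # Old password kept whole with characters bolted on.
    elif old in new or new in old:
        reasons.append("contains_previous")
    # Small edits elsewhere in the string.
    elif SequenceMatcher(None, old, new).ratio() >= MAX_SIMILARITY:
        reasons.append("too_similar")
    return reasons


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any dataset.
    for cand in ("Winter2025!Rain", "Winter2024!Rain??", "correct-horse-battery-staple"):
        print(cand, check_password_change("Winter2024!Rain", cand))
```

A check like this complements, rather than replaces, screening new passwords against known-exposed credentials and enforcing MFA.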