CERT-IN Alert: 16 Billion Passwords Leaked Online
The Indian Computer Emergency Response Team (CERT-IN) has issued a critical global advisory warning internet users of a massive breach involving over 16 billion passwords and login credentials now available for sale on the dark web. This enormous data leak includes sensitive information from major platforms like Google, Apple, Facebook, Telegram, and several other online services. Declaring the situation a “cyber emergency”, CERT-IN has urged all users to immediately change their passwords, enable two-factor authentication (2FA), and steer clear of suspicious links and emails.
This is being dubbed as the largest data breach in internet history, threatening the digital safety of individuals, corporations, and government organisations alike.
What’s the Case About?
According to recent reports, more than 16 billion login credentials are up for sale on dark web marketplaces. This data has been stolen through infostealer malware and other cyberattacks that silently collect passwords, session cookies, and private information from users’ devices.
The affected platforms include
- Tech and social media giants: Google, Apple, Facebook, Instagram, Telegram
- Other services: GitHub, VPNs, government and private portals
- Nature of data: Usernames, passwords, mobile numbers, and in some cases, credit card details
CERT-IN has termed this threat as highly severe in its advisory CTAD-2025-0024. The leak involves both recent and historic data and is being sold at low prices, making it easily accessible to cybercriminals.
Scale of the Threat
The magnitude of this breach makes it the most significant cyber intrusion in internet history. With approximately 5.5 billion internet users globally, the presence of 16 billion leaked credentials indicates that multiple accounts per user may have been compromised.
Key Risks
- Identity Theft: Criminals can create fake accounts or conduct fraud in your name using the stolen data.
- Banking Fraud: Leaked credentials can provide hackers access to bank accounts, UPI, or e-wallets for unauthorised transactions.
- Phishing Attacks: Fraudsters may use fake emails and websites to trick users into revealing OTPs or credit card details.
- Social Media Misuse: Malicious posts, messages, or deletions from compromised accounts can damage one’s social and professional reputation.
- Institutional Threats: Credentials of government and corporate portals are also leaked, posing risks to national security and enterprise data.
Cybersecurity researchers have found that the leaked data is distributed across 30 structured datasets, each containing millions to 3.5 billion records, making it alarmingly efficient for organised cybercrime.
CERT-IN Recommendations: How to Protect Your Digital Security
CERT-IN has outlined urgent steps for both individuals and organisations to secure their digital identities. The table below summarises the key recommendations and their significance:
| Action | Why It Matters | Immediate Step |
|---|---|---|
| Change passwords immediately | Prevent misuse of leaked data | Set new, unique passwords on all major accounts (Google, Apple, Facebook, Telegram, etc.) |
| Use strong passwords | Protect against brute-force attacks | At least 12 characters including uppercase, lowercase, numbers, and special symbols (e.g., Tr0ub!e2025) |
| Enable Two-Factor Authentication (2FA) | Adds an extra layer of security | Use Google Authenticator, Microsoft Authenticator, or SMS-OTP |
| Avoid suspicious links/emails | Prevent phishing attacks | Don’t open unknown email attachments; verify website URLs before clicking |
| Use a password manager | Manage unique passwords securely | Opt for trusted services like Bitwarden, 1Password, or Google Password Manager |
Additional Precautions:
- Device Updates: Regularly update OS, apps, and browsers to patch security vulnerabilities.
- Anti-Virus Software: Use reputed antivirus tools like Norton, McAfee, or Kaspersky and run regular scans.
- Passkeys: Adopt passkey technology introduced by Google and Apple, offering phishing-proof login through biometric authentication (fingerprint or Face ID).
Expert Opinions
Cybersecurity professionals have termed this breach “unprecedented” and “devastating.” According to Keeper Security, this may be the largest data leak in internet history.
Key insights:
- Infostealer Malware: A major portion of the breach stems from malware that silently collects user data.
- Fresh Data: The leak includes recently breached data from 2025, not just old republished records.
- Organised Crime: The breach is categorised in structured datasets, simplifying exploitation for criminals.
- Low Cost: The data is available at low prices on the dark web, putting it within reach of even amateur hackers.
How to Check if Your Data is Leaked
It’s vital to determine whether your data is part of this breach. Here’s how to check:
- Visit HaveIBeenPwned.com: Enter your email or phone number to see if it has been compromised in any known breach.
- Monitor Account Activity: Watch for suspicious login notifications or unusual account behaviour.
- Review Bank Statements: Regularly check your financial records to detect any unauthorised transactions.
Impact on Companies and Governments
This leak doesn’t just affect individuals. Credentials of several corporate and government portals have also been compromised, raising concerns over national and organisational cybersecurity.
CERT-IN advises organisations to:
- Review Access Controls: Ensure only authorised users can access sensitive systems.
- Encrypt Data: Secure all data through encryption to limit misuse in case of leakage.
- Deploy Security Systems: Use tools like Intrusion Detection Systems (IDS) and SIEM to monitor threats.
Passkeys: The Future of Secure Login
Given the vulnerabilities of traditional passwords, Google and Apple are pushing for a shift to passkeys, a passwordless authentication method based on cryptographic keys and biometrics. Passkeys offer enhanced security by eliminating phishing risks and are already available in major platforms. Users are advised to enable passkey login in their account settings for better protection.
If Your Data Has Been Leaked, Do This:
- Reset Passwords: Immediately create strong passwords for all affected accounts.
- Activate 2FA: Enable two-factor authentication wherever available.
- Report Suspicious Activity: Notify the respective platform if you notice unusual activity.
- Monitor Credit: Keep an eye on your credit report for fraud indicators.
- Take Legal Steps: If your identity is misused, call 1930 or file a complaint at cybercrime.gov.in.
Cybersecurity in India: A Rising Concern
India has witnessed a sharp rise in cyberattacks, with a 15% increase reported in 2024. This breach further exposes the vulnerabilities in a country heavily dependent on digital payments and online services.
India-Specific Tips:
- Secure UPI and Banking: Use 2FA and biometric authentication on financial apps.
- Cyber Crime Helpline: Call 1930 for cybercrime assistance.
- Awareness: Educate family and peers about basic cyber hygiene.
Secure Your Digital Identity Today
The leak of 16 billion passwords has shaken global digital security foundations. Following CERT-IN’s guidance and expert advice, users must act promptly — change passwords, enable 2FA, and adopt modern technologies like passkeys. Vigilance remains the strongest defence in this growing cyber threat landscape.
Disclaimer: This article is for informational purposes only. Please refer to official advisories and CERT-IN guidelines for actions related to cybersecurity.
Also Read
Veo 3 Launches in India: Create AI Vlogs with Monkeys or Historical Characters
