02 July 2025

Late in June, many of us witnessed the breaking news story: 16 billion credentials leaked online in ‘the mother of all data breaches.’
Researchers from an online cybersecurity news site said that they had found 30 datasets full of credentials harvested from infostealers and leaks. The datasets were exposed only temporarily through unsecured Elasticsearch or object storage instances.
However, multiple incident response specialists, researchers and cybersecurity experts have since disputed those claims and questioned the data and analysis the assertion was based upon. Moreover, industry experts have reported that by comparing released sample data against previous credential leaks, it becomes clear that most of these credentials were from previously released password dumps.
Accordingly, strong warnings have emerged from industry that misinformation or embellishment can be a disservice, drawing attention away from verified attacks and new weaknesses as they are exposed.
Kev Eley, VP UK&I at Exabeam, warns that “the recent hype around the ‘16 billion password breach’ is a prime example of how exaggerated cybersecurity narratives can do more harm than good. Not only is there little evidence to support the claim, but repeated focus around massive leaks can also cause companies to view attacks as noise rather than real threats. When there’s such a big focus on these large numbers, attention shifts away from real attacks that cause real damage to businesses – like phishing or ransomware threats. To break this cycle, organisations need to build response plans that rely on facts, not fear.”
“A majority of the data in the ‘16 billion password breach’ appear to be old or previously disclosed compromises, causing some to call the various media reports nothing more than fear mongering,” agrees Mike Puglia, General Manager – Security Products, Kaseya. However, “while the headlines may be fantastical, we should not underestimate the immense value of aggregating thousands of siloed breaches into a single set of data and having that information exposed to the entirety of the malicious actor community in one release. Even if the majority of passwords are no longer valid, on average over one million will still ‘work’. Perhaps more importantly, it gives an extremely large data set for attackers to leverage AI enhanced phishing emails with extreme personalisation.”
As such, James Shank, Director of Threat Operations at Expel, says that “if this news frightens you, then your security program probably has some fundamental gaps. Let this be the fuel you need to position yourself and your department for solving the problem systematically, rather than defending against the news du jour. There will always be another breach, with even more passwords, and emergency handling will continue if you don’t have systematic defenses in place.”
In the wake of the incident, experts are keen to highlight the pervasiveness of infostealer malware, as well as how enterprises should protect against this type of attack. The fact that someone was able to compile 16 billion records from old – sometimes years old – breaches, shows how big the problem is.
“We’ve seen recent attacks where sensitive, regulated data was stolen — raising serious concerns about fines and loss of trust. It’s not just about having backups anymore,” notes Charles Burger, Director of Cybersecurity Solutions, Nexsan. “Organisations need immutable storage with detailed access logs to really protect their most valuable data. If credentials are compromised, being able to see exactly what was accessed, by whom, and from where is critical to respond quickly and limit the damage.”
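The access-log question raised above (what was accessed, by whom, and from where, once a credential is known to be compromised) is a concrete triage routine. The example below is added here and is not code from the article or from Nexsan: it reads JSON-lines access records, keeps only events for the compromised accounts since a chosen time, and lists the objects touched, the source addresses used, and which of those addresses are not in the account's known baseline. The log lines, the baseline and the compromised-account list are all constructed for the example; the record fields (`ts`, `user`, `src`, `action`, `object`) are an assumed schema, not any product's format.

```python
import json
from datetime import datetime, timezone

# Constructed sample access log (JSON lines). Addresses are documentation ranges.
LOG_LINES = """
{"ts": "2025-06-19T17:42:00Z", "user": "alice", "src": "203.0.113.5",    "action": "read",  "object": "finance/q1.xlsx"}
{"ts": "2025-06-20T08:01:00Z", "user": "alice", "src": "198.51.100.77", "action": "read",  "object": "finance/q2.xlsx"}
{"ts": "2025-06-20T08:03:30Z", "user": "alice", "src": "198.51.100.77", "action": "read",  "object": "hr/payroll.csv"}
{"ts": "2025-06-20T09:15:00Z", "user": "bob",   "src": "203.0.113.9",   "action": "read",  "object": "eng/roadmap.md"}
{"ts": "2025-06-21T10:00:00Z", "user": "alice", "src": "203.0.113.5",    "action": "write", "object": "finance/q2.xlsx"}
""".strip().splitlines()

# Constructed baseline: source addresses each account normally uses.
KNOWN_SOURCES = {"alice": {"203.0.113.5"}, "bob": {"203.0.113.9"}}


def parse_record(line: str) -> dict:
    """Parse one JSON-lines record and convert its timestamp to an aware datetime."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def triage(lines, compromised: set[str], since: datetime, baseline: dict) -> dict:
    """Summarise what each compromised account touched since `since`, and from where."""
    report = {
        user: {"objects": [], "sources": set(), "unfamiliar_sources": set()}
        for user in compromised
    }
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_record(line)
        if rec["user"] not in compromised or rec["ts"] < since:
            continue  # not an account of interest, or before the window
        entry = report[rec["user"]]
        entry["objects"].append((rec["ts"].isoformat(), rec["action"], rec["object"]))
        entry["sources"].add(rec["src"])
        if rec["src"] not in baseline.get(rec["user"], set()):
            entry["unfamiliar_sources"].add(rec["src"])  # address not seen for this account before
    return report


if __name__ == "__main__":
    window_start = datetime(2025, 6, 20, tzinfo=timezone.utc)
    for user, entry in triage(LOG_LINES, {"alice"}, window_start, KNOWN_SOURCES).items():
        print(user, entry)
```

Unfamiliar source addresses are the first thing to chase, since they separate the attacker's sessions from the legitimate user's; the object list then bounds what may need to be restored from immutable storage or reported.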