16 Billion Credentials Leaked: The Infostealer Epidemic
The largest credential breach in history exposed 16 billion credentials from infostealers. Session tokens, not just passwords, are changing the game for attackers.
June 2025 brought what researchers are calling the largest credential breach in history. Not 16 million. Sixteen billion credential records: usernames, passwords, session tokens, and browser cookies, spread across 30 separate datasets. Those datasets almost certainly overlap, so the number of distinct accounts is lower, but the scale is unprecedented either way.
But the real story isn’t the number. It’s the source.
Fresh Data, Not Recycled Breaches
Previous mega-leaks often contained recycled data: old breaches repackaged and resold. This one is different. The credentials came directly from infostealer malware running on infected endpoints around the world.
Infostealers are specialized malware designed to harvest everything valuable from a compromised system: browser-stored passwords, autofill data, session cookies, cryptocurrency wallets, and authentication tokens. Popular families include RedLine, Raccoon, Vidar, and Lumma.
The harvested data was linked to major platforms: Facebook, Google, Apple, GitHub, Telegram, and many others. For organizations, this means employees’ personal and work accounts may both be compromised—especially if they used the same device or browser for both.
Why Session Tokens Change the Game
A stolen password is bad. A stolen session token is worse.
A stolen password still has to get past MFA. A stolen session token does not: it is the artifact the server issued after login already succeeded, so presenting it asks nothing further of whoever holds it. If an attacker has a valid session cookie from your browser, they can import it into their own browser and carry on your session as if they were you, until it expires or is revoked.
No password prompt. No MFA challenge. Just access.
This is particularly dangerous for cloud consoles, SSO portals, and SaaS admin panels. A stolen session for AWS, Azure, or Google Cloud, or for the identity provider that fronts them, can turn into full infrastructure takeover within minutes.
How Infostealers Spread
The infection vectors are predictable but effective:
- Cracked software and key generators: The most common vector. Users download pirated software that bundles a stealer
- Phishing emails with malicious attachments: Often disguised as invoices, shipping notifications, or job applications
- Malicious ads (malvertising): Fake download links on search results pages
- Compromised websites: Drive-by downloads from legitimate sites that have been hacked
Corporate endpoints get infected too. Remote workers using personal devices, employees downloading tools outside of IT control, or contractors with minimal security oversight—all create opportunities.
The Aggregation Problem
Individual infections might seem minor. One person’s credentials? Limited impact.
But infostealers feed into a massive underground economy. Operators sell stolen data in bulk. Buyers aggregate datasets across thousands of victims. The result is a database like the one exposed in June: 16 billion credentials, organized and searchable.
Attackers use this data for:
- Credential stuffing attacks against corporate systems
- Account takeover on banking, email, and social media
- Initial access for ransomware operations
- Business email compromise (BEC) campaigns
Checklist: Immediate Actions
- Check your organization’s domains against breach monitoring services (Have I Been Pwned, SpyCloud, etc.)
- Enforce MFA on all accounts, prioritizing cloud consoles and admin portals
- Review endpoint detection and response (EDR) coverage for infostealer families
- Rotate session tokens and API keys for privileged accounts, and revoke active sessions at the identity provider; a password reset on its own does not always invalidate cookies that were already issued
- Audit browser extension policies: a malicious extension with cookie and form access can harvest the same data a stealer binary does
- Block known infostealer C2 domains at the firewall/DNS level
- Remind users: pirated software and “free” tools have hidden costs
Beyond Password Hygiene
Password managers and MFA are still essential. But they’re not sufficient against session theft.
Organizations should consider:
- Token binding: Tying sessions to specific devices or IPs where feasible. IP pinning is cheap but breaks for mobile and VPN users; binding the session to a key held on the device is the stronger form
- Short session lifetimes: Forcing re-authentication more frequently for sensitive systems
- Behavioral analytics: Detecting anomalous session activity (new geography, new device, unusual hours)
- Device trust policies: Blocking access from unmanaged or non-compliant devices
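Here is what the difference between a bearer session and a bound, short-lived one looks like in code. This is an added example written for this article, not code from the original post or from any product; the fingerprint recipe, the timeouts, the store layout and the IP addresses are illustrative assumptions. The naive store is the behaviour described under "Why Session Tokens Change the Game": a cookie replayed from the attacker's machine is accepted as the victim. The bound store implements the first two items above (token binding and short lifetimes) plus the checklist's rotation step.

```python
import hashlib
import hmac
import secrets
from collections import namedtuple
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60       # assumed: 15 idle minutes end the session
ABSOLUTE_TIMEOUT = 8 * 3600  # assumed: re-authenticate after 8 hours regardless

# The parts of an HTTP request the server needs; `now` is injected so the demo is deterministic.
Request = namedtuple("Request", "cookie ip user_agent now")

@dataclass
class Session:
    user: str
    client_fp: str   # keyed hash of client network + browser, fixed at login
    created: float
    last_seen: float
    version: int     # per-user revocation counter captured at login

def client_fingerprint(ip: str, user_agent: str, server_key: bytes) -> str:
    # Keyed so the stored value does not leak the raw IP/UA. Binding to the /24 rather
    # than the exact address tolerates NAT churn (assumption; a poor fit for mobile carriers).
    net = ".".join(ip.split(".")[:3])
    return hmac.new(server_key, f"{net}|{user_agent}".encode(), hashlib.sha256).hexdigest()

class NaiveSessionStore:
    """Bearer semantics: whoever presents the cookie is the user."""
    def __init__(self):
        self._sessions = {}  # session id -> user

    def login(self, user: str, req: Request) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        return sid

    def authenticate(self, req: Request):
        return self._sessions.get(req.cookie)

class BoundSessionStore:
    """The cookie must match the login fingerprint, sit inside both lifetimes, and not be revoked."""
    def __init__(self, server_key: bytes):
        self._key = server_key
        self._sessions = {}     # session id -> Session
        self._revocations = {}  # user -> number of revoke_all() calls

    def login(self, user: str, req: Request) -> str:
        sid = secrets.token_urlsafe(32)
        fp = client_fingerprint(req.ip, req.user_agent, self._key)
        self._sessions[sid] = Session(user, fp, req.now, req.now, self._revocations.get(user, 0))
        return sid

    def authenticate(self, req: Request):
        s = self._sessions.get(req.cookie)
        if s is None:
            return None
        fp = client_fingerprint(req.ip, req.user_agent, self._key)
        if (not hmac.compare_digest(fp, s.client_fp)
                or req.now - s.created > ABSOLUTE_TIMEOUT
                or req.now - s.last_seen > IDLE_TIMEOUT
                or s.version != self._revocations.get(s.user, 0)):
            # A fingerprint mismatch means the cookie is in someone else's hands;
            # deleting it stops both parties, so the real user simply logs in again.
            del self._sessions[req.cookie]
            return None
        s.last_seen = req.now
        return s.user

    def revoke_all(self, user: str) -> None:
        """Rotation: every session issued before this call stops validating."""
        self._revocations[user] = self._revocations.get(user, 0) + 1

def demo() -> dict:
    """Replay a stolen cookie against both stores and return who each one admits."""
    key, t0 = secrets.token_bytes(32), 1_700_000_000.0
    victim_ua = "Mozilla/5.0 (Windows NT 10.0) Chrome/125"
    attacker_ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/126"
    victim = Request("", "203.0.113.10", victim_ua, t0)  # constructed RFC 5737 addresses
    naive, bound = NaiveSessionStore(), BoundSessionStore(key)
    out = {}

    # 1. Stolen cookies imported into the attacker's browser on another network.
    n_sid, b_sid = naive.login("alice", victim), bound.login("alice", victim)
    out["naive_replay"] = naive.authenticate(Request(n_sid, "198.51.100.7", attacker_ua, t0 + 60))
    out["bound_replay"] = bound.authenticate(Request(b_sid, "198.51.100.7", attacker_ua, t0 + 60))

    # 2. The real user keeps working inside the idle window, then goes quiet for too long.
    b_sid = bound.login("alice", victim)
    out["bound_legit"] = bound.authenticate(Request(b_sid, "203.0.113.10", victim_ua, t0 + 600))
    out["bound_idle_expired"] = bound.authenticate(
        Request(b_sid, "203.0.113.10", victim_ua, t0 + 600 + IDLE_TIMEOUT + 1))

    # 3. Exposure confirmed: revoke every session for the account (the checklist's rotation step).
    b_sid = bound.login("alice", victim)
    bound.revoke_all("alice")
    out["bound_after_revoke"] = bound.authenticate(Request(b_sid, "203.0.113.10", victim_ua, t0 + 5))
    return out
```

Running `demo()` shows the naive store admitting the attacker as `alice` while the bound store rejects the replay, keeps serving the real user until the idle window lapses, and rejects every pre-revocation session after `revoke_all`. Deleting the session on a fingerprint mismatch is a deliberate choice: once a cookie has been seen from two clients, the safe assumption is that it is stolen, and forcing the real user through login again is a small price.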
The shift from password-based attacks to token-based attacks requires a matching shift in defensive posture.
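The behavioral-analytics item above, worked as an added example that is not part of the original post: a small detector run over constructed audit-log lines that flags a session cookie seen from a new country within an hour of its last use, a User-Agent change mid-session, and admin paths touched outside normal hours. The log format, the `geo=` enrichment, the thresholds and the sample data are all assumptions; a real deployment would read the identity provider's audit log instead.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines (not real logs) in an assumed "timestamp key=value ..." format.
# The geo= field is assumed to come from an upstream IP-to-country enrichment step.
SAMPLE_LOG = """\
2025-06-20T08:05:12Z sid=s1 user=alice ip=203.0.113.10 geo=DE ua=Chrome/125 path=/dashboard
2025-06-20T08:09:40Z sid=s1 user=alice ip=203.0.113.10 geo=DE ua=Chrome/125 path=/reports
2025-06-20T08:21:03Z sid=s1 user=alice ip=198.51.100.7 geo=BR ua=Firefox/126 path=/admin/users
2025-06-20T08:25:30Z sid=s2 user=bob ip=192.0.2.44 geo=DE ua=Chrome/125 path=/dashboard
2025-06-20T09:00:00Z sid=s2 user=bob ip=192.0.2.44 geo=DE ua=Chrome/125 path=/dashboard
2025-06-21T02:13:09Z sid=s3 user=bob ip=192.0.2.44 geo=DE ua=Chrome/125 path=/admin/tokens
"""

TRAVEL_WINDOW = 60 * 60      # assumed: a country change within an hour is impossible travel
NORMAL_HOURS = range(6, 22)  # assumed: UTC hours in which admin activity is expected

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

def parse_line(line: str):
    """Turn one log line into a dict; returns None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        event = dict(field.split("=", 1) for field in m["kv"].split())
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:  # a field without '=', or a timestamp that does not parse
        return None
    event["ts"] = ts
    return event

def detect(lines) -> list:
    """Return (rule, session_id, detail) alerts, tracking the last event seen per session."""
    alerts = []
    last = {}  # session id -> most recent event for that session
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or "sid" not in ev:
            continue
        sid, prev = ev["sid"], last.get(ev["sid"])
        if prev is not None:
            delta = (ev["ts"] - prev["ts"]).total_seconds()
            # Same cookie, new country, too soon: the classic replayed-session signal.
            if ev.get("geo") != prev.get("geo") and delta < TRAVEL_WINDOW:
                alerts.append(("impossible_travel", sid,
                               f"{prev.get('geo')}->{ev.get('geo')} in {int(delta)}s"))
            # A cookie imported into another browser changes the User-Agent mid-session.
            if ev.get("ua") != prev.get("ua"):
                alerts.append(("user_agent_change", sid, f"{prev.get('ua')}->{ev.get('ua')}"))
        # Admin paths touched off-hours are worth a look even with no earlier event to compare.
        if ev["ts"].hour not in NORMAL_HOURS and ev.get("path", "").startswith("/admin"):
            alerts.append(("off_hours_admin", sid, f"{ev['ts']:%H:%M} UTC {ev['path']}"))
        last[sid] = ev
    return alerts

if __name__ == "__main__":
    for rule, sid, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"[{rule}] session {sid}: {detail}")
```

On the sample data the third line of session `s1` trips both the impossible-travel and the User-Agent rules at once, which is exactly the shape a replayed infostealer cookie takes: same session ID, different country, different browser, a few minutes after the victim's last legitimate request. Session `s3` is flagged only for off-hours admin activity; on its own that is a lower-confidence signal and belongs in a review queue rather than an automatic block.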
At Dédalo, we help organizations assess credential exposure and implement detection controls for identity-based attacks. If you need a credential audit or want to improve your token security posture, reach out.