[Analysis] 16 billion passwords leaked – how much is recycled data? 

Researchers recently uncovered a (seemingly) unprecedented aggregation of roughly 16 billion username–password pairs. However, there’s been some debate about how much of this is recycled data and how much is new. As with the Rockyou2024 password list and the ALIENTXTBASE data dump, our own analysts have found that this leak of 16 billion passwords isn’t as concerning as initial headlines suggested. That said, this is still a noteworthy password list, and organizations should remain wary of the risk of breached credentials.

Darren James, Specops Senior Product Manager, said: “We continuously check our customers’ users’ passwords to see if they’ve become breached against our constantly updated database. While our analysis suggests many of these passwords are existing breached credentials, this incident underscores the ease with which attackers can amass vast libraries of credentials for automated attacks. 

“Although this credential data was only available briefly, our customers can rest assured that our live attack data from our honeypots system and threat intelligence platform will continue to capture stolen credentials and constantly feed them into our Breached Password database, providing ongoing protection against breaches. We’ve got them covered.” 

How was the leak discovered?

Cybernews’ security team uncovered the leak as part of an ongoing investigation that began in January 2025. By actively scanning public-facing cloud storage and misconfigured Elasticsearch/Object Storage instances, they identified 30 unsecured databases (briefly exposed online) that together held the roughly 16 billion username–password pairs.

In a quote, Cybernews researchers said: “This is not just a leak – it’s a blueprint for mass exploitation. With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing. What’s especially concerning is the structure and recency of these datasets – these aren’t just old breaches being recycled. This is fresh, weaponizable intelligence at scale.

“The only silver lining here is that all of the datasets were exposed only briefly: long enough for researchers to uncover them, but not long enough to find who was controlling vast amounts of data. Most of the datasets were temporarily accessible through unsecured Elasticsearch or object storage instances.”

However, our analysts have taken a different view, and believe a large proportion of the credentials have been previously leaked.

Specops analysis: How many of these credentials are new?

Analysis from KrakenLabs (threat intelligence team of Outpost24, Specops’ parent company) suggests we should be cautious about treating this leak as newly breached credentials. Some headlines have claimed “16B credentials were exposed” in a new infostealer leak, but it’s more like a compilation of 30 separate datasets found in unsecured Elastic/Object Storage instances. These datasets might not necessarily belong to any C2 or criminal infrastructure.

Based on KrakenLabs’ investigation, the credentials were already circulating in Telegram channels and underground forums long before this report. They identified, for example, that one of the index names listed in the exposed Elastic instances matches those used by the OHCTI! Threat Exposure project, an open-source initiative that monitors Telegram and indexes leaked credentials so they can be searched via a bot. In other words, this is not a breach; it’s a year-long accumulation of already leaked credentials, scraped by automated tools.

KrakenLabs continuously monitor Telegram channels in real time, alerting on leaked credentials as they appear. However, we should note it’s possible that not all the info contained in this leak is old. The original owners of the databases could have obtained some of it by recently scraping a Telegram channel that contained fresh credentials. It’s possible that Specops/Outpost24 (or even Have I Been Pwned) do not have the complete database they leaked because, for example, they scraped a Telegram channel that we do not yet follow.

How should organizations respond?

While we don’t believe there is specific reason to be concerned about this leak, there are certain best practices organizations should be following regardless. By combining robust monitoring and strategic hardening, organizations can reduce their risk of being exposed by both this leak and future ones.

  • Enhanced logging & SIEM correlation: Ensure all authentication attempts are logged centrally. Monitor for patterns of reused credentials or mass-login failures, and feed into your SIEM for rapid alerting.
  • Ongoing user education: Launch simulated phishing campaigns to reinforce best practices. Provide clear guidance on recognizing social-engineering tactics and reporting suspicious activity.
  • Harden your Active Directory passwords: Enforce strong, unique passwords (passphrases of at least 15 characters with a mix of letters, numbers, and symbols). Need a quick view of how many end users have weak or compromised passwords? Run a read-only scan with our free tool: Specops Password Auditor.
  • Mandatory multi-factor authentication (MFA): Roll out MFA across all user and administrative logins – ideally with a tool such as Specops Secure Access that includes phishing-resistant authentication mechanisms.
  • Scan for compromised passwords: Cross-reference your user database against leaked credential feeds to identify impacted accounts. You can then force a password reset for any account with passwords flagged as compromised. Not got a tool that can continuously scan for breached passwords? Specops Password Policy’s list of over 4 billion unique breached passwords gets updated every day – and your Active Directory is continuously scanned against it. Book a Specops Password Policy live demo today.
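
As an added illustration of the logging and SIEM correlation point above (not Specops code), the following sketch flags a source IP that fails logins against many distinct accounts inside a short window, then lists any successful login from that source as a candidate for a forced password reset. The log format, thresholds, sample events and function names are assumptions made for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (assumed format): timestamp source_ip username result
SAMPLE_LOG = """\
2025-06-24T09:00:01 203.0.113.7 alice FAIL
2025-06-24T09:00:03 203.0.113.7 bob FAIL
2025-06-24T09:00:04 198.51.100.20 gina FAIL
2025-06-24T09:00:05 203.0.113.7 carol FAIL
2025-06-24T09:00:09 198.51.100.20 gina FAIL
2025-06-24T09:00:12 203.0.113.7 dave FAIL
2025-06-24T09:00:15 198.51.100.20 gina OK
2025-06-24T09:00:20 203.0.113.7 erin FAIL
2025-06-24T09:01:30 203.0.113.7 frank OK
"""

def parse(line):
    """Split one log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result

def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Return (flagged, suspect).

    flagged: {ip: time the ip first failed against >= min_users distinct
              accounts within `window`}
    suspect: [(user, ip)] successful logins from an already flagged ip;
             these accounts likely had a leaked password that still worked.
    """
    failures = defaultdict(deque)  # ip -> recent (timestamp, user) failures
    flagged, suspect = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse(line)
        recent = failures[ip]
        # Drop failures that have aged out of the sliding window.
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        if result == "FAIL":
            recent.append((ts, user))
            # Many *distinct* accounts from one source separates stuffing
            # from a single user mistyping their own password.
            if ip not in flagged and len({u for _, u in recent}) >= min_users:
                flagged[ip] = ts
        elif result == "OK" and ip in flagged:
            suspect.append((user, ip))
    return flagged, suspect

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

The single user who mistypes a password twice before succeeding (gina in the sample) is not flagged, because the rule counts distinct accounts per source and not raw failures.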

(Last updated on June 24, 2025)

Written by

Marcus White

Marcus is a Specops cybersecurity specialist based in the UK, with 8+ years experience in the tech and cyber sectors. He writes about authentication, password security, password management, and compliance.
