NEWS Structure of 16-Billion Record Data Leak Revealed: 30 Databases, Largest One from Portugal; Includes Russian and Telegram-Linked Bases

ExcalibuR


Info-stealers are to blame; the databases are updated every few weeks.


Cybernews researchers have revealed new details about a massive data leak involving approximately 16 billion compromised accounts. First reported a few days ago, the story has now taken a new turn as analysts continue to dissect the vast trove of leaked information and warn of its alarming implications.


According to researchers, the data leak comprises not a single dataset, but thirty separate databases, each containing from tens of millions to several billion records. The largest one reportedly includes over 3.5 billion entries, likely tied to the Portuguese-speaking segment of the internet. On average, each database holds about 550 million records. While many entries overlap, the combined scope represents an unprecedented volume of information, most of which has never been previously published.


The leaked data was primarily harvested using infostealers — malicious programs that steal logins, passwords, session tokens, cookies, and other sensitive data. Sample entries show a wide range of platforms involved: from Google, Apple, and Facebook to Telegram, Zoom, Twitch, and even government services. Logs typically include a URL, login, and password — a structure consistent with modern info-stealers.
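For a defender who is handed a dump of such logs (for example through a threat-intelligence notification) the first job is to find which of their own users appear in it without spreading the plaintext passwords any further. The following Python is an added example, not code from Cybernews or the article; the colon-separated "URL:login:password" layout, the `SAMPLE_LOG` contents and the watched domains are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in a "URL:login:password" layout (separator and
# values are assumptions; none of this is data from the leak).
SAMPLE_LOG = """\
https://accounts.example.com/login:alice@example.com:Winter2024!
https://mail.example.org/:bob:p@ss:with:colons
http://portal.gov.example/auth:carol.smith:hunter2
not a log line at all
https://shop.example.net/signin:dave@example.com:
"""


@dataclass(frozen=True)
class StealerRecord:
    url: str
    host: str
    login: str
    password: str


# The URL itself contains "://", so the URL is matched explicitly (scheme,
# host, optional port, colon-free path); the login is the next colon-free
# field and the password keeps any further colons. A path containing ':' is
# not handled by this simplified pattern.
_LINE_RE = re.compile(
    r"^(?P<url>[a-z][a-z0-9+.-]*://(?P<host>[^/:\s]+)(?::\d+)?[^:\s]*)"
    r":(?P<login>[^:]+):(?P<password>.+)$",
    re.IGNORECASE,
)


def parse_line(line: str):
    """Return a StealerRecord for a well-formed line, else None."""
    m = _LINE_RE.match(line.strip())
    if m is None:
        return None
    return StealerRecord(m["url"], m["host"].lower(), m["login"], m["password"])


def host_matches(host: str, domains) -> bool:
    """True when host is one of the watched domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(text: str, domains) -> dict:
    """Map each exposed login to the hosts it was seen on, for the watched
    domains only. Passwords are parsed but deliberately not retained; the
    response is to force a reset, not to store the secret."""
    hits: dict = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not host_matches(rec.host, domains):
            continue
        hits.setdefault(rec.login, []).append(rec.host)
    return hits


if __name__ == "__main__":
    for login, hosts in triage(SAMPLE_LOG, {"example.com", "example.org"}).items():
        print(f"{login}: {', '.join(hosts)}")
```

Lines that do not match the layout, or that carry an empty password, are skipped rather than guessed at, and the output only names the accounts that need a forced reset and session revocation.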


Researcher Bob Diachenko, who participated in the analysis, emphasizes that no major companies like Google or Facebook were directly breached. Instead, credentials to their services were stolen from infected end-user devices. This means the users themselves were compromised, not the companies.


What’s particularly concerning is the freshness of the records. Researchers confirm that this isn’t old "data archaeology" — these are fresh logs from the past few months, indicating active and widespread use of infostealers in the wild. New giant databases are emerging every few weeks, showing a growing trend of data aggregation and monetization.


Many of these databases were accessible via misconfigured Elasticsearch instances or public cloud storage, allowing researchers to quickly detect them — though the actual source of the leaks remains unknown. Some datasets may have been compiled by researchers or threat monitoring firms, but it's likely that a significant portion belongs to criminal groups.


According to researcher Aras Nazarovas, there is a noticeable shift in cybercriminal behavior. While Telegram channels were previously popular for log distribution, criminals are now moving to centralized infrastructures that offer more stable access to data. This makes protection more difficult, especially in environments lacking multi-factor authentication (MFA) and regular password rotation.


Some database names clearly hint at geographical or service origins. For instance, one dataset references the Russian Federation, and another mentions Telegram. However, such labels shouldn’t be taken at face value — they may serve as decoys or provide indirect clues at best.


Particularly dangerous are logs containing not just credentials but active tokens and cookies. Some services do not invalidate cookies even after a password change, allowing attackers to retain access. In such cases, simply changing your password may not be enough. Researchers recommend checking for infostealer traces, resetting active sessions, and enabling two-factor authentication wherever possible.
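The reason a password change alone can be insufficient is that the server still honours whatever session cookie was stolen with the password. The Python below is an added illustration of the fix on the service side, not code from any product the article mentions: every session records the account's `password_version` at issue time, a password change bumps the version, and `check_session` rejects stale cookies. The `enforce_version=False` path reproduces the weak behaviour the article warns about, for comparison. The in-memory store, PBKDF2 parameters and method names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    password_version: int = 1  # incremented on every password change


@dataclass
class Session:
    token: str
    username: str
    issued_version: int  # the user's password_version when the cookie was issued


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count chosen for the example only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    """Minimal in-memory user and session store (assumed example)."""

    def __init__(self):
        self.users = {}     # username -> User
        self.sessions = {}  # cookie token -> Session

    def create_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, salt, _hash_password(password, salt))

    def _verify(self, user: User, password: str) -> bool:
        return hmac.compare_digest(_hash_password(password, user.salt), user.password_hash)

    def login(self, username: str, password: str):
        """Return a new session token on success, None on failure."""
        user = self.users.get(username)
        if user is None or not self._verify(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, username, user.password_version)
        return token

    def change_password(self, username: str, old_password: str, new_password: str) -> bool:
        user = self.users[username]
        if not self._verify(user, old_password):
            return False
        user.salt = secrets.token_bytes(16)
        user.password_hash = _hash_password(new_password, user.salt)
        user.password_version += 1  # every previously issued cookie is now stale
        return True

    def logout_everywhere(self, username: str) -> int:
        """Explicit 'reset active sessions': drop every session for the user."""
        stale = [t for t, s in self.sessions.items() if s.username == username]
        for t in stale:
            del self.sessions[t]
        return len(stale)

    def check_session(self, token: str, enforce_version: bool = True) -> bool:
        sess = self.sessions.get(token)
        if sess is None:
            return False
        user = self.users.get(sess.username)
        if user is None:
            return False
        if enforce_version and sess.issued_version != user.password_version:
            return False  # cookie predates the password change: reject it
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.create_user("alice", "old-pass")
    cookie = store.login("alice", "old-pass")
    store.change_password("alice", "old-pass", "new-pass")
    print("stale cookie accepted (weak):", store.check_session(cookie, enforce_version=False))
    print("stale cookie accepted (fixed):", store.check_session(cookie))
```

Binding the session to a password version costs one integer comparison per request and needs no list of revoked tokens; `logout_everywhere` covers the case where a user wants to drop sessions without changing the password.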


The leak, dubbed “GOAT” (Greatest Of All Time), has attracted significant attention — and confusion. Some media outlets incorrectly reported a direct breach of Google, Facebook, and Apple, which is not true. This leak involves stolen user credentials related to these services, not breaches of the companies’ infrastructure.


As proof, Cybernews published screenshots showing login pages and credentials from major online platforms, all discovered in previously unreported open databases.


The researchers stress that the scale and impact of the leak remain uncertain. Even if only a small fraction of the logins are still valid, tens of millions of accounts could be at risk. To reduce exposure, experts recommend using password managers, enabling MFA, and changing passwords regularly. Since this is just one wave of leaks, and more databases are expected, the situation could be far worse than it appears.