No, 16 billion passwords didn't just get exposed in a mega-hack, but you should get with the program

Looks like hackers are trying to flog a fresh batch of user passwords on the web, again. Or are they? A recent report has been rotating around the web claiming that 16 billion passwords are up for grabs following a "record-breaking data breach", though many cybersecurity experts argue it's not what it seems.

The original report comes from , an outlet that previously claimed to have knowledge of a breach of , and just before that. Woah, that suggests password breaches in excess of billions happen all the time… or do they?

Turns out, what's likely happening here is that someone is putting together one Very Big File including the many data breaches that have occurred in the past. That is, it's not a new data breach; it's a collection of previous ones, known as a package or simply a collection. In this case, this may not even be a single collection: the researcher behind it, Bob Diachenko, , bound together to get to that 16 billion figure. That's the 'breach' that Cybernews is reporting—less of a breach, more of a compilation of breaches from the past however many years. Now That's What I Call Breaches.

Here are well-known malware and cybersecurity experts, vx-underground, on the new package:

Here's another account with a similar note:

Vx-underground makes another good point: if this many passwords had indeed been breached, why aren't any of the companies affected talking about it? And why didn't they talk about the last breach of 26 billion accounts or the billions before that?

According to some reports, Apple, Google, and Facebook have all been included in this breach, and yet these companies remain notably silent on the matter. Looking across various social media platforms, it seems the only people talking about it are other news outlets and a litany of verified accounts on X pushing conspiracy theories about perceived government backdoors being supposedly to blame.

But [[link]] is there anyone or anything to blame here, beyond poor cybersecurity practices over the past few decades? This collection likely came about from a gradual process of hacks occurring over a very long period of time through various channels, using a range of attacks, schemes, and tools.

. They claim there's no evidence of a mass infection that could lead to any number of computers being breached to reach this 16 billion figure. They also claim the package is likely filled with recycled or even fabricated data. Essentially, they're saying the same thing as vx-underground.

A great way to check your own [[link]] login details and for any recent breaches is by visiting . The last breach noted by the site was the Ualabee breach in May 2025, noted in June, containing over 450,000 records from the South American mobility services platform Ualabee. There have been no billions of passwords added to haveibeenpwned's page in recent days.

The largest breach noted by haveibeenpwned is actually a collection of passwords from many sources called Collection #1, which was posted in early 2019. Yep, the same sort of collection as seen here.

So, yes, it's fair to say the language does get a bit fuzzy around what's a data 'breach' and what's not, but a collection of old and likely outdated data poses a significantly reduced risk to a new breach [[link]] exposing up-to-date information and targeted at a single platform or database. Also note that the 26 billion password breach suggested by Cybernews in 2024 isn't logged in the list.

So, should you be worried about your passwords? Well, yes and (a little bit) no. This might not be a new breach of massive proportions as claimed, but it's still a good warning of the dangers of poor cybersecurity practices. If you rely on a single password for multiple websites, you're increasing your risk of theft, fraud, or even identity theft. Grab yourself a password manager—there are many good options, but I'd recommend or from my own experiences with them—and turn on two-factor authentication where possible (2FA).

And don't let me see you use any of the popular passwords noted in , including '123456' and 'password'.

Using a single password for everything was very much my MO when I was a kid, but luckily I lived to see another day, set another password, and with my Runescape account safe. Sadly, I did lose my Adventure Quest login to hackers… don't let those b******s get yours.

Best PC build 2025

👉👈

1. Best CPU:

2. Best motherboard:

3. Best RAM:

4. Best SSD:

5. Best graphics card: or (whichever is cheaper)