The State of Cybersecurity News…¶
Note
Thankfully, it looks like most of the mentioned news outlets are updating with the real information regarding this incident. That does not undo the panic and fear it has already caused.
If you are in any way involved in cybersecurity, you’ve probably heard of this massive 16 billion credential leak.
Here’s the crazy part… the headlines are misleading at best, and fearmongering at worst.
All of these credentials have been leaked before, we dont even have evidence any of these credentials are from Apple, Google or Facebook.
But then why are Newsweek, NYPost, Forbes and many other news articles telling me they are “fresh” leaks?
Because reporting incidents in cybersecurity… sucks right now. (And it is somehow worse on LinkedIn — but that’s a post for a different day…)
The Real Story¶
Bleeping Computer recently released a blog post clearing up the confusion. In this article, they state that these credentials “were likely circulating for some time,” going even further to say that some of this information has potentially been out for years.
All of the companies claimed to be listed in this leak were not involved in recent breaches. The companies mentioned include:
Apple
Google
Various VPN providers
With new information on this “leak” surfacing, Cybernews stated that these datasets contained logs stored in formats very similar to those used by common infostealers and other kinds of malware.
Where Did the Data Come From?¶
So… if all of this data is old, then where did it come from?
As far as we know, it looks like around 30 major recent breaches were compiled into a single database. According to Cybernews they have discovered “30 exposed datasets”, with “tens of millions to 3.5 billion records each”. Cybernews also claims that most of the headlines claming Google, Facebook and Apple leaks are “somewhat inaccurate”.
Cybernews has added various screenshots giving evidence of the datasets existence, the link for the article is in the above hyperlink.
My Take¶
I personally think it’s concerning how quickly major news outlets will pick up and run with completely misleading stories. It’s borderline fearmongering to tell the public that 16 BILLION credentials were just stolen. This is lazy reporting — and it needs to be addressed.
While this is still a major incident in the cybersecurity space it is important to remember that thsi breach was not centralized through a single company.
Sources¶
Bleeping Computer: https://bleepingcomputer.com/news/security/no-the-16-billion-credentials-leak-is-not-a-new-data-breach
Newsweek: https://www.newsweek.com/16-billion-logins-stolen-data-breach-apple-facebooks-google-2088231
NYPost: https://nypost.com/2025/06/20/tech/16-billion-google-apple-other-passwords-leaked-what-to-know/
Note
asrch2 will be out by the end of the year with limited access, stay tuned for some posts (and maybe even a book on LAN attacks!)