16 Billion Passwords Leaked: What Australians Must Do Right Now
Cybersecurity researchers have confirmed the world's largest-ever credential dump — 16 billion stolen logins spread across 30 databases, harvested by infostealer malware from real devices around the globe. Australian government portals, banking logins, and everyday consumer accounts are all in the dataset. Here is what happened, why this leak is different from every previous one, and exactly what you need to do to protect yourself today.
Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.
The Biggest Credential Leak in History — By a Wide Margin
When the Cybernews research team published their findings confirming a 16-billion-record credential dump circulating across underground forums, the cybersecurity community reacted with alarm — and for good reason. Previous record-holding leaks — including the infamous Collections #1–#5 series — had peaked at around 10 billion records. This new dataset dwarfs them all.
The trove comprises 30 separate databases, ranging from tens of millions of entries to a single dataset containing 3.5 billion records alone. Another is named after Telegram and contains approximately 60 million entries. One of the largest individual collections is linked to a Portuguese-speaking user population, suggesting the data was harvested by criminal operations with a broad geographic reach — not confined to any one country or region.
What makes this particularly significant for Australian users is the scope of services represented. The researchers found credentials for Apple, Google, Facebook, GitHub, LinkedIn, Telegram, and numerous government and banking portals. If you have ever created an account for a major online service — and in 2026, who hasn't — your credentials may be in this database.
Why This Leak Is Different: Infostealers, Not Just Old Breaches
In previous mass credential dumps, the data was largely recycled: old breach lists, credential stuffing compilations, and repackaged material that security teams had already been monitoring. Analysts would review the fresh release and often find it was 70–80% known data.
This leak is fundamentally different because a substantial portion of the 16 billion records originates directly from infostealer malware logs — and those records are alarmingly fresh.
How Infostealer Malware Works
An infostealer is a type of malicious software designed specifically to harvest saved credentials, browser sessions, and authentication data from an infected device. Unlike ransomware — which announces itself loudly by encrypting your files — an infostealer is engineered for silence. It installs itself quietly, often through a malicious email attachment, a fake software download, a cracked game or application, or a drive-by browser exploit. Once active, it systematically plunders everything your browser has saved: usernames, passwords, autofill data, credit card details, and critically in this case, active session tokens and authentication cookies.
Session tokens are the invisible keys that keep you logged in to websites after you have authenticated. If an attacker steals your session token, they do not need your password at all — they can simply load the token into their own browser and access your account as if they were you, bypassing two-factor authentication entirely. This is what separates infostealer logs from older breach compilations: the data is not just historical; much of it represents accounts that are actively accessible right now.
The most prolific infostealer families currently in operation include Redline, Vidar, RisePro, Lumma, and StealC. Many are sold as "malware-as-a-service" subscriptions on criminal forums, meaning even low-skilled operators can deploy them for a monthly fee and receive organised, searchable logs of stolen data.
The Australian Dimension: Government Portals and Local Services in the Dataset
For Australians, this is not an abstract global problem. The Cybernews researchers confirmed that the 16 billion records include credentials for government platforms — and Australia operates several large-scale citizen-facing portals including myGov, the ATO online portal, and state government service hubs. These platforms hold tax records, welfare payment data, healthcare information, and identity verification documents. A compromised myGov account could expose a person's entire relationship with the Australian government in a single breach event.
Beyond government systems, Australian banking and financial services platforms are well-represented in infostealer logs globally. The big four banks, superannuation portals, and buy-now-pay-later services are all high-value targets for infostealer operators because financial account credentials can be converted into direct monetary losses faster than credentials for social media or email services.
The Australian Cyber Security Centre (ACSC) has previously warned that infostealer infections are a growing vector for initial access to both consumer and enterprise networks. Once a single device in an organisation is compromised by infostealer malware, the stolen credentials can give attackers a foothold into corporate VPNs, cloud platforms, and internal systems — turning what began as consumer malware into a significant business security incident.
Credential Reuse: The Force Multiplier That Makes This Catastrophic
The 16 billion records alone would be concerning enough. But the practice of password reuse transforms this leak from a significant incident into a potential cascade failure across the internet.
Research consistently shows that between 50% and 65% of people reuse the same password — or minor variations of the same password — across multiple online accounts. In practical terms, this means that a single credential harvested from one compromised device or one breached service can potentially unlock dozens of other accounts belonging to the same person.
Attackers know this, and they exploit it systematically through a technique called credential stuffing: taking a batch of known username-and-password combinations and automatically testing them against high-value targets like banking portals, e-commerce sites, and email services. The process is fully automated and can test millions of combinations per hour using cloud computing resources that cost relatively little to hire.
If you use the same password for your email as you do for your bank, and your email credentials appear in this dump, your bank account may be the next thing compromised — even though your bank was never breached directly.
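The pattern described above has a recognisable signature on the defending side: one source address cycling through many different usernames in a short window, with most attempts failing and the occasional success marking an account that was probably just taken over. The following is an added example (not code from the original post or from any vendor named here) that runs that detection over a handful of constructed login-log lines; the log format, thresholds and IP addresses are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data).
# Format assumed here: timestamp  source-IP  username  outcome
SAMPLE_LOG = """\
2026-01-14T09:00:01Z 203.0.113.7 alice@example.com FAIL
2026-01-14T09:00:02Z 203.0.113.7 bob@example.com FAIL
2026-01-14T09:00:02Z 203.0.113.7 carol@example.com FAIL
2026-01-14T09:00:03Z 203.0.113.7 dave@example.com FAIL
2026-01-14T09:00:03Z 203.0.113.7 erin@example.com FAIL
2026-01-14T09:00:04Z 203.0.113.7 frank@example.com FAIL
2026-01-14T09:00:04Z 203.0.113.7 grace@example.com OK
2026-01-14T09:00:05Z 203.0.113.7 heidi@example.com FAIL
2026-01-14T09:01:10Z 198.51.100.20 alice@example.com FAIL
2026-01-14T09:01:25Z 198.51.100.20 alice@example.com FAIL
2026-01-14T09:01:40Z 198.51.100.20 alice@example.com OK
2026-01-14T09:05:00Z 192.0.2.99 bob@example.com OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Turn raw log lines into (timestamp, ip, user, outcome) tuples, skipping junk."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_stuffing(events, window=timedelta(seconds=60),
                    min_distinct_users=5, min_fail_ratio=0.5):
    """Flag source IPs that, within a sliding time window, tried many *distinct*
    usernames with a high failure ratio. A real person retrying one account
    (198.51.100.20 above) never trips this; a stuffing run does. Any successful
    login inside a flagged run is reported as a likely account takeover."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in sorted(events):
        by_ip[ip].append((ts, user, outcome))

    alerts = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, o in span if o == "FAIL")
            if len(users) >= min_distinct_users and fails / len(span) >= min_fail_ratio:
                alerts[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    "failures": fails,
                    "likely_compromised": sorted(u for _, u, o in span if o == "OK"),
                }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"credential stuffing from {ip}: {info}")
```

The thresholds are deliberately conservative: a single IP hitting five or more different accounts inside a minute with mostly failures is rarely legitimate. In production the same logic would run over a real authentication feed and the "likely_compromised" accounts would get a forced session revocation and password reset rather than a printed line.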
What to Do Right Now: A Practical Action Plan for Australians
1. Assume Your Credentials Are Compromised
Given the scale of this leak — 16 billion records from services used by virtually every person with an internet connection — the safest assumption is that at least one set of your credentials is in this dataset. Treat this as a fact, not a remote possibility, and act accordingly. The ACSC's Have I Been Pwned integration at cyber.gov.au allows Australians to check whether their email addresses appear in known breach datasets. Use it.
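Checking a password against Have I Been Pwned does not require sending the password, or even its full hash, anywhere: the Pwned Passwords service uses k-anonymity, where the client sends only the first five hex characters of the SHA-1 hash and compares the returned list of suffixes locally. The following is an added example, not code from Have I Been Pwned, the ACSC or the original post, showing exactly what leaves the device and what stays. The range response is a constructed stand-in (the breach count shown is illustrative, not the live figure); the `fetch_range` helper shows the real endpoint but is not exercised offline.

```python
import hashlib
import urllib.request


def pwned_range_request(password):
    """Split the SHA-1 hex digest into the 5-char prefix that is sent to the
    service and the 35-char suffix that never leaves the device."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix, response_text):
    """Parse a range response ('SUFFIX:COUNT' per line) and return how many times
    the full hash was seen in breach data, or 0 if it is absent."""
    for line in response_text.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def check_password(password, range_lookup):
    """Full k-anonymity check; `range_lookup(prefix)` returns the response body."""
    prefix, suffix = pwned_range_request(password)
    return count_in_range_response(suffix, range_lookup(prefix))


def fetch_range(prefix):
    """Live lookup against the real Pwned Passwords range endpoint (network)."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"User-Agent": "k-anonymity-demo", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for a range response. The first suffix is the
# real remainder of SHA-1("password"); the count and the other lines are made up.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        f"{'0' * 34}A:2",
        f"{'F' * 34}1:0",  # padding entry with count 0, as Add-Padding produces
    ]) + "\n",
}


def offline_lookup(prefix):
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        prefix, _ = pwned_range_request(pw)
        print(f"{pw!r}: sends prefix {prefix}, seen {check_password(pw, offline_lookup)} times")
```

Because the service only ever sees a five-character prefix shared by hundreds of other hashes, it cannot tell which password was checked; the comparison of the remaining 35 characters happens entirely on the client.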
2. Stop Reusing Passwords — Immediately and Permanently
This is the single most impactful action you can take. Every account you hold should have a completely unique, randomly generated password that you have never used anywhere else. The only practical way to achieve this at scale is with a dedicated password manager.
NordPass is built by the same team as NordVPN and offers end-to-end encrypted storage for unlimited passwords, secure notes, and credit card details. Its built-in password health feature audits your existing passwords and flags any that are weak, reused, or known to appear in breach databases — giving you a prioritised list of accounts to fix first. The password generator creates cryptographically random passwords of any length and complexity with a single click, and autofill handles the friction of using unique credentials on every site.
Switching to a password manager is a one-time effort with permanent, compounding security benefits. Once every account has a unique password, a credential leak anywhere on the internet can only ever expose one account — not your entire digital life.
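The "password health" audit a manager performs is straightforward to reason about: fingerprint each stored password, group entries that share a fingerprint, and flag anything reused or short, then replace the worst offenders with values drawn from a cryptographic random source. The following added example (not NordPass code, nor any other manager's) does that over a constructed five-entry vault; the site names, passwords and 14-character minimum are assumptions for illustration.

```python
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed vault for the demonstration; no real accounts.
VAULT = [
    {"site": "email.example", "password": "Summer2024!"},
    {"site": "bank.example",  "password": "Summer2024!"},
    {"site": "shop.example",  "password": "Summer2024!"},
    {"site": "forum.example", "password": "hunter2"},
    {"site": "code.example",  "password": "Xq7#vL2m$9pR!wZ4kT8n"},
]


def fingerprint(password):
    """Compare hashes rather than plaintext so the audit never needs to hold
    more than one decrypted password at a time."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def audit_vault(vault, min_length=14):
    """Return {site: [issues]} for every entry that is reused or too short,
    ordered so the most widely reused passwords come first."""
    groups = defaultdict(list)
    for entry in vault:
        groups[fingerprint(entry["password"])].append(entry["site"])

    findings = {}
    for entry in vault:
        issues = []
        shared_with = [s for s in groups[fingerprint(entry["password"])] if s != entry["site"]]
        if shared_with:
            issues.append("reused:" + ",".join(sorted(shared_with)))
        if len(entry["password"]) < min_length:
            issues.append("short")
        if issues:
            findings[entry["site"]] = issues
    # Most reused first, then shortest.
    return dict(sorted(findings.items(),
                       key=lambda kv: (-len(groups[fingerprint(next(e["password"] for e in vault if e["site"] == kv[0]))]),
                                       kv[0])))


def generate_password(length=20):
    """Uniformly random password from the CSPRNG, rejecting draws that miss a
    character class so the result always satisfies common site rules."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
            return pw


if __name__ == "__main__":
    for site, issues in audit_vault(VAULT).items():
        print(f"{site}: {issues} -> replace with {generate_password()}")
```

Note the use of `secrets` rather than `random`: the latter is a deterministic generator seeded in a predictable way and is not suitable for producing credentials.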
3. Revoke Active Sessions on Your Most Sensitive Accounts
Because this leak contains stolen session tokens and authentication cookies — not just passwords — changing your password alone may not be sufficient for accounts that were actively targeted by infostealer malware. Most major platforms (Google, Apple, Facebook, your bank) allow you to view and terminate all active login sessions from your account security settings. Log in to each high-value account and force a sign-out of all other active sessions. This invalidates any stolen session tokens an attacker may be holding.
4. Enable Two-Factor Authentication on Every Account That Offers It
Two-factor authentication adds a second layer that stolen passwords alone cannot bypass. Use an authenticator app — Google Authenticator, Authy, or the built-in authenticator in NordPass — rather than SMS-based codes where possible. SMS 2FA is better than no 2FA, but it is vulnerable to SIM-swapping attacks, which remain a persistent problem in Australia. Authenticator apps generate codes locally on your device and cannot be intercepted through your mobile carrier.
5. Protect the Device Itself — Not Just the Accounts
Changing passwords treats the symptom. The root cause is that infostealer malware infects real devices and harvests credentials directly from them. To prevent reinfection, you need to address how the malware gets onto devices in the first place.
Common infostealer delivery methods include phishing emails with malicious attachments, fake software installers (especially pirated applications and games), malicious browser extensions, and compromised download links distributed through social media. Keeping your operating system and all applications fully updated closes the vulnerability windows that drive-by browser exploits rely on. Avoid downloading software from unofficial sources. Be deeply sceptical of any unsolicited email or message that asks you to open an attachment or click a link.
6. Use a VPN on All Networks — Especially Public Wi-Fi
While a VPN alone cannot stop infostealer malware that is already installed on a device, it meaningfully reduces your exposure during the initial compromise phase and protects the transmission of credentials from being intercepted on unsecured networks.
Many infostealer infections originate from phishing pages or malicious downloads that are served over unencrypted HTTP connections or from domains that are newly registered and lack HTTPS certificates. A quality VPN encrypts all traffic between your device and the wider internet, making man-in-the-middle attacks on public Wi-Fi networks — at cafés, airports, hotels, and shopping centres — effectively impossible for casual attackers.
NordVPN includes a feature called Threat Protection, which actively blocks connections to known malware distribution domains, phishing sites, and intrusive trackers before your browser even makes the connection. This provides a meaningful layer of defence against the web-based delivery mechanisms that infostealer campaigns rely on. With servers across Australia and over 111 countries, it also ensures you have fast, local server options whether you are in Sydney, Melbourne, or Brisbane, without sacrificing connection speed for security.
For users who want an alternative option, Surfshark offers similar malware-blocking capabilities through its CleanWeb feature and covers unlimited devices simultaneously — useful for households with multiple phones, tablets, and laptops that all need protection.
What This Leak Tells Us About the Infostealer Economy
The scale of the 16 billion record dump is extraordinary, but the underlying trend it represents has been building for years. Infostealer malware has become one of the most commercially successful segments of the criminal software market precisely because it produces immediately monetisable output — credentials that can be sold, used for direct account takeover, or leveraged to gain initial access into corporate networks.
Security researchers at F5 Labs note that unlike traditional breach data — which degrades in value as organisations force password resets in response to disclosure — infostealer logs retain their value for longer because they include session tokens and other authentication artefacts that are not reset when a user changes their password on the associated site. This makes fresh infostealer logs disproportionately valuable on criminal markets, commanding prices that continue to incentivise the development and deployment of new malware families.
The Australian signals intelligence community — through the Australian Signals Directorate and the ACSC — has flagged the infostealer-to-initial-access pipeline as a growing threat to both government and critical infrastructure organisations. When an employee's personal device is infected with infostealer malware, their saved corporate VPN credentials, cloud platform logins, and internal tool passwords are harvested alongside their personal banking and social media data. The line between personal and professional compromise has effectively disappeared.
The Responsibility of Organisations: It Is Not Just Personal
While individuals can take the steps outlined above to protect their own accounts, this leak also carries significant implications for Australian businesses and government agencies. Stolen employee credentials are one of the most common paths to initial network access in cyber incidents investigated by the ASD. Every organisation that relies on passwords — which is every organisation — should be reviewing its authentication security posture in response to this disclosure.
At minimum, organisations should be cross-referencing their corporate email domains against available breach monitoring services, enforcing multi-factor authentication for all remote access systems, and considering whether their VPN access credentials may be among the billions of records now circulating in criminal markets. For website operators concerned about their platforms being targeted by credential stuffing attacks, a web application firewall with bot detection capabilities — such as those offered by Sucuri — can detect and block automated login attempts before they succeed.
The Bottom Line for Australians
The 16 billion record credential leak is not a distant problem happening to someone else in another country. Australian accounts are confirmed to be in the dataset. The infostealer malware that generated much of this data is actively circulating right now, infecting new devices every day. And credential stuffing tools that can turn this data into account takeovers are available for hire to anyone with a modest criminal budget.
The good news is that the protective steps are clear, they work, and they are accessible to anyone. Stop reusing passwords. Use a password manager. Enable two-factor authentication everywhere. Revoke active sessions on your most sensitive accounts. Use a VPN that blocks malicious domains on any network you don't fully control. These actions, taken together, transform you from a soft target into one that most automated attacks will simply pass over in search of easier victims.
In 2026, security is not about achieving perfect immunity — it is about being meaningfully harder to compromise than the next person. The 16 billion record dump has put billions of people at elevated risk. The Australians who act on this information today will be the ones who do not face an account takeover tomorrow.
Stop Credential Theft Before It Starts
A password manager and a VPN are the two most impactful tools you can add to your security stack today. Check out our recommended security tools for our top picks for Australian users.