Sixteen billion passwords may have been stolen. Here's how to protect yourself

What we know about the leak so far and how people can protect themselves from its repercussions.
A visitor looks at his phone at the Mobile World Congress 2024 in Barcelona, Spain, Feb. 27, 2024. (AP Photo/Pau Venteo, File)

TORONTO — A Lithuanian cybersecurity news outlet says it uncovered a leak of 16 billion passwords that may grant access to Apple, Google and Facebook accounts and more.

Cybernews warns the data is "a blueprint for mass exploitation" because it could give cybercriminals unprecedented access to information that can be used for account takeovers, identity theft and highly targeted attacks.

Here's what we know about the leak so far and how people can protect themselves from its repercussions.

What do we know about the leak?

Cybersecurity experts are strongly speculating that the data was leaked through infostealers, said Robert Falzon, head of engineering at security software firm Check Point.

Infostealers are pieces of malware users are duped into clicking on, which then install something on their computer, "which just kind of sits and listens to the computer while you're typing things from the keyboard."

The malware can detect when you're logging into an account and can copy whatever you've input to send it to a database of credentials hackers compile.

"As a result of that, we end up with these giant repositories on the dark net filled with lists and lists and lists of usernames and passwords and credentials that have been stolen from users all around the world and that are being bought and sold as commodities," Falzon said.

Is all this leaked data new?

That's up for debate. Cybernews says "the data is recent, not merely recycled from old breaches," but others disagree.

"It's really hard to track the provenance of all of it," Falzon said, because some hackers package data together from several leaks to resell.

The only way to figure out how new it is would be to obtain other leaks and cross-compare the data.

Why is it worrisome?

"If hackers manage to get their hands on your password for Google, Apple, or Facebook, stealing your money and identity may be easier than taking candy from a three-year-old," Ignas Valancius, head of engineering at cybersecurity company NordPass, said in a press release.

That's because hackers use the logins they obtain for credential stuffing — a practice where criminals get access to accounts by inputting stolen login information into websites.

If you reuse your passwords across several websites or services, a hacker may be able to get into your bank account and steal money, get into your favourite retailer accounts and drain your loyalty points, or even find your address and birthday and use them for identity theft, Falzon said.

How can I find out if my data was in the breach?

Figuring out if you've been a victim of the breach would take obtaining the data and searching through it for your credentials.

Because only an "extreme minority" of people have never been breached in general, Falzon said you're always best off assuming your info is part of the leak.

What can Canadians do to protect themselves?

Cybersecurity experts are unanimous in advising people to change their passwords regularly, especially after leaks, to avoid becoming the victim of credential stuffing.

But long before a breach happens, they say there are several things people can do to protect themselves.

The most obvious is varying your passwords and avoiding reusing them. When you recycle passwords across several websites or services or make them easy to guess, it means hackers won't have much of a struggle accessing many of your accounts.

Multifactor authentication can also offer a layer of security. When someone attempts to log in to an account, it forces them to enter a code sent by email or text before they can get access. The process helps users thwart hacking attempts.

I have so many accounts to keep track of and changing my passwords with every breach is making it hard to remember them all. What can I do?

Some cybersecurity experts are fans of password managers. These services create strong, unique passwords for each account you have. Then, the manager stores them in an encrypted account you can quickly access anytime you need to enter a password.

However, other experts argue password managers can have varying levels of encryption and warn that if the one you are using is breached, all of your passwords may be vulnerable.

So what else can I do?

Many experts advise people to use passkeys, when possible. Passkeys are digital credentials able to unlock accounts with a mere flash of your face or fingerprint scan on your phone.

They are considered to be more secure than passwords because there is no string of characters, numbers and symbols to memorize, making them harder to hack. They don’t need to be changed, can’t be stolen by someone guessing or peeking over your shoulder and there’s no way to accidentally use one on the wrong website.

Not all websites and services accept passkeys but several big players like Apple, Shopify, Microsoft, DocuSign and PayPal do.

This report by The Canadian Press was first published June 20, 2025.

Tara Deschamps, The Canadian Press