16 Billion Passwords Leaked: How to Check If You're Affected

In January 2026, security researchers discovered 30 unsecured databases containing approximately 16 billion username-password pairs — the largest credential leak in history. The exposed data includes login credentials for Google, Apple, Facebook, GitHub, Telegram, and even government platforms.

If you use the internet, there's a significant chance your credentials are in this leak.

What Was Exposed

The leak includes:

• 16 billion login credentials across 30 datasets
• Some datasets containing up to 3.5 billion records each
• Credentials from virtually every major online service
• Both old breach data and fresh infostealer logs
• Session tokens, cookies, and metadata in many cases

This isn't just recycled data from old breaches. Researchers found newly compiled, structured data ready for exploitation — including recent infostealer malware logs with active session tokens.

How to Check If You're Affected

Step 1: Check Have I Been Pwned

Visit haveibeenpwned.com and enter your email addresses. This database is regularly updated with breach data and will tell you which breaches include your credentials.

Step 2: Use Your Password Manager's Breach Monitor

Most password managers offer breach monitoring:

• 1Password: Watchtower alerts you to compromised accounts
• Bitwarden: Data Breach Report shows exposed credentials
• Dashlane: Dark Web Monitoring scans for your info
• Google Password Manager: Check passwords at passwords.google.com

Step 3: Check Google's Dark Web Report

If you have a Google account:

1. Go to myaccount.google.com
2. Navigate to Security → Dark web report
3. Run a scan to see if your info appears on the dark web

Step 4: Monitor Your Financial Accounts

Even if your email doesn't appear in known breaches, monitor your bank and credit card statements for unauthorized activity. Attackers often test credentials on financial services first.

What to Do If You're Compromised

Immediate Actions

1. Change compromised passwords immediately

Start with your most critical accounts:

• Email accounts (they're used for password resets)
• Banking and financial services
• Cloud storage (Google Drive, iCloud, Dropbox)
• Social media accounts

2. Enable two-factor authentication everywhere

Even if attackers have your password, 2FA blocks unauthorized access:

• Use authenticator apps (Google Authenticator, Authy) over SMS
• Consider hardware keys (YubiKey) for critical accounts
• Enable 2FA on your email first — it's the master key to everything else

3. Check for unauthorized access

Review recent activity on your accounts:

• Google: myactivity.google.com
• Facebook: Settings → Security → Where you're logged in
• Apple: Settings → [Your Name] → Devices

4. Revoke suspicious sessions

Log out of all devices and sessions you don't recognize. Most services have a "Sign out of all devices" option.

Long-term Protection

Use unique passwords for every account

The reason credential leaks are so dangerous is password reuse. If you use the same password on multiple sites, one breach compromises all of them.

Use a password manager to generate and store unique, strong passwords for every account.

Consider switching to passkeys

Passkeys are phishing-resistant and can't be leaked in data breaches:

• Google, Apple, and Microsoft now support passkeys
• They use biometric authentication (fingerprint, face) instead of passwords
• No password means nothing to steal

Set up breach alerts

• Enable notifications from Have I Been Pwned
• Turn on your password manager's breach monitoring
• Set up Google's dark web monitoring

How to Share Credentials Safely Going Forward

One reason credentials end up in breaches is unsafe sharing practices. People paste passwords in:

• Slack or Teams messages (stored on servers)
• Email (often unencrypted, searchable)
• Text messages (backed up to cloud)
• Shared documents (persistent access)

Use Secure, Expiring Channels

When you need to share a password with someone:

1. Never send passwords in plain text through regular messaging
2. Use a password manager's sharing feature if both parties use the same manager
3. Use self-destructing secure notes for one-time sharing

Services like LOCK.PUB let you create a password-protected note that:

• Self-destructs after being read once
• Expires after a set time (1 hour, 24 hours)
• Can't be accessed again after viewing

Example workflow:

• Create a secure note with the password
• Set it to expire in 1 hour
• Send the link through one channel
• Send the access password through a different channel
• The credential can never be retrieved again after viewing

The Bigger Picture

This 16 billion credential leak is a symptom of a larger problem: passwords are fundamentally broken.

Key statistics:

• 94% of passwords are reused across accounts
• Only 3% of passwords meet NIST complexity requirements
• Credential-based attacks account for nearly half of all breaches

The industry is moving toward passkeys and passwordless authentication. In the meantime:

• Use unique passwords everywhere
• Enable 2FA on all accounts
• Monitor for breaches regularly
• Share credentials only through secure, expiring channels

Check Yourself Now

Don't wait until you notice unauthorized charges or locked accounts. Take 10 minutes today to:

1. Check haveibeenpwned.com for your email addresses
2. Run your password manager's breach report
3. Enable 2FA on your top 10 most important accounts
4. Change any passwords that appear in breaches

The leak has already happened. What matters now is how quickly you respond.

Share credentials securely with self-destructing notes →