In June 2025, cybersecurity researchers at Cybernews blew the lid off what might be the largest collection of stolen login data ever recorded.
Unlike previous leaks tied to a single hack, this was the end result of years of sneaky malware attacks: info-stealing software quietly harvested passwords, cookies, and even session tokens from compromised devices, then dumped them into nearly 30 massive data sets. These data sets were sitting wide open on the internet for anyone to download using just a browser.
According to Cybernews, accounts linked to Google, Apple, Facebook, GitHub, Telegram, and even government systems are reportedly among the haul. In some cases, data sets contain up to 3.5 billion individual records.
Why Do Passwords Keep Failing?
The internet still runs on passwords. Most reuse the same few across dozens of sites. If one gets stolen, hackers can easily try it everywhere else, setting up the premise of “credential stuffing.” Worse, the leak also includes session tokens, equivalent to VIP passes for already-logged-in accounts. With those, attackers don’t even need a user’s password to get in.
Sure, one can still use a password manager, enable two-factor authentication, and turn on all the security bells and whistles. But with leaks of this size and frequency, many experts are now asking the bigger question: Why are we still using passwords at all?
Bob Wambach, Vice President, Portfolio and Strategy at Dynatrace, said, “Passwords were once the cornerstone of digital security. But today, they have become a growing risk, often exploited by sophisticated attackers. Static credentials alone can no longer defend the complexity of modern digital ecosystems.”
The Future of Identity
Self-Sovereign Identity (SSI) is turning digital ID from a database risk into a personal asset. Instead of handing over credentials to centralized platforms, users can store them in encrypted wallets, proving things like age or citizenship without oversharing.
Governments are already on it. The EU, under eIDAS 2.0 and the European Blockchain Services Infrastructure (EBSI), is issuing blockchain-based diplomas and licenses. Germany and South Korea are piloting national ID systems on-chain. Startups like Dock Labs and Polygon ID are building the rails for broader adoption.
But the tech still has rough edges. Lose your device, and recovery is a pain. GDPR regulators are wrestling with what “immutable” means for privacy. And yes—most websites still ask for your email and password.
Meanwhile, 16 billion passwords are floating around online. According to Cybernews researcher Aras Nazarovas, the fix is basic:
-
Reset your passwords—even if you think you’re safe
-
Don’t reuse them
-
Turn on 2FA
-
Monitor your accounts
-
Flag any weird activity fast
