Unfortunately, we have a new record for the largest data breach in history, dwarfing the National Public Data Breach and the Mother of All Data Breaches (MOAB).
16 billion unique login records were recently found to be exposed in online databases. And just to be clear, these are completely new exposures, not just a repackaging of old data. To make matters worse, they include login credentials for the services many of us use on a daily basis, including Apple, Google, Facebook, GitHub, and many more.
In this blog, we'll explore what this data breach (and the current state of cybersecurity) means for individuals and businesses moving forward.
Why This Data Leak Is Especially Dangerous
Here's what makes this different from your typical "Oops, we got hacked" situation, which is becoming far, far too common.
Instead of just hitting one company, cybercriminals collected login credentials from many different places and then organized everything they stole into giant databases. That way, any criminal with access can get a fairly comprehensive picture of your digital life, which they can then use to launch more sophisticated attacks against you, your colleagues, and your friends.
What Hackers Can Potentially Do With This Data
There are plenty of reasons that hackers are very interested in this kind of information, and it's not so they can watch AppleTV on your dime.
Get Access To Other Accounts With the Same Password
Cybersecurity experts (and hopefully your boss, your mom, and every smart person you know) have all been telling you not to reuse passwords. Data breaches like this are a big reason why.
Let's say some cybercriminal now has your Facebook password, but you also use that password to log into your bank, a sensitive account at work, and more. Any cybercriminal with that single password can use it as a skeleton key to do all sorts of things, including draining your savings account.
Get Access to Other Accounts With Different Passwords
If a cybercriminal has access to your email account, they can start using it to verify fraudulent password reset requests for other, more sensitive accounts, like healthcare portals, financial accounts, and more.
Make It Very Difficult for You To Spot a Scam
You've probably noticed this trend. Email scams have become much more convincing since cybercriminals have started using AI. The grammar and spelling errors that used to accompany scams are no longer there, and it can take a trained eye to spot the difference between a legitimate email and a phishing scam.
But now, cybercriminals have more access to your personal information. So in addition to sending an email that looks professional, they can include the kinds of personal details that inspire trust.
Here's a hypothetical — you receive an email that looks like it's from Instagram, which you use. It looks completely legitimate, mentions your actual username, and asks you to verify your account. How many people would take the time to verify the sender's email was legitimate, or even think through the possibility that account verification could, in fact, be a phishing scam?
The more information scammers have about you, the more they can make their scams look like legitimate communication, either between you and a friend, or between you and, say, your bank.
Use What They Already Know To Get Even More Data
The more data a criminal has about you, the easier it is for them to trick you, the people you work with, your friends, or the companies you do business with, into giving up even more information about you.
Steal Your Identity
Think of each data breach like a piece of a puzzle. Chances are good that your Social Security number is already on the dark web from previous data breaches, along with your full name, address, and phone number.
Combine that data with what's available now, like your email accounts, passwords, and other online accounts, and they could put that together to take out a loan or open a new credit card in your name.
Launch More Successful Ransomware Attacks
A cybercriminal with access to a trusted colleague's email address could use it to trick coworkers into downloading malware, including ransomware. And the more a cybercriminal knows about the targets of their attacks, the better they are at sounding legitimate.
What You Can Do To Protect Yourself
Here's what we recommend doing ASAP:
- Change your passwords, prioritizing email, banking, cloud, and government accounts
- Enable multifactor authentication (MFA) wherever possible, which can help protect you even if your passwords are compromised
- Adopt a password manager to generate and store strong, unique credentials for each account
- Switch to passkeys when possible to resist phishing scams
- Check to see if your email or password has been leaked using tools like Have I Been Pwned?
- Subscribe to dark web monitoring services to monitor for compromised credentials
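The "has my password been leaked" check above can be done without ever sending the password (or its full hash) to anyone: the Have I Been Pwned Pwned Passwords service uses a k-anonymity scheme in which you send only the first five hex characters of the password's SHA-1 hash and receive every matching hash suffix with its breach count, then compare locally. The following is an added example written for this post, not code from Have I Been Pwned; the leaked-password set it uses to simulate the service's response is constructed here so the check runs offline, and the `fetch_range_online` function (which calls the real `api.pwnedpasswords.com/range/` endpoint) is included only to show how the same logic plugs into the live API.

```python
import hashlib
import urllib.request

API_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form Pwned Passwords indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hash_hex: str):
    """k-anonymity split: the 5-char prefix leaves the machine, the suffix never does."""
    return hash_hex[:5], hash_hex[5:]


# Constructed sample of "already leaked" passwords with made-up breach counts.
# This stands in for the service's database so the example runs offline.
CONSTRUCTED_LEAKED = {
    "password123": 9_000_000,
    "letmein": 250_000,
    "Summer2025!": 3,
}


def build_range_response(prefix: str) -> str:
    """Simulate the range endpoint: return 'SUFFIX:COUNT' lines for every
    constructed leaked password whose SHA-1 starts with the given prefix."""
    lines = []
    for pw, count in CONSTRUCTED_LEAKED.items():
        p, suffix = split_hash(sha1_hex(pw))
        if p == prefix:
            lines.append(f"{suffix}:{count}")
    return "\r\n".join(lines)


def fetch_range_online(prefix: str) -> str:
    """Live lookup against the real API (not called by default in this example).
    Add-Padding asks the service to mix in dummy zero-count entries so the
    response size does not reveal how many real matches the prefix has."""
    req = urllib.request.Request(
        API_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}. Padding entries
    (count 0) parse fine and simply never count as a breach."""
    matches = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        matches[suffix.upper()] = int(count)
    return matches


def breach_count(password: str, fetch_range=build_range_response) -> int:
    """How many times the password appears in the (simulated) breach corpus.
    Only the hash prefix is passed to fetch_range; the comparison is local."""
    prefix, suffix = split_hash(sha1_hex(password))
    matches = parse_range_response(fetch_range(prefix))
    return matches.get(suffix, 0)


def password_acceptable(password: str, fetch_range=build_range_response) -> bool:
    """Policy hook for a password-reset flow: reject any password seen in a breach."""
    return breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for candidate in ("password123", "Summer2025!", "a long unique passphrase"):
        print(f"{candidate!r}: seen {breach_count(candidate)} times, "
              f"acceptable={password_acceptable(candidate)}")
```

To run the same check against the live service, pass `fetch_range=fetch_range_online` to `breach_count`; nothing else changes, because the privacy property comes from the prefix split, not from where the range data is fetched. The same `password_acceptable` hook is what a business would wire into the forced-reset flow recommended below, so that users cannot replace a breached password with another one that is already in the corpus.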
What Businesses Should Do To Protect Themselves
This data breach, and others like it, should be wake-up calls. Unfortunately, way too many organizations still believe either that cybercriminals are so smart that you can't resist them, or that cybercriminals are so busy going after bigger fish that there's nothing to worry about.
The truth is that basic cybersecurity hygiene is enough to stand up to almost all cyberattacks. Unfortunately, the easier we make it for cybercriminals to reap huge profits in a few clicks, the more likely it is that smaller organizations all over the world will experience devastating attacks.
Not every organization needs to be Fort Knox! However, these should be your immediate next steps, if you haven't already taken them:
- Treat password hygiene and MFA as non-negotiables
- Consider proactive measures like managed security services and incident response planning
- Recommend or force a password reset for critical applications
- Employee awareness: advise employees of the breach and remind them to stay vigilant for the phishing attacks that follow such news, along the lines of "We noticed your password was involved in this breach, click here to change it."
Cybersecurity best practices are constantly evolving! Our cybersecurity experts teamed up to create a short quiz to assess your current posture.