Moor Studio/Getty
With so much news about data breaches, you have to be careful not to panic each time you hear of a new one. Take the latest report of a major breach.
In the headline for a recent story published by Cybernews, the cybersecurity media outlet said that 16 billion passwords were exposed in a record-breaking data breach, opening access to Facebook, Google, Apple, and any other service imaginable. Sounds scary, right? But reading the story itself paints a different picture.
Also: 184 million passwords for Google, Microsoft, Facebook, and more leaked in massive data breach
Despite what the headline says, the reported 16 billion passwords didn't come from a single massive data breach. Rather, this is based on 30 different datasets that Cybernews said it's been monitoring since the beginning of 2025.
"Our team has been closely monitoring the web since the beginning of the year," Cybernews said. "So far, they've discovered 30 exposed datasets containing from tens of millions to over 3.5 billion records each. In total, the researchers uncovered an unimaginable 16 billion records."
Further down in the story, Cybernews reveals that the datasets were briefly exposed, only enough for researchers to find them, but not long enough to find the source of the data. Plus, the data itself isn't necessarily new. Cybernews pointed to the datasets as a mixture of information from infostealer malware, credential stuffing sets, and repackaged leaks.
As the leaks come from multiple datasets, there are likely many duplicate records in the mix, which means that the 16 billion number is probably inflated.
Also: The best VPN services right now
Further, Cybernews blamed other media outlets for claiming that Facebook, Google, and Apple credentials were leaked. But Bob Diachenko, a Cybernews contributor, cybersecurity researcher, and owner of SecurityDiscovery.com told Cybernews that there was no centralized data breach at any of those companies. That doesn't mean no credentials from these major tech players were included in the datasets, but simply that they themselves weren't directly hit by breaches in which data was leaked in these incidents.
... continue reading