16 billion passwords exposed: Synthient credential stuffing threat explained

Synthient researchers discovered 16 billion exposed credentials now being used for credential stuffing attacks. Learn how the infostealer breach affects Facebook, Apple, and Google accounts, and what to do right now.

Tags: security, breaches, passwords, infostealers, 2025

In what's being called the "G.O.A.T. of all data breaches," security researchers at Synthient have discovered a massive cache of 16 billion login records exposed online. This Synthient credential stuffing threat is real—criminals are actively using these credentials to break into accounts across every major platform.

This isn't old, recycled data. It's fresh credentials stolen by infostealer malware in 2024 and 2025, and the scale is staggering.

What was exposed

According to Cybernews and Synthient's analysis, the dataset includes:

Data type                  Scope
Stolen passwords           1.3 billion
Email addresses            2 billion
Total login records        16 billion
Major platforms affected   Facebook, Apple, Google, Microsoft

The data was compiled from multiple infostealer operations—malware specifically designed to harvest credentials from infected devices. Tools like RedLine, Raccoon, and Vidar have been linked to massive data hauls, including incidents connected to the Snowflake breaches in 2024 and 2025.

This isn't a traditional breach

Here's what makes this different from a typical data breach:

Traditional breach: A company gets hacked, their database is stolen, and user credentials from that single service are exposed.

Infostealer compilation: Malware running on millions of infected devices continuously harvests credentials from every service the victim uses. One infected device might expose passwords for 50+ accounts.

This means the 16 billion records don't represent one breached company. They represent credentials stolen directly from end users across every service they access.

Why infostealers are exploding

The underground economy for credential theft has professionalized:

1. Malware-as-a-Service

You don't need technical skills to deploy infostealers anymore. Underground forums offer subscription access to malware dashboards, complete with customer support and regular updates.

2. AI-powered distribution

Attackers use AI to generate convincing phishing emails that trick users into downloading infected files. The sophistication is increasing while the barrier to entry drops.

3. Massive ROI

Stolen credentials are immediately monetizable:

  • Direct account takeover for fraud
  • Credential stuffing attacks against other services
  • Sale on underground markets
  • Corporate network access (premium pricing)

Are you affected?

The honest answer: possibly.

If you've used the internet in the past two years on a device that could have been compromised, your credentials may be in this dataset. The exposed data includes login records for:

  • Major email providers (Gmail, Outlook, Yahoo)
  • Social media platforms (Facebook, Instagram)
  • Tech giants (Apple, Google, Microsoft accounts)
  • E-commerce sites (Amazon, eBay)
  • Financial services
  • Countless other platforms

How to check

  1. Have I Been Pwned: Visit haveibeenpwned.com and enter your email addresses to see if they appear in known breaches

  2. Password manager breach alerts: Many password managers (1Password, Bitwarden, Dashlane) offer breach monitoring that will alert you to exposed credentials

  3. Account security checkups: Google, Microsoft, and Apple all offer security review tools that can identify compromised accounts

The cascade risk

What makes credential exposure particularly dangerous is the cascade effect:

Compromised Gmail account
    → Password reset access to dozens of other accounts
    → Email history reveals other services you use
    → Security questions answered in old emails
        → Full identity takeover potential

Attackers don't just use stolen credentials for the original service. They test them everywhere. Password reuse means one leak compromises multiple accounts.

What to do right now

Immediate actions (next 24 hours)

  1. Check critical accounts first

    • Email accounts (Gmail, Outlook, etc.)
    • Financial accounts (banks, investment)
    • Work/corporate accounts
  2. Enable MFA everywhere it's available

    • Even if your password is leaked, MFA blocks unauthorized access
    • Use authenticator apps over SMS when possible
  3. Change high-value passwords immediately

    • Banking and financial
    • Primary email account
    • Work accounts
    • Anything with payment info stored

This week

  1. Audit your password reuse

    • Export your password manager data
    • Identify passwords used on multiple sites
    • Prioritize changing duplicates
  2. Review active sessions

    • Google, Microsoft, Apple all show active logins
    • Revoke any sessions you don't recognize
  3. Set up breach monitoring

    • Enable alerts in your password manager
    • Consider services like Have I Been Pwned notifications
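
For the "Audit your password reuse" step above, an added example (not part of the original post and not Dosel's code) that groups a password manager CSV export by password and lists the reuse groups, those touching a high-value account first. The column names, the sample rows and the HIGH_VALUE_HOSTS list are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample export. The column names are an assumption: map
# them to whatever your password manager's CSV export actually uses.
SAMPLE_EXPORT = """name,login_uri,login_username,login_password
Gmail,https://accounts.google.com,alice@example.com,Summer2024!
Forum,https://forum.example.org,alice,Summer2024!
Shop,https://shop.example.net/login,alice@example.com,Summer2024!
Bank,https://bank.example.com,alice,x9$Lq2#vT8pW
News,https://news.example.org,alice,hunter2
Wiki,https://wiki.example.org,alice,hunter2
"""

# Hypothetical list of hosts treated as high value (email, financial, work).
HIGH_VALUE_HOSTS = {"accounts.google.com", "bank.example.com"}


def find_reused(export_csv, high_value=HIGH_VALUE_HOSTS):
    """Return groups of sites sharing one password, riskiest group first."""
    groups = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_csv)):
        password = row["login_password"]
        if not password:
            continue  # entry has no stored password
        host = urlparse(row["login_uri"]).hostname or row["name"]
        # The password is only a grouping key; it never enters the report.
        groups[password].add(host)

    reused = []
    for hosts in groups.values():
        if len(hosts) < 2:
            continue  # used on a single site, so not reuse
        reused.append({
            "hosts": sorted(hosts),
            "touches_high_value": any(h in high_value for h in hosts),
        })
    # Groups that include a high-value account first, then the widest reuse.
    reused.sort(key=lambda g: (not g["touches_high_value"], -len(g["hosts"])))
    return reused


if __name__ == "__main__":
    for group in find_reused(SAMPLE_EXPORT):
        flag = "HIGH" if group["touches_high_value"] else "low "
        print(flag, ", ".join(group["hosts"]))
```

A CSV export holds every password in plaintext, so run the audit locally and delete the export file once the duplicates are listed.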

The rotation problem

Here's the uncomfortable reality: most people know they should change their passwords after a breach. Almost nobody does.

Why? Because it's tedious. If you have 100+ accounts and even 20 might be compromised, that's hours of:

  • Navigating to each site
  • Finding the password settings (never in the same place)
  • Going through each site's unique change flow
  • Generating and storing new passwords
  • Hoping you don't get locked out

This friction is why the average organization takes 94 days to remediate compromised credentials. Individuals don't even get measured—but the delay is likely longer.

The infostealer evolution

What's particularly concerning about this leak is what it signals for the future:

Volume is increasing

The 16 billion records discovered by Synthient dwarf previous compilations. Infostealer operations are scaling.

Data is fresher

This isn't decade-old recycled breaches. The credentials are recent—2024 and 2025—meaning they're more likely to still be valid.

Distribution is widening

What used to require sophisticated attackers is now available to anyone with cryptocurrency and access to underground forums.

Detection is harder

Modern infostealers are designed to evade antivirus and operate silently. Many victims never know they're compromised.

Beyond this breach

The 16 billion record discovery is massive, but it's part of a larger trend. Credential theft surged 160% in 2025, with 1.8 billion credentials stolen in the first half of the year alone.

The question isn't whether your credentials will eventually be exposed. It's how quickly you respond when they are.

Why we built Dosel

Breaches like this are exactly why we exist.

When 16 billion passwords are floating around underground markets, telling people to "change your passwords" isn't enough. The process is too tedious, too time-consuming, and too easy to put off.

So we automated it.

Dosel uses AI to handle the clicking and navigation while you maintain control:

  1. Import your accounts from any password manager
  2. Select which passwords need changing
  3. Let AI navigate each site and complete the changes
  4. Export updated credentials back to your password manager

No passwords leave your machine. Zero-knowledge architecture. The AI sees your screen but never your credentials.

Because the only thing worse than being in a 16 billion record breach is doing nothing about it for 94 days.

Download Dosel and start rotating your at-risk credentials today. The free tier handles 5 passwords per month—enough to tackle your most critical accounts immediately.

Questions about whether you're affected or how to protect your accounts? Reach out at hello@dosel.app.