
16 billion passwords data breach: What to do right now

The 16 billion passwords data breach exposed credentials from Google, Apple, and Facebook. Here's what to do: check if you're affected, change passwords fast with AI automation, enable 2FA, and protect yourself from credential stuffing attacks.


In June 2025, security researchers at Cybernews discovered the largest data breach compilation ever assembled: 16 billion stolen passwords from Google, Apple, Facebook, and thousands of other services. This 16 billion passwords data breach represents years of infostealer malware, phishing attacks, and corporate breaches combined.

This isn't a single breach. It's an aggregated database of dark web credentials that criminals are actively using for credential stuffing attacks. If you've used the internet, you're likely affected by this massive data breach.

The uncomfortable reality: If you've used the internet for more than a few years, some of your passwords are almost certainly in this pile.

The good news: You can change all your passwords fast using AI automation tools. Here's exactly what to do about it.

Step 1: Check if you've been exposed

Before panicking, find out which of your accounts are actually compromised.

Use Have I Been Pwned:

  1. Go to haveibeenpwned.com
  2. Enter your email address(es)
  3. Review which breaches include your data

What the results mean:

| Result | What it means |
| --- | --- |
| "Pwned in X breaches" | Your email/password combo was exposed in those incidents |
| Check each breach date | Anything before your last password change is a problem |
| Multiple emails? | Check all of them (work, personal, old accounts) |

Most people discover they're in 5-15 breaches. Don't be alarmed—but do act.

Step 2: Prioritize which passwords to change

You probably have 100+ accounts. You don't need to change them all today, but you need to change the critical ones immediately.

Priority 1 — Change today

  • Email accounts (Gmail, Outlook, etc.) — the master key to everything
  • Banking and financial accounts
  • Password manager master password
  • Work/corporate accounts

Priority 2 — Change this week

  • Social media (Facebook, Instagram, LinkedIn, Twitter)
  • Shopping sites with saved payment info (Amazon, etc.)
  • Healthcare portals
  • Government accounts (IRS, SSA, DMV)

Priority 3 — Change when possible

  • Streaming services
  • News subscriptions
  • Forums and communities
  • Anything without payment info attached

Step 3: Change your passwords (the hard part)

Here's where most people stop. You know you should change your passwords. But doing it manually means:

  • Navigate to site
  • Find Settings → Security → Change Password
  • Enter old password
  • Generate new password
  • Copy and paste carefully
  • Save to password manager
  • Repeat 50-150 times

Research from Carnegie Mellon found that only 33% of breach victims actually change their passwords, and most take over 3 months to do it. The friction is just too high.

Option A: Manual approach (free, slow)

If you have time, work through the priority list above. Budget 2-3 minutes per account. For 50 accounts, that's ~2.5 hours of focused clicking.

Tips for manual changes:

  • Use your password manager's generator for each new password
  • Make passwords 16+ characters with mixed case, numbers, symbols
  • Never reuse passwords across sites
  • Enable 2FA on every account that offers it

Option B: Automated approach (fast, requires tool)

If you have 100+ accounts or limited time, automation is the only realistic path.

Google Chrome's new feature (limited): Google recently added automatic password changes, but it only works on partner sites like Spotify, Duolingo, and H&M. Most sites aren't supported yet.

Dedicated automation tools: Apps like Dosel use AI browser automation to change passwords across any website—not just partners. You import your passwords, select which to change, and the AI handles navigating each site.

The key is to actually get it done, whichever method you choose.

Step 4: Enable two-factor authentication (2FA)

Even with a strong, unique password, 2FA is your safety net. If a password leaks in a future breach, 2FA stops attackers from getting in.

Best 2FA methods (ranked)

  1. Hardware keys (YubiKey) — Most secure, requires physical device
  2. Authenticator apps (Google Authenticator, Authy) — Very secure, phone-based
  3. SMS codes — Better than nothing, but vulnerable to SIM swapping

Enable 2FA on these accounts first

  • Email (critical—this is how password resets work)
  • Banking/financial
  • Social media
  • Cloud storage (Google Drive, Dropbox, iCloud)

Step 5: Freeze your credit

If your Social Security number was exposed (check the breach details), freeze your credit immediately. This prevents criminals from opening new accounts in your name.

How to freeze (free, takes 10 minutes)

You'll get a PIN to unfreeze when you need to apply for credit.

Step 6: Stay vigilant going forward

Breaches will keep happening. Build habits that minimize damage:

Monthly

  • Check Have I Been Pwned for new breaches
  • Review bank and credit card statements for unauthorized charges
  • Check credit report (free weekly at AnnualCreditReport.com)

When you see breach news

  • Check if you had an account with that company
  • Change that password immediately
  • Change any accounts using the same password

Use a password manager

If you're not using one, start. 1Password, Bitwarden, and Dashlane all work well. The goal is unique, random passwords for every account—impossible to remember manually, trivial with a manager.

How to change all your passwords fast (without losing your mind)

Let's be honest: nobody has 8 hours to spend clicking through password change forms. Here's how to change all your passwords fast:

Password breach response checklist

Use this checklist to track your progress:

  • Check Have I Been Pwned for all email addresses
  • List all accounts using compromised passwords
  • Change Priority 1 accounts (email, banking) immediately
  • Enable 2FA on critical accounts
  • Change Priority 2-3 accounts within 72 hours
  • Freeze credit if SSN was exposed
  • Set calendar reminder to check for new breaches monthly
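One way to work through the "list all accounts using compromised passwords" item is to audit a password manager's CSV export for reuse and short passwords, sorted by the priority tiers from Step 2. This is an added example, not code from Dosel or any password manager; the column names, the sample rows and the hostname keywords in `TIERS` are assumptions made for illustration.

```python
import csv
import hashlib
import io
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample export. Column names are an assumption; adjust to your manager.
SAMPLE_CSV = """name,url,username,password
Gmail,https://accounts.google.com/,me@example.com,Summer2019!
Bank,https://online.examplebank.com/login,me@example.com,x7#Qv9!mLp2$Zr8@Wt
Forum,https://forum.example.org/,me,Summer2019!
Shop,https://shop.example.net/,me@example.com,Summer2019!
News,https://news.example.com/,me@example.com,k3Y&uT5^bN1*eH6(jD
"""

# Hypothetical hostname keywords for the article's Priority 1 and 2; the rest is 3.
TIERS = {1: ("google", "outlook", "bank"), 2: ("shop", "facebook", "linkedin")}

def tier_for(url):
    host = (urlparse(url).hostname or "").lower()
    for tier in sorted(TIERS):
        if any(word in host for word in TIERS[tier]):
            return tier
    return 3

def digest(password):
    # Compare digests so plaintext passwords never appear in the findings.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def audit(csv_text, min_len=16):
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    groups = defaultdict(list)
    for row in rows:
        groups[digest(row["password"])].append(row["name"])
    findings = []
    for row in rows:
        shared = sorted(n for n in groups[digest(row["password"])] if n != row["name"])
        short = len(row["password"]) < min_len
        if shared or short:
            findings.append({"name": row["name"], "tier": tier_for(row["url"]),
                             "shared_with": shared, "short": short})
    # Highest-priority accounts first, matching the order the article recommends.
    return sorted(findings, key=lambda f: (f["tier"], f["name"]))

if __name__ == "__main__":
    for f in audit(SAMPLE_CSV):
        print(f"P{f['tier']} {f['name']}: reused on {f['shared_with']}, short={f['short']}")
```

A CSV export holds every password in plaintext, so run the audit locally and delete the file once you are done.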

The 30-minute method

If you want to change 50+ passwords without losing your weekend:

  1. Export your passwords from your current password manager (CSV format)
  2. Use an automation tool like Dosel to bulk-change passwords
  3. Import the updated passwords back to your password manager
  4. Verify critical accounts still work

This turns an 8-hour manual slog into a 30-minute supervised process.


Why most people don't act (and why you should)

The statistics are sobering:

| Stat | Source |
| --- | --- |
| Only 33% of breach victims change passwords | Carnegie Mellon research |
| 78% of people reuse passwords | Multiple studies |
| 41% of successful logins use compromised credentials | Industry reports |
| Average time to rotate credentials after breach: 94 days | Enterprise data |

Attackers know this. When they get dark web credentials from a breach, they launch credential stuffing attacks everywhere within hours—banks, email, social media. The window between "breach disclosed" and "credentials exploited" is shrinking.

The people who don't get compromised share a few traits:

  1. Unique passwords everywhere — No reuse, period
  2. Password manager — Makes unique passwords practical
  3. Regular rotation — Don't wait for breach notifications
  4. 2FA on everything — Especially email and financial accounts

The bottom line

16 billion passwords are circulating. Yours are probably among them.

The single most important thing you can do today is change your email password and enable 2FA on your email. Everything else flows from there.

Then work through your other accounts. Whether you do it manually over the next month or use automation to knock it out in an afternoon, the key is to actually do it.

Most people won't. That's why breaches keep working.

Don't be most people.


About Dosel: We built a macOS app that automates password changes using local AI. The agent navigates each site and changes passwords for you, while keeping everything on your machine.

Download Dosel: 5 free automated password changes per month, no credit card required.


Questions about protecting your accounts? Reach out at hello@dosel.app.

