India’s cybersecurity watchdog, CERT-In, has issued an advisory alerting users to a large-scale credential exposure affecting multiple online services. The advisory, tagged CTAD-2025-0024 and dated June 23, 2025, highlights the leak of approximately 16 billion login credentials gathered from a range of platforms including Apple, Google, Facebook, Telegram, GitHub, and various VPN services.
Massive password leak alert
The leaked credentials were compiled from 30 different sources, with much of the data obtained via infostealer malware and misconfigured publicly accessible databases, such as unsecured Elasticsearch instances. The dataset contains:
- Username and password combinations
- Authentication tokens and session cookies
- Metadata linking credentials to specific users or platforms
This leak increases the risk of cybercrimes including unauthorized access, phishing, identity theft, and account takeovers.
Why should you be worried?
The scale and depth of this breach make it particularly dangerous. CERT-In outlines four major threats stemming from the leak:
Credential stuffing – Cybercriminals can try stolen usernames and passwords across multiple services.
- Phishing and social engineering – Metadata helps criminals create highly targeted scams.
- Account takeovers – Attackers could gain access to personal, financial, and organizational accounts.
- Ransomware and business email compromise – Credentials can be used for larger-scale attacks on businesses.
How the data was leaked
Two main sources contributed to the leak:
Infostealer malware that collects saved credentials, session tokens, and browser data.
Unsecured databases that were exposed to the public due to misconfiguration, allowing cybercriminals easy access.
What you should do
CERT-In has recommended several steps for individuals to protect themselves:
- Update your passwords immediately, especially on sensitive platforms such as banking, social media, and government portals. Use strong, unique passwords that include letters, numbers, and symbols. Avoid reusing the same password across services.
- Enable multi-factor authentication (MFA) wherever possible. Use authentication apps, hardware tokens, or SMS-based systems to add an extra layer of protection.
- Stay alert to phishing attempts, especially those posing as password reset links or urgent notifications.
Use password managers to create and store strong, unique credentials for each service.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
