CERT-In Warns of 16 Billion Credentials Exposed in One of the Largest Global Data Breaches
By Chintan Shah, Nov 25. 5 min read.
A Massive Credential Dump Triggers National Cyber Alert
India’s national cybersecurity agency, the Indian Computer Emergency Response Team (CERT-In), has issued a public advisory after the exposure of an estimated 16 billion login credentials. The credentials—comprising usernames, passwords, authentication tokens, and associated metadata—were compiled from more than 30 breached datasets and circulated on underground platforms.
According to the advisory, the breach contains information harvested from widespread infostealer malware and numerous misconfigured databases that remained publicly accessible without adequate security controls. The data reportedly includes credentials associated with major global digital platforms such as Google, Apple, Facebook, GitHub, Telegram, and several VPN providers.
CERT-In described the incident as a “significant cybersecurity risk,” warning that such large-scale exposure dramatically increases the likelihood of account takeover attempts, phishing campaigns, credential stuffing attacks, financial fraud, and identity theft. The agency urged users across India to take immediate steps to secure their accounts, noting that this credential compilation may contain previously compromised data as well as newly exposed information.
How the Breach Occurred: A Consolidation of Multiple Data Sources
The exposed credentials appear to have been aggregated from the data dumps of several breaches rather than originating from a single incident. CERT-In noted that the compilation includes information drawn from:
Malware infections involving infostealer programs capable of capturing login details from user devices.
Misconfigured cloud databases that allowed unauthorized access due to missing authentication layers.
Public repositories and leaked archives circulating across darknet forums and credential marketplaces.
The agency highlighted that the presence of authentication tokens and session identifiers in the dump significantly heightens the immediate security risks. Unlike passwords, tokens can allow access to accounts without requiring additional verification steps, enabling attackers to bypass standard login processes.
CERT-In further noted that the compilation included data from devices infected with malware such as RedLine, Vidar, and Lumma, which routinely steal browser-saved passwords and autofill credentials before transmitting them to command-and-control servers.
CERT-In’s Immediate Advisory for Users: Change Passwords and Enable MFA
The agency issued a set of urgent recommendations for users, stressing that individuals should assume their credentials may be compromised if they have not recently updated security settings. CERT-In advised:
Changing passwords immediately, especially for email, banking, e-commerce, social media, and cloud accounts.
Enabling multi-factor authentication (MFA) across all services where available.
Transitioning to passkeys, which are cryptographic keys that cannot be phished or reused.
Running antivirus and anti-malware scans to identify any undetected infections on devices.
Avoiding password reuse, particularly across accounts with financial or personal information.
Monitoring accounts for suspicious login attempts, unexpected notifications, or unauthorized transactions.
CERT-In cautioned users to be vigilant against phishing communications claiming to offer remediation or account verification related to the breach, stating that attackers often weaponize such incidents to run parallel scams.
Organizational Measures: CERT-In Calls for Zero-Trust Architectures
Alongside individual users, CERT-In directed organizations, enterprises, and government institutions to strengthen their cybersecurity posture. The advisory outlined a set of measures that organizations should implement without delay. These include:
Adopting zero-trust security architectures, where no user or device is trusted by default and continuous verification is required.
Limiting employee access to sensitive systems using role-based permissions.
Encrypting sensitive data, including stored credentials and internal tokens.
Deploying intrusion detection and prevention systems (IDS/IPS) to identify suspicious activity in real time.
Mandating password rotations and enforcing strong password complexity policies.
Using privileged access management (PAM) tools for accounts with elevated rights.
Conducting regular vulnerability assessments and patching security flaws promptly.
Monitoring logs for anomalous authentication attempts, particularly those originating from unusual locations or devices.
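The last item above, monitoring authentication logs for anomalous attempts, is the control that catches credential stuffing while it is happening. The following is an added example (not code from the advisory or from CERT-In) showing two detections a defender would run over login events: one source address trying many distinct usernames with a high failure rate in a short window, and a single user logging in successfully from two countries too close together in time. The log format, thresholds and sample lines are all constructed for illustration.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example; the log format below is constructed for illustration and is
not from the CERT-In advisory. Thresholds are assumptions to tune per site.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <result> user=<name> ip=<addr> geo=<country>"
SAMPLE_LOG = """\
2025-11-25T09:00:01 FAIL user=alice ip=203.0.113.7 geo=IN
2025-11-25T09:00:02 FAIL user=bob ip=203.0.113.7 geo=IN
2025-11-25T09:00:02 FAIL user=carol ip=203.0.113.7 geo=IN
2025-11-25T09:00:03 FAIL user=dave ip=203.0.113.7 geo=IN
2025-11-25T09:00:03 OK user=erin ip=203.0.113.7 geo=IN
2025-11-25T09:00:04 FAIL user=frank ip=203.0.113.7 geo=IN
2025-11-25T09:05:00 OK user=alice ip=198.51.100.20 geo=IN
2025-11-25T09:06:00 FAIL user=alice ip=198.51.100.20 geo=IN
2025-11-25T09:07:00 OK user=alice ip=198.51.100.20 geo=IN
2025-11-25T09:30:00 OK user=alice ip=192.0.2.55 geo=BR
"""


def parse_line(line: str) -> dict:
    """Turn one constructed log line into a dict with a datetime and key=value fields."""
    ts_s, result, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": datetime.fromisoformat(ts_s), "ok": result == "OK", **fields}


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_stuffing(events, min_users=5, min_fail_ratio=0.6, window=timedelta(minutes=10)):
    """Per source IP, slide a time window over its attempts; alert when the window
    holds many distinct usernames and mostly failures. Accounts that logged in OK
    from such a source are the first candidates for a forced reset."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(not e["ok"] for e in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                hits = sorted(e["user"] for e in win if e["ok"])
                alerts[ip] = {"distinct_users": len(users), "compromised": hits}
    return alerts


def detect_geo_anomalies(events, max_gap=timedelta(hours=1)):
    """Successful logins for the same user from different countries within max_gap."""
    by_user = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_user[e["user"]].append(e)
    anomalies = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if prev["geo"] != cur["geo"] and cur["ts"] - prev["ts"] <= max_gap:
                anomalies.append((user, prev["geo"], cur["geo"], cur["ts"]))
    return anomalies


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", detect_stuffing(evs))
    print("geo anomalies:", detect_geo_anomalies(evs))
```

On the constructed sample the stuffing detector reports the single source that tried six usernames in four seconds and names the one account that authenticated from it, and the travel check flags the user who logged in from two countries 23 minutes apart. Real deployments would feed this from the IdP or reverse-proxy log and add allow-lists for shared egress addresses such as corporate NAT.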
CERT-In also recommended that IT teams review their internal credential storage mechanisms to ensure passwords are hashed using robust cryptographic standards such as bcrypt, scrypt, or Argon2.
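What "hashed using robust cryptographic standards" looks like in practice, as an added example rather than anything from the advisory: a salted, memory-hard hash using `hashlib.scrypt` from the Python standard library (one of the three algorithms CERT-In names), a constant-time verifier, and a check that flags legacy records for re-hashing on the user's next login. The `scrypt$n$r$p$salt$hash` storage format and the cost parameters are assumptions made for this example; the legacy record is constructed.

```python
"""Salted, memory-hard password hashing with hashlib.scrypt (Python stdlib).

Added example, not code from the advisory. The storage format
"scrypt$n$r$p$<salt hex>$<hash hex>" is an assumption made here so the cost
parameters travel with each record and can be raised later without a flag day.
Needs a Python build linked against OpenSSL 1.1+ for hashlib.scrypt.
"""
import hashlib
import hmac
import os

# Assumed current cost parameters (raise N as hardware gets faster).
# N=2**14, r=8 uses 128 * r * N = 16 MiB per hash, within hashlib's default maxmem.
N, R, P = 2 ** 14, 8, 1
DKLEN = 32

# Constructed legacy record: unsalted MD5, the kind of thing a storage review should find.
LEGACY_RECORD = "md5$" + hashlib.md5(b"correct horse battery staple").hexdigest()


def hash_password(password: str, n: int = N, r: int = R, p: int = P) -> str:
    """Return a self-describing record with a fresh random salt per password."""
    salt = os.urandom(16)  # unique per password: identical passwords get different hashes
    dk = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=DKLEN)
    return f"scrypt${n}${r}${p}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the record's own parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False  # malformed or non-scrypt record
    if scheme != "scrypt":
        return False
    dk = hashlib.scrypt(
        password.encode(),
        salt=bytes.fromhex(salt_hex),
        n=int(n), r=int(r), p=int(p),
        dklen=len(dk_hex) // 2,
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(stored: str) -> bool:
    """True for any non-scrypt record or an scrypt record below the current cost."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    n, r, p = (int(x) for x in parts[1:4])
    return n < N or r < R or p < P


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify:", verify_password("correct horse battery staple", record))
    print("legacy needs rehash:", needs_rehash(LEGACY_RECORD))
```

The usual migration path is to call `needs_rehash` after each successful `verify_password`; a legacy or under-cost record is replaced with `hash_password` while the plaintext is briefly in hand, so the whole store upgrades itself without forcing a reset on every user.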
Magnitude of the Breach and Potential Risks
Cybersecurity researchers cited by multiple reports described the scale of the credential exposure as unprecedented, noting that a dataset containing 16 billion credentials could enable attackers to conduct automated credential stuffing attacks at enormous scale.
The risks identified include:
Account Takeover (ATO): Attackers can gain unauthorized access to email accounts, which often serve as gateways to reset passwords for other services.
Identity Theft: Personally identifiable information (PII) linked to credentials may be used to create fake accounts or commit financial fraud.
Ransom and Extortion: Exposed private communications may be exploited to coerce victims.
Business Email Compromise (BEC): Organizations face heightened exposure if corporate credentials are included in the dump.
Access to Developer Tools: Compromised GitHub or cloud credentials can lead to supply-chain attacks or leakage of proprietary code.
CERT-In stated that the nature of infostealer malware means the dataset may contain real-time credentials harvested recently from infected systems, increasing the urgency of remediation.
Breach Includes Major Platforms: No Service Immune
Reports indicate that the leaked compilation contains credentials associated with high-profile platforms, including:
Google and Gmail accounts used for both personal and organizational logins.
Apple accounts, including those tied to iCloud storage and device management.
Facebook and Instagram profiles vulnerable to takeover attempts.
Telegram, with risks of unauthorized access to private chats.
GitHub, posing risk to software repositories and development pipelines.
VPN providers, potentially exposing users' browsing activity and IP history.
Cybersecurity experts noted that while these platforms themselves may not have been breached, credentials stolen from users’ infected devices still allow attackers to log in unless MFA is enabled.
CERT-In Warns Against Complacency: “Immediate Action Required”
CERT-In emphasized that incidents of this magnitude require swift action from users and organizations. The advisory stated that “immediate mitigation steps are essential” to prevent misuse of the exposed credentials. The agency called on digital service providers to notify users proactively and to enforce mandatory security resets where necessary.
The government further urged internet users to adopt security hygiene practices consistently, noting that password strength and MFA adoption remain among the most effective defences against widespread credential dumps.
Recommendations for High-Risk Users
CERT-In identified certain categories of individuals as having heightened exposure due to the nature of their digital footprint. These include:
Government officials
Banking and financial employees
Journalists and public figures
Legal professionals handling sensitive case files
Corporate executives with access to confidential business information
The agency advised these users to review whether their credentials have appeared in known breach lists and to undertake additional steps such as:
Using hardware-based security keys
Avoiding SMS-based OTPs in favour of authenticator apps
Reviewing account recovery options to ensure no unauthorized email or phone number is linked
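Reviewing whether a credential has appeared in a known breach list can be done without handing the password to anyone. The following added example (not from the advisory or CERT-In) demonstrates the k-anonymity range technique used by services such as the Pwned Passwords range API: only the first five hex characters of the password's SHA-1 leave the client, the server returns every suffix it holds for that prefix, and the match is made locally. The server here is a constructed offline stand-in over a tiny constructed corpus; `fetch_range` is a hypothetical hook where a real HTTP lookup would be plugged in.

```python
"""Check a password against a breach corpus without revealing it (k-anonymity range lookup).

Added example, not from the advisory. The "server" is a constructed stand-in so
the code runs offline; the corpus is a constructed three-entry list.
"""
import hashlib
import secrets


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()


# Constructed corpus: password -> number of times seen in the (fake) breach set.
CONSTRUCTED_CORPUS = {"password123": 120000, "qwerty": 98000, "letmein": 4000}


def simulated_range_response(prefix: str) -> str:
    """Stand-in for a range endpoint: returns 'SUFFIX:COUNT' lines whose SHA-1 starts
    with the 5-hex-char prefix. Padding with random zero-count suffixes keeps the
    response size from revealing whether anything matched."""
    lines = []
    for pw, count in CONSTRUCTED_CORPUS.items():
        h = sha1_hex(pw)
        if h[:5] == prefix:
            lines.append(f"{h[5:]}:{count}")
    while len(lines) < 8:
        lines.append(f"{secrets.token_hex(18).upper()[:35]}:0")
    return "\n".join(lines)


def breach_count(password: str, fetch_range=simulated_range_response) -> int:
    """How often the password appears in the corpus. Only the prefix is sent;
    the 35-character suffix is matched client-side."""
    full = sha1_hex(password)
    prefix, suffix = full[:5], full[5:]
    for line in fetch_range(prefix).splitlines():
        cand, _, count = line.partition(":")
        if cand == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password123", "letmein", "v3ry-unl1kely-Passphrase-8841"):
        print(pw, "->", breach_count(pw))
```

A registration or password-change form would call `breach_count` with a real `fetch_range` and reject any password with a non-zero count; the same check run across an identity store (hash prefixes only) is how an organisation can find which of its accounts reuse passwords already present in dumps like the one described here.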
CERT-In also recommended that high-risk users avoid downloading software from untrusted sources, as infostealer malware is frequently embedded in cracked software, fake installers, and malicious browser extensions.
Sector-Specific Advisory: Financial and Government Systems
The agency issued separate advisories for entities managing critical information infrastructure, such as banks, government portals, and public service platforms. It called for:
Mandatory audit of authentication systems
Endpoint detection and response (EDR) deployment
Forced credential resets for vulnerable accounts
Network segmentation to contain potential breaches
Verification of all administrator accounts
CERT-In warned that unauthorized access to such platforms could disrupt essential public services and lead to financial fraud with national-level implications.
Conclusion: A Wake-Up Call for Digital Security Practices
With billions of credentials circulating widely, the CERT-In advisory underscores a critical moment for India’s cybersecurity landscape. The breach highlights vulnerabilities in personal devices, enterprise systems, and cloud deployments, reaffirming the need for strong security practices across sectors. The agency reiterated that prompt password resets, MFA adoption, and regular device hygiene remain essential steps for users to safeguard their digital identities.
The advisory stresses that cybersecurity must be a routine practice rather than a reactive measure, especially as credential-stealing malware and misconfigured database exposures continue to proliferate globally.