16 BILLION Credential Dump: Infostealer Malware Just Stole Passwords and Session Cookies for Your Google, Apple, and GitHub Accounts

Author: CyberDudeBivash — cyberdudebivash.com | Updated: October 11, 2025

TL;DR

Researchers uncovered a dataset of ~16 billion credential records compiled from infostealer malware logs and existing breach data — containing usernames, plaintext passwords, session tokens/cookies and metadata. This is an aggregation, not one single new vendor breach.
Because session cookies and tokens appear in portions of the dataset, attackers can sometimes bypass MFA and hijack sessions — immediate revocation and re-login is advised for high-value accounts.
Do these now: rotate critical credentials, revoke active sessions & OAuth tokens, enable passkeys/MFA, run the SOC hunts below, and gate the full checklist behind an email capture if you want to convert readers.

What happened — the short, truthful version

In June 2025 security researchers published and flagged a compilation of ~16 billion credential records aggregated across ~30 datasets. The collection appears to be primarily drawn from infostealer malware logs (malware that steals browser-saved credentials, cookies, tokens, and local files) plus older breach compilations. Although this is not a single new corporate breach of Google, Apple or GitHub, the dataset contains weaponizable credentials that criminals can use for account takeover, targeted phishing, and supply-chain abuse.

Why session tokens & cookies make this worse

Session cookies and authentication tokens can — in some cases — allow attackers to impersonate a logged-in user without the password or to bypass MFA until the session is invalidated. That makes stolen cookies especially valuable.
Infostealers harvest exactly the items attackers need: stored passwords, cookie jars, local tokens, saved form data and sometimes even browser autofill exports. That reduces attack setup time and increases success rates.

Scope & nuance — what reporters & experts said

Multiple outlets (AP, The Guardian, Cybernews) reported the discovery; vendor- and researcher commentary emphasizes this is a huge aggregation, not a single vendor compromise. Some security analysts criticized early hype and urged careful framing: the headline number is real, but the context (duplicates, old vs. fresh records) matters. Still — the operational effect remains: attackers now have an enormous resource to run credential stuffing and session-token reuse attacks.

Immediate actions for consumers (do these now)

Change passwords on any account you used publicly/commonly — prioritize email, banking, cloud, code repositories (GitHub), and Apple/Google accounts.
Revoke active sessions & OAuth tokens: go to account security settings and “Sign out of all devices” / “Revoke sessions” / “Disconnect third-party apps”. This invalidates stolen cookies/tokens.
Enable MFA & adopt passkeys where possible: passkeys/WebAuthn reduce reliance on passwords and stop many automated takeover paths. Google & other providers are rolling out device-bound protections for tokens — enable them when available.
Use a password manager: generate unique, strong passwords for each service (do not reuse).
Scan for exposure: check haveibeenpwned.com and vendor breach pages; treat confirmed exposures as high priority.
Monitor activity: enable alerts from banks and check account activity daily for 30–90 days.

Immediate SOC / IR checklist (merchant, enterprise, devops)

Force logout/invalidate sessions for affected user populations (invalidate session store, rotate session secret keys if using stateless tokens — e.g., rotate JWT signing keys).
Revoke OAuth refresh tokens and client secrets where possible; rotate API keys used by services tied to user accounts.
Hunt for infostealer behavior: unauthorized file reads from browser profile paths, suspicious processes writing to %APPDATA%/Local/Temp, unexpected exfil connections to known C2 infrastructures. (Sample hunts below.)
Notify partners & run fraud detection models for sudden spikes of account changes, password resets, or suspicious login geographies.

SOC / SIEM hunts


# Splunk: detect multiple failed logins followed by success from same IP (credential stuffing -> compromised)
index=auth OR index=web "failed_password" OR "authentication failure"
| transaction clientip maxspan=10m
| search eventcount>50 AND search "success"
| stats count by clientip, user, _time


# Splunk: detect browser profile reads & suspicious processes (Windows Sysmon)
index=wineventlog AND EventCode=1 (ProcessCreate)
| where Image IN ("*\\chrome.exe","*\\msedge.exe","*\\firefox.exe") AND CommandLine LIKE "%Login Data%" OR CommandLine LIKE "%Cookies%"
| stats count by Host, User, Image, CommandLine


# Generic: find outbound connections to rare domains from endpoints (24h window)
index=network earliest=-24h
| stats count by src_ip, dest_domain
| where count > 20 AND dest_domain NOT IN ([trusted list])

Defensive Sigma & YARA examples


# sigma: suspicious process reading browser profile / cookies
title: Suspicious process accessing browser profile files
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 11
    TargetFilename|contains:
      - '\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data'
      - '\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\'
  condition: selection
level: high


# yara: detect infostealer-like strings in local files (defensive)
rule Potential_InfoStealer_Artifact
{
  meta:
    author = "CyberDudeBivash"
    date = "2025-10-11"
  strings:
    $s1 = "Login Data" ascii
    $s2 = "Cookies" ascii
    $s3 = "autofill" ascii
    $s4 = "wallet" ascii
  condition:
    any of ($s*)
}

MITRE ATT&CK quick map

Tactic	Technique	Notes
Initial Access	T1204 (User Execution)	Phishing & drive-by downloads deliver infostealers
Collection	T1056.001 (Keylogging) / T1119 (Automated Collection)	Browser credentials, cookies, tokens harvested by malware
Exfiltration	T1041	Files & tokens exfiltrated to C2 or cloud drop sites
Impact	T1499/T1486	Account takeover, fraud, downstream BEC/ransomware

Product & service picks — quick (affiliate cards)

Kaspersky Endpoint Security

EDR + rollback for endpoints exposed to infostealer activity.Protect with Kaspersky

Managed XDR — CyberDudeBivash

24/7 monitoring, token/session revocation playbooks, rapid containment.Contact for XDR

Password Manager — Business

Stop password reuse — secure service accounts & admin creds.Buy Password Manager

FAQ (short)

Is Google / Apple / GitHub breached? Not in the sense of a single new corporate breach — these services appear in the dataset because credentials harvested from infected user devices included accounts for these services. The providers themselves were not necessarily breached.
Will a password change protect me? Yes — change passwords and revoke sessions for exposed accounts; enable MFA and adopt passkeys where possible.
How can organizations defend? Force session invalidation, rotate OAuth secrets, hunt for infostealer telemetry, and apply device-bound session protections where available.

Hashtags: #CyberDudeBivash #16BLeak #Infostealer #CredentialStuffing #AccountTakeover #ThreatIntel #IR #SecurityOps #Passwords #Passkeys

Cyberdudebivash