Indian Government Issues High-Risk Alert After 16 Billion Passwords Leaked Globally

India’s cybersecurity watchdog, CERT-In (Indian Computer Emergency Response Team), has issued an urgent advisory following the leak of nearly 16 billion login credentials—one of the largest data exposures ever recorded. Dated June 23, 2025, the advisory (CTAD-2025-0024) warns that this breach affects major platforms like Apple, Google, Facebook, Telegram, GitHub, and several VPN services.

What Happened?

According to CERT-In, the leaked credentials were compiled from 30 different data sources. The data includes:

  • Usernames and passwords

  • Session cookies and authentication tokens

  • Metadata that links user credentials to specific platforms or identities

The majority of this data was stolen using infostealer malware and accessed from publicly exposed databases, such as unsecured Elasticsearch servers.

Why This Breach is So Dangerous

This isn’t just another password leak. The scale and depth of the compromised data make it extremely dangerous for individuals and organizations alike. CERT-In highlights four major cybersecurity threats:

  1. Credential Stuffing: Hackers can use your stolen credentials to try and log into multiple services, banking apps, or email accounts.

  2. Phishing and Social Engineering: With detailed metadata, attackers can craft convincing fake messages and websites to trick users.

  3. Account Takeovers: Cybercriminals may gain full access to personal, business, or financial accounts.

  4. Ransomware and Business Email Compromise: Organizations are at risk of large-scale attacks if employee credentials are used to infiltrate networks.

How Did This Happen?

The leaked data came from two primary sources:

  • Infostealer malware that extracts saved passwords, cookies, and tokens from infected devices

  • Misconfigured public databases, which were accessible to anyone due to poor security settings

What You Should Do Right Now

CERT-In has issued clear and actionable safety steps for all users:

  • Change your passwords immediately, especially for sensitive accounts like banking, social media, email, and government services. Create strong, unique passwords that combine uppercase and lowercase letters, numbers, and symbols.

  • Avoid reusing passwords across platforms. Each account should have its own unique login information.

  • Enable Multi-Factor Authentication (MFA) on every service that offers it. Whether it’s through an app, SMS, or hardware token, MFA adds an important extra layer of protection.

  • Use a password manager to generate and securely store complex passwords. This reduces the need to remember multiple logins and ensures better security.

  • Be cautious with emails or messages that ask you to reset passwords or verify account information. Always check the sender and avoid clicking suspicious links.

Final Thoughts

Passwords Leaked: This breach is a serious reminder that no platform is entirely safe. Whether you’re an individual user or a business owner, staying proactive about cybersecurity is no longer optional. Follow CERT-In’s recommendations, stay informed, and take steps now to protect your digital identity.