Indians are among the world's top offenders when it comes to password reuse. A single stolen email-password combination can grant access to everything from banking apps and PAN or Income Tax portal
If you’re using the same password across multiple apps, your digital life could be wide open. A massive, active leak of more than 16 billion login credentials has been uncovered on the dark web—posing serious threats to users of Google, Apple, Facebook, government services, and more.
According to cybersecurity experts, this is not a relic of old data breaches. “This isn’t from the past. It’s fresh and dangerous,” warns investment advisor Abhijit Chokshi, who broke down the findings in a detailed analysis. Unlike older password dumps, the newly discovered leaks include login URLs, session cookies, and valid credentials—everything a hacker needs to walk directly into your accounts, no phishing required.
16 billion credentials, 30 exposed databases
The leak originates from over 30 misconfigured databases, many of which were left completely unsecured, allowing attackers to retrieve sensitive data without any hacking. A shocking 3.5 billion credentials alone came from a Portuguese-speaking source, while 455 million were linked to Russian domains. Telegram accounts made up an additional 60 million entries.
Affected platforms include:
Google and Gmail
Apple ID and iCloud
GitHub
Telegram
VPN services
Government portals including tax, Aadhaar, and UPI-linked systems
Chokshi points out that this is particularly alarming for Indian users. “A single leaked email-password combo can unlock banking apps, PAN/Income Tax logins, social media, and UPI wallets,” he said. “If you reuse the same password, your entire digital footprint is at risk.”
‘Weaponisable intelligence at scale’
Experts are calling this breach “weaponizable intelligence at scale.” What does that mean? Anyone with access to this data can mount large-scale automated attacks—especially targeting freelancers, small business owners, and UPI users who rely on OTP-based logins.
The leak is also a wake-up call for India’s rapidly digitising population. With systems like Aadhaar, DigiLocker, GSTN, and CoWIN in widespread use, weak digital hygiene could have devastating consequences. Most users in India still don’t use password managers, reuse old passwords, and regularly fall for phishing SMS scams.
5 steps to stay safe
To protect yourself, cybersecurity experts recommend these immediate steps:
Change your passwords—especially for Gmail, Apple, banking, and UPI-linked services.
Use unique passwords for each platform. Consider using password managers like Bitwarden or 1Password.
Enable 2FA (two-factor authentication) or passkeys wherever available.
Avoid clicking unknown links from emails, SMS, or WhatsApp—even if they appear official.
Monitor your accounts regularly for suspicious login alerts or access attempts.
With credentials still actively circulating online, this breach may lead to more targeted attacks in the coming weeks. Experts stress that good digital hygiene—not just strong passwords—is now essential for survival in the internet age.