On June 20, 2025, a major revelation shook the digital world: 16 billion username-password combinations had just been exposed online (source: Journal de Montréal). This database, dubbed “RockYou2024” by Cybernews researchers, is much more than a simple recycling of previous leaks. It contains active login credentials from Google, Apple, Facebook, X (Twitter), Telegram, and GitHub.
This leak comes amid a record rise in data theft for blackmail, industrial espionage, and intrusion into corporate systems. With 16 billion passwords exposed, it puts professionals, public organizations, and SMEs on the same level of vulnerability.
Why is this leak a game changer?
Data that can be reused on a large scale
With automated tools, cybercriminals can test these credentials en masse on thousands of services. This is known as credential stuffing: a simple but powerful method that takes advantage of the widespread reuse of passwords (94% of users).
A multiplied attack surface
This data can be used to target business accounts using personal credentials. An IT manager who uses the same password on a leisure website and on their internal management tool becomes a gateway.
A lever for advanced phishing
This information can also be used to fuel highly targeted phishing campaigns that abuse trust or simulate credible internal communications.
Attacks facilitated by infostealers
The proliferation of data-stealing malware (infostealers) largely explains why these credentials are so fresh among the 16 billion exposed passwords. Tools such as RedLine and Raccoon, often installed without users’ knowledge via hacked websites or free software, automatically extract passwords stored on a device.
Cybercriminals then sell these files on the dark web at low prices, or combine them into megadatasets like the one recently uncovered.
What concrete actions should be taken today?
1. Eliminate passwords: adopt passwordless login
When there is no password, there is nothing to steal. This is the best defense available in 2025.
2. Use physical security keys
These keys are the most secure on the market. They can only be used in person and leave no trace that can be exploited remotely.
3. Set up shareable passkeys
Stored securely on your devices, passkeys offer a convenient and much more secure alternative to traditional passwords.
4. If passwords are still necessary: use a secure manager
Choose a professional password manager that can directly inject credentials without copying and pasting. This greatly reduces the risk of theft.
5. As a last resort: create robust passphrases
If you absolutely must use a password, create a unique phrase that is easy to remember but difficult to guess. And above all, never write it down in digital form (text file, Excel, browser).
Warning: never use the browser’s built-in manager
These managers are easily exploited by malware. Choose recognized third-party solutions designed for professional use.
This massive leak confirms what experts have long suspected: the password-only model is outdated. With 16 billion passwords exposed, the question for businesses is no longer “Are my credentials in a leak?” but “How many times?”
This breach of 16 billion accounts may seem distant… until a suspicious email arrives in your CFO’s inbox, or remote access is gained from an unknown device.
If you have recognized any of the risks described in this article, the experts at My Technician can help you better protect yourself. Our team already supports many organizations in Quebec in strengthening their digital access.