16 Billion Credentials Exposed: Why This Infostealer Leak Demands a Rethink of App Security

The recent CyberNews report detailing a leak of over 16 billion credentials—compiled from infostealer malware logs and historical breaches—serves as important information for organizations that use digital identity to secure their users and services. While this is not a single breach event, the aggregation and accessibility of such a vast dataset significantly increase the threat landscape. 

The leak affects a wide range of platforms, including credentials tied to major services like Apple, Google, Facebook, Microsoft, and corporate SaaS platforms. This increases the likelihood of successful account takeover attempts across both consumer and enterprise environments.

Credential leaks are not new. What’s different now is the industrialization of credential abuse. Infostealers quietly harvest credentials from infected endpoints, and these are then packaged and sold or dumped in bulk. As highlighted in our internal research published earlier this year, nearly one-third of all logins across F5 customers were attempted using leaked credentials. Many of these were legitimate users unknowingly reusing compromised credentials—a ticking time bomb for account takeover (ATO) attacks.

This is where automation becomes the threat multiplier. Bots don’t sleep. They don’t make typos. And they can test billions of credentials across thousands of sites with surgical precision. As our 2025 Advanced Persistent Bots Report shows, bots now account for over 10% of all web and API traffic, with credential stuffing and ATO among the most common attack flows.

The CyberNews report underscores a critical shift: the barrier to entry for credential abuse has dropped dramatically. With 16 billion credentials now in circulation, attackers no longer need to breach your systems—they just need to find a match. And with the rise of residential proxy networks and bot-as-a-service platforms, even unsophisticated actors can launch highly effective campaigns.

This isn’t just a security issue—it’s a business risk. ATOs lead to fraud, customer churn, brand damage, and regulatory exposure. And traditional defenses like rate limiting or CAPTCHA are no longer sufficient.

Even organizations that have deployed multi-factor authentication (MFA) are not immune. Why? Because attackers still target login pages to:

• Validate stolen credentials before selling them.
• Launch MFA fatigue attacks by bombarding users with push notifications.
• Exploit fallback flows like password resets or SMS-based recovery.
• Harvest behavioral data to fine-tune future attacks.

In short, if your login page is exposed to the Internet, it’s exposed to bots—and bots don’t care whether you have MFA or not.  We provided an in-depth analysis of various MFA bypass techniques in our F5 Labs Identity Threat Report.

Assume compromise: If you’re relying on passwords alone, assume they’ve already been compromised.

Augment existing multi-factor authentication: While MFA enhances security, it can still be bypassed by more sophisticated bots. These bots not only target login endpoints, but also blend in with legitimate traffic, which makes detection even more challenging. As a result, distinguishing between good bots and malicious activity becomes even more critical. 

F5 Distributed Cloud Bot Defense leverages industry-leading proprietary signal collection and obfuscation techniques, combined with deterministic classification of bots —eliminating reliance on scoring models. Threat intelligence specialists can extend the capabilities of your security team, providing real-time detection and mitigation of credential stuffing without degrading user experience.  

Educate and alert: Users need to understand the risks of credential reuse. Organizations should continuously monitor large datasets of leaked credentials from third-party sources or subscribe to commercial or open-source threat intelligence feeds that aggregate breach data. Once identified they should proactively notify users when their credentials appear in breach datasets and guide them to reset passwords.

Collaborate and share: Threat intelligence sharing across industries is vital. The faster we can identify and respond to emerging bot patterns, the better we can protect the ecosystem

Schedule a bot management assessment with an F5 specialist.