The recent CyberNews report detailing a leak of over 16 billion credentials—compiled from infostealer malware logs and historical breaches—serves as important information for organizations that use digital identity to secure their users and services. While this is not a single breach event, the aggregation and accessibility of such a vast dataset significantly increase the threat landscape.
The leak affects a wide range of platforms, including credentials tied to major services like Apple, Google, Facebook, Microsoft, and corporate SaaS platforms. This increases the likelihood of successful account takeover attempts across both consumer and enterprise environments.
The real risk: automation at scale
Credential leaks are not new. What’s different now is the industrialization of credential abuse. Infostealers quietly harvest credentials from infected endpoints, and these are then packaged and sold or dumped in bulk. As highlighted in our internal research published earlier this year, nearly one-third of all logins across F5 customers were attempted using leaked credentials. Many of these were legitimate users unknowingly reusing compromised credentials—a ticking time bomb for account takeover (ATO) attacks.
This is where automation becomes the threat multiplier. Bots don’t sleep. They don’t make typos. And they can test billions of credentials across thousands of sites with surgical precision. As our 2025 Advanced Persistent Bots Report shows, bots now account for over 10% of all web and API traffic, with credential stuffing and ATO among the most common attack flows.
Why this leak matters now
The CyberNews report underscores a critical shift: the barrier to entry for credential abuse has dropped dramatically. With 16 billion credentials now in circulation, attackers no longer need to breach your systems—they just need to find a match. And with the rise of residential proxy networks and bot-as-a-service platforms, even unsophisticated actors can launch highly effective campaigns.
This isn’t just a security issue—it’s a business risk. ATOs lead to fraud, customer churn, brand damage, and regulatory exposure. And traditional defenses like rate limiting or CAPTCHA are no longer sufficient.
Even organizations that have deployed multi-factor authentication (MFA) are not immune. Why? Because attackers still target login pages to:
- Validate stolen credentials before selling them.
- Launch MFA fatigue attacks by bombarding users with push notifications.
- Exploit fallback flows like password resets or SMS-based recovery.
- Harvest behavioral data to fine-tune future attacks.
In short, if your login page is exposed to the Internet, it’s exposed to bots—and bots don’t care whether you have MFA or not. We provided an in-depth analysis of various MFA bypass techniques in our F5 Labs Identity Threat Report.
What organizations must do
Assume compromise: If you’re relying on passwords alone, assume they’ve already been compromised.
Augment existing multi-factor authentication: While MFA enhances security, it can still be bypassed by more sophisticated bots. These bots not only target login endpoints, but also blend in with legitimate traffic, which makes detection even more challenging. As a result, distinguishing between good bots and malicious activity becomes even more critical.
F5 Distributed Cloud Bot Defense leverages industry-leading proprietary signal collection and obfuscation techniques, combined with deterministic classification of bots —eliminating reliance on scoring models. Threat intelligence specialists can extend the capabilities of your security team, providing real-time detection and mitigation of credential stuffing without degrading user experience.
An overview of F5 Distributed Cloud Bot Defense.
Educate and alert: Users need to understand the risks of credential reuse. Organizations should continuously monitor large datasets of leaked credentials from third-party sources or subscribe to commercial or open-source threat intelligence feeds that aggregate breach data. Once identified they should proactively notify users when their credentials appear in breach datasets and guide them to reset passwords.
Collaborate and share: Threat intelligence sharing across industries is vital. The faster we can identify and respond to emerging bot patterns, the better we can protect the ecosystem
Ready to take action?
Schedule a bot management assessment with an F5 specialist.
About the Author
Related Blog Posts
F5 NGINX Gateway Fabric is a certified solution for Red Hat OpenShift
F5 collaborates with Red Hat to deliver a solution that combines the high-performance app delivery of F5 NGINX with Red Hat OpenShift’s enterprise Kubernetes capabilities.
F5 accelerates and secures AI inference at scale with NVIDIA Cloud Partner reference architecture
F5’s inclusion within the NVIDIA Cloud Partner (NCP) reference architecture enables secure, high-performance AI infrastructure that scales efficiently to support advanced AI workloads.
F5 Silverline Mitigates Record-Breaking DDoS Attacks
Malicious attacks are increasing in scale and complexity, threatening to overwhelm and breach the internal resources of businesses globally. Often, these attacks combine high-volume traffic with stealthy, low-and-slow, application-targeted attack techniques, powered by either automated botnets or human-driven tools.
F5 Silverline: Our Data Centers are your Data Centers
Customers count on F5 Silverline Managed Security Services to secure their digital assets, and in order for us to deliver a highly dependable service at global scale we host our infrastructure in the most reliable and well-connected locations in the world. And when F5 needs reliable and well-connected locations, we turn to Equinix, a leading provider of digital infrastructure.
Volterra and the Power of the Distributed Cloud (Video)
How can organizations fully harness the power of multi-cloud and edge computing? VPs Mark Weiner and James Feger join the DevCentral team for a video discussion on how F5 and Volterra can help.
Phishing Attacks Soar 220% During COVID-19 Peak as Cybercriminal Opportunism Intensifies
David Warburton, author of the F5 Labs 2020 Phishing and Fraud Report, describes how fraudsters are adapting to the pandemic and maps out the trends ahead in this video, with summary comments.