TL;DR: A leak of roughly 16 billion credentials, compiled from infostealer logs, exposed cloud services and project tools, shows how reused passwords and long-lived access paths fuel account takeover, lateral movement and fraud across major services, according to Unosecur's analysis of the Cybernews findings. Identity security fails whenever a leaked credential is still accepted somewhere.
NHIMG editorial — based on content published by Unosecur: 16 billion credential leak, why 2025’s biggest breach is an identity-security wake-up call
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
Questions worth separating out
Q: How should security teams respond when leaked credentials may still be valid?
A: Security teams should assume the credentials are active until proven otherwise. Proof here means revocation or rotation followed by a check that the old value no longer authenticates, not the absence of observed misuse; a dump may be months old and the secret still valid.
Q: Why do leaked credentials remain such a serious risk even with MFA?
A: MFA reduces the chance that a stolen password alone is enough, but it does not remove every path to access. API keys, service-account credentials and long-lived session tokens are typically accepted without any MFA prompt, and infostealer logs routinely carry exactly those alongside passwords, so a leaked secret of that kind is a working login, not a half-step toward one.
Q: What do organisations get wrong about credential rotation after a leak?
A: Many teams rotate the most visible accounts and leave hidden dependencies untouched: the same secret copied into CI/CD variables, config files, deployment scripts and third-party integrations keeps working after the "official" one has been reset.
Practitioner guidance
- Purge exposed credentials at the source and at the identity provider: invalidate any password, token or API key that may have been exposed, then force re-authentication everywhere the secret may have been reused, including service accounts and automation that never go through the login page.
- Block password reuse with policy and technical controls: use password denylists, breached-password checks at set and reset time, and passkey or hardware-token adoption for high-risk roles, so a leaked credential cannot simply be replayed.
- Review third-party and dormant access as one exposure surface: audit vendor accounts, legacy integrations and inactive identities for standing privilege and stale secrets, and treat an unused credential that is still valid as an exposure, not as clutter.
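The breached-password check in the guidance above is usually done with a k-anonymity range lookup: the client hashes the candidate password with SHA-1, sends only the first five hex characters of the digest, and compares the returned suffixes locally, so the full hash never leaves the client. The example below is added here and is not code from Unosecur or from the source article; the breach corpus, the denylist terms and the `lookup_range` function are constructed stand-ins for a real breach-list feed, so it runs offline.

```python
"""Breached-password screening with a k-anonymity range lookup (added example).

Constructed example: BREACH_CORPUS and DENYLIST_TERMS stand in for a
breach-list feed and an organisation-specific denylist; nothing is fetched
from the network.
"""
import hashlib
from collections import defaultdict

# Constructed breach corpus: password -> number of times seen in leaked dumps.
BREACH_CORPUS = {
    "password": 9_545_824,
    "123456": 37_359_195,
    "Summer2024!": 1_204,
    "P@ssw0rd": 1_019_021,
}

# Constructed denylist: terms tied to the organisation that must not appear.
DENYLIST_TERMS = ("acme", "unosecur", "welcome")


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 digest, the format range services index on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_table(corpus):
    """Index the corpus the way a range service does:
    5-hex-char prefix -> list of 'SUFFIX:COUNT' lines."""
    table = defaultdict(list)
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        table[digest[:5]].append(f"{digest[5:]}:{count}")
    return table


RANGE_TABLE = build_range_table(BREACH_CORPUS)


def lookup_range(prefix: str):
    """Stand-in for the range query: only hashes sharing the 5-char prefix
    are returned, so the caller's full hash is never disclosed."""
    return RANGE_TABLE.get(prefix.upper(), [])


def breach_count(password: str) -> int:
    """Number of times the password appears in breach data (0 if absent)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup_range(prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def password_verdict(password: str, min_length: int = 12):
    """Return (accepted, reasons). Length, denylist and breach data are all
    checked so the reasons list is complete rather than stopping at the first hit."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    lowered = password.lower()
    for term in DENYLIST_TERMS:
        if term in lowered:
            reasons.append(f"contains denylisted term '{term}'")
    seen = breach_count(password)
    if seen:
        reasons.append(f"seen {seen} times in breach data")
    return (not reasons, reasons)


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "Summer2024!", "WelcomeToAcme2025!!", "unrelated-long-passphrase-77"):
        ok, why = password_verdict(pw)
        print(f"{pw!r}: {'accepted' if ok else 'rejected'} {why}")
```

In production the `lookup_range` call is the network request to the range endpoint and the table is the service's data; the rest of the logic stays the same. Running the check at password set and reset time, and again on the next login after a dump becomes public, is what turns a leak into a forced rotation instead of a standing exposure.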
What's in the full article
Unosecur's full article covers the operational detail this post intentionally leaves for the source:
- Day-by-day containment steps for forced password resets, token revocation, and MFA revalidation
- Practical checks for leaked-password blocking, including built-in identity-provider controls and breach-list screening
- The vendor's walkthrough of least-privilege reviews, third-party hardening, and monitoring workflows for reused credentials
- Implementation detail on detection, lockout, and response automation for credential-stuffing activity
👉 Read Unosecur's analysis of the 16 billion credential leak and identity risk →
16 billion credentials leaked: what identity teams need to act on?