16 Billion Passwords Just Leaked: Here's Your Move

A massive password leak called the GOAT Breach exposed 16 billion login credentials from Apple, Google, Facebook, Microsoft, banks, and even some government accounts. Unlike previous breaches full of old recycled data, this one is fresh, meaning criminals are using it right now. If you have an account on any major site, there’s a real chance your login is in the list. Here’s the short version of what to do.
The leak affects just about everyone who uses the internet. It covers:
Tech companies: Apple, Google, Facebook, Microsoft, Instagram, Snapchat
Professional platforms: LinkedIn, GitHub, corporate email systems
Government services: multiple .gov email addresses and portal logins
Banking: major banks and cryptocurrency exchanges, including Canadian banks
Privacy tools: several VPN services and messaging apps
The leak contains 16 billion records in total. Some of the biggest chunks come from Portuguese-speaking and Russian-speaking users, but Canadian and US addresses are heavily represented too.
This isn’t one company getting hacked. It’s data that was quietly stolen from individual computers over months or years by sneaky software called infostealer malware, then gathered into one giant list and published.
Three steps from the criminals’ side:
The infection. Someone downloads software that looks normal. Maybe a cracked game, a free PDF tool, a browser extension, or a file that came with a phishing email. Hidden inside is malware called an infostealer.
The harvest. Once installed, the malware quietly watches what you type and copies anything that looks like a password, a credit card, or a cookie that keeps you logged in to a site.
The sale. The malware ships all that info back to the attacker, who bundles it together with millions of other victims’ data and sells or leaks it. Sometimes months after the original infection.
The GOAT Breach is what happens when one of these big bundles leaks for free.
Warning signs that someone may be using your login:
Password reset emails you did not request
Emails from Apple, Google, or your bank saying “a new device signed into your account”
Unusual charges, even small ones, on your credit card or bank statement
Friends telling you they received weird emails or messages from your address
Your inbox suddenly filling with spam, especially sweepstakes or investment offers
None of this takes an IT person. Set aside 20 minutes.
Check each of your email addresses at haveibeenpwned.com. It tells you which of the breaches you are in. It’s safe, free, and built by a well-known security researcher.
Change the passwords on any affected accounts. Most urgent: your email, your bank, and any account you reuse a password on.
Turn on two-step verification for your email and your bank. Even if a criminal has your password, they cannot get in without the code on your phone. This is the single most effective defence you can set up.
Start using a password manager. If you have an iPhone or Mac, the Apple Passwords app is already installed. On Windows or Android, 1Password or Bitwarden work great. Our free course Simple Strategies to Be Secure Online has a step-by-step setup walkthrough.
Watch for phishing in the weeks after a big breach. Criminals use fresh data to craft more convincing scam emails. Our How Not to Get Phished course covers the 4-step check that defeats most of them.
Report it if you see money go missing. Call your bank first. Then the Canadian Anti-Fraud Centre at 1-888-495-8501. If you’re in the US, the FBI’s IC3.
Breaches like this are going to keep happening. The reason they hurt is not the breach itself. It’s that most people reuse the same password on dozens of sites. Once that one password is in a list, criminals try it everywhere.
Fifteen minutes with Have I Been Pwned, a password manager, and two-step verification makes you the hard target. The criminals move on to someone else.
For help working through the list one account at a time, ask Dave. He can walk you through it without jargon.
Want these breach breakdowns in plain language as they happen? Subscribe to the Phended Security Blog. Free, no spam.


