A week ago (20th June 2025) news broke that 16 billion user credentials had been newly breached. It was made to sound particularly horrifying because the breaches were right across critical (if personal) platforms, such as Apple, Google, Facebook and others.
In the following days the alarmist tone softened somewhat, when security researchers found that the list of 16 billion leaked credentials was itself new, but the credentials it contained had already been leaked (and passed on) in previous breaches of varying age. The list was a so-called combo list: a combination of previously known leaks and breaches.
That said, it would be entirely misguided to ignore this news. From an information security perspective, the important message is that a lot of the information in the new combo list is the result of the activity of stealer software. This is malware operating on compromised devices that compiles login credentials and other highly sensitive information on that device, such as passwords or credit card details, and sends them off to the criminals. The activity of stealer malware has become a dominant problem.
Risk profile
Even though the list may contain little newly breached data, the risk to everyone, and to almost every organisation, is tremendous.
A single breached credential can give an (opportunistic) attacker access to, for example, the Office account of an employee. Once they have that initial foothold, attackers use a variety of techniques (phishing, social engineering, probing) to move laterally through the network and escalate their privileges to the point where they can launch their campaign – and these days that often results in ransomware.
Countermeasures
Multi-factor authentication!
We are not saying that enabling multi-factor authentication for your online accounts will stop every attack against you, but in many cases it will make it impossible for the criminals to get into your accounts with a stolen password alone. They then need to employ fundamentally different tactics to break into target accounts.
Patching!
This has not changed either. It is essential to run fully up-to-date operating systems (Windows, Mac) and only legitimate and recent software (especially web browsers).
Anti-Malware!
Again, not a new tool in the defender’s arsenal. Modern anti-malware systems can help detect and prevent data breaches in the first place. They are also the primary defence once the criminals attempt to deploy and activate their malware: a good anti-virus system will detect suspicious behaviour and stop it in its tracks.
But remember, anti-virus is only effective if it is comprehensively deployed, kept up to date and constantly monitored.
Security Awareness!
The human firewall: are your staff trained to spot anomalous emails, and anomalous activity in their own accounts (a login from a new location, for example)? Do they know to escalate such findings promptly?
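The "login from a new location" check above, and the pattern a combo list leaves behind when it is tried against many accounts, can both be spotted in authentication logs. The following is an added example, not code from GDPRiS or from the original post; it assumes a hypothetical log format (`timestamp user source_ip country result`), and the log lines, account names and IP addresses are constructed for illustration.

```python
"""Flag account activity worth escalating:
 - a successful login from a country a user has never signed in from before
 - one source IP failing logins against many distinct accounts, the footprint
   of stolen credentials from a combo list being tried in bulk."""
from collections import defaultdict
from dataclasses import dataclass
import re

# Constructed sample log lines in a hypothetical format:
#   <timestamp> <user> <source_ip> <country> <success|failure>
SAMPLE_LOG = """\
2025-06-20T08:01:12Z alice 203.0.113.10 GB success
2025-06-20T08:03:40Z bob 203.0.113.11 GB success
2025-06-20T08:05:02Z alice 203.0.113.10 GB success
2025-06-20T22:14:55Z alice 198.51.100.7 BR success
2025-06-20T22:15:01Z carol 198.51.100.9 US failure
2025-06-20T22:15:02Z dave 198.51.100.9 US failure
2025-06-20T22:15:03Z erin 198.51.100.9 US failure
2025-06-20T22:15:04Z frank 198.51.100.9 US failure
2025-06-20T22:15:05Z grace 198.51.100.9 US failure
2025-06-20T22:15:06Z heidi 198.51.100.9 US failure
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ([A-Z]{2}) (success|failure)$")


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    src_ip: str
    country: str
    ok: bool


def parse_log(text):
    """Parse log text into Event records; malformed lines are skipped, not fatal."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, user, ip, cc, result = m.groups()
        events.append(Event(ts, user, ip, cc, result == "success"))
    return events


def new_country_logins(events):
    """Successful logins from a country not previously seen for that user.

    A user's first ever login only establishes the baseline and is not flagged,
    so an account compromised before logging started would not be caught here.
    """
    seen = defaultdict(set)
    alerts = []
    for e in events:
        if not e.ok:
            continue
        if seen[e.user] and e.country not in seen[e.user]:
            alerts.append((e.user, e.country, e.src_ip, e.ts))
        seen[e.user].add(e.country)
    return alerts


def spraying_sources(events, min_distinct_users=5):
    """Source IPs whose failed logins touch at least min_distinct_users accounts.

    Counting distinct accounts rather than raw failures separates a bulk
    credential-stuffing run from one user mistyping their own password.
    """
    failed_users = defaultdict(set)
    for e in events:
        if not e.ok:
            failed_users[e.src_ip].add(e.user)
    return {ip: len(users) for ip, users in failed_users.items()
            if len(users) >= min_distinct_users}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for user, cc, ip, ts in new_country_logins(evts):
        print(f"ESCALATE: {user} logged in from new country {cc} ({ip}) at {ts}")
    for ip, n in spraying_sources(evts).items():
        print(f"ESCALATE: {ip} failed logins against {n} distinct accounts")
```

On the constructed sample this flags alice's successful login from BR after a GB-only history, and the single source address that failed against six different accounts within seconds. The threshold in `spraying_sources` is an assumption to be tuned per environment: shared NAT egress addresses will legitimately show many users behind one IP, so failures should be weighed against the normal successful-login volume from that address before anyone is woken up.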
Final Thoughts
While the headlines screamed of a catastrophic breach involving billions of credentials, the reality was more nuanced, but no less concerning. The emergence of a massive combo list, largely compiled from previous leaks and the output of stealer malware, is a stark reminder that cybersecurity threats are evolving, persistent and increasingly sophisticated.
This incident underscores a hard truth: even old data can be weaponised in new ways. The real danger lies not just in the breach itself, but in how attackers leverage compromised credentials to infiltrate systems, escalate privileges, and launch devastating campaigns like ransomware.
Organisations must remain vigilant. Multi-factor authentication, regular patching, robust anti-malware solutions and continuous security awareness training are no longer optional; they're essential. The threat landscape is dynamic, and so must be our defences.
In short, this wasn’t a new breach but it was a new wake-up call!
At GDPRiS, we go beyond compliance
We actively strengthen your school's or Trust's cyber resilience. Our cost-effective services designed specifically for schools include Attack Surface Scanning, which continuously monitors your digital footprint, identifying exposed assets and vulnerabilities before attackers do. Complementing this, our Phishing Simulations test staff readiness with realistic, education-focused and customisable campaigns, turning potential weaknesses into learning opportunities. To reinforce this, our Awareness Training equips your team with the knowledge and confidence to spot threats, report suspicious activity and uphold data protection best practices every day. Together, these services form a proactive defence strategy tailored for the education sector.
If this sounds like it would help your school or Trust, why not book a free consultation with our team?