By Vikrant Rana, Anuradha Gandhi and Rachita Thakur
Introduction
On June 23, 2025, the Indian Computer Emergency Response Team (hereinafter referred to as ‘CERT-In’) issued an Advisory on the ‘Broad Credential Exposure involving Multiple Online Services’[1] (hereinafter referred to as ‘the Advisory’). The Advisory reported a significant exposure of approximately 16 billion login credentials across platforms including social media, email services and banking services. This leak is said to be the largest data breach in history, according to the Forbes report dated June 18, 2025.[2] Designated as the national agency under the Information Technology (Amendment) Act, 2008, CERT-In plays a crucial role in raising security awareness among the Indian cyber community and in providing forecasts of, and issuing alerts on, cyber security incidents.[3]
What does the Advisory say?
- Reasons for this data leak
  The Advisory discloses that the exposed datasets consolidated credentials from 30 distinct sources. They were predominantly acquired through info stealer malware attacks and exposed through misconfigured, publicly accessible databases, such as unsecured Elasticsearch instances.
- What types of Personal Data were leaked?
  The exposed dataset includes:
  - Username and password combinations for various services (e.g., Apple, Google, Facebook, Telegram, GitHub, and VPN services).
  - Authentication tokens and session cookies, which could allow bypassing traditional password-based authentication.
  - Metadata linking credentials to specific platforms or user profiles.
- What caused this Data Leak?
  These datasets were primarily acquired through:
  - Info stealer Malware:[4] This malicious software specifically targets credentials, authentication tokens, and cookies stored within web browsers.
  - Unsecured Databases: Misconfigured Elasticsearch instances and other publicly accessible databases were found to be exposing aggregated sets of credentials.
- Impact of this Data Leak
  According to CERT-In, this data leak can allow cyber threat actors to engage in:[5]
  - Credential Stuffing: This involves using stolen credentials (such as usernames and passwords) obtained from one data breach to gain unauthorized access to a user’s accounts on multiple other services.
  - Phishing and Social Engineering: These attacks leverage collected metadata or other information to create highly targeted deceptive communications (e.g., emails, messages, and calls) designed to trick individuals into revealing sensitive information or performing actions that compromise their security.
  - Account Takeovers: This refers to any instance where an unauthorized individual gains complete control over a user’s personal, financial, or organizational accounts, often leading to fraud or further malicious activity.
  - Ransomware and Business Email Compromise (hereinafter referred to as ‘BEC’): These attacks often exploit compromised credentials or other vulnerabilities. Ransomware encrypts data and demands payment for its release, while BEC involves impersonating executives or trusted parties via email to deceive employees into making fraudulent money transfers or revealing confidential information.
- How to Mitigate Risk?
  The Advisory lays down measures that must be adopted by both individuals and organizations to mitigate the risks associated with this exposure:
  - For Individuals:
    - Update passwords immediately for all affected services, prioritizing email, banking, social media, and government portals. Recommended passwords should be at least 12 characters long and include letters, numbers, and symbols.
    - Avoid reusing a single password across different services to prevent credential stuffing attacks.
    - Enable Multi-Factor Authentication (hereinafter referred to as ‘MFA’) on all supporting accounts, using authenticator apps, hardware tokens, or SMS-based verification.
    - Transition to passkeys for password-less, phishing-resistant authentication using biometrics or device PINs.
    - Run antivirus scans to detect and remove info stealer malware, and ensure that operating systems, browsers, and applications are updated to address known vulnerabilities.
  - For Organizations and System Administrators:
    - Implement Zero-Trust security by enforcing MFA and least-privilege access controls for all users and systems.
    - Monitor and respond to threats by deploying intrusion detection systems and Security Information and Event Management tools to detect unauthorized access attempts.
    - Monitor for suspicious account activity such as unexpected logins or configuration changes.
    - Secure data storage by auditing databases to ensure they are not publicly accessible and by implementing encryption for stored credentials and sensitive data.
    - Regular employee training focused on phishing prevention and secure password practices is crucial to bolstering the overall security posture.
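As an added illustration of the “unexpected logins” monitoring point above (this is not code from the Advisory or the article), the Python below reads constructed authentication log lines and flags source IPs that cycle through many distinct accounts within a short window, which is what a leaked username/password list looks like when it is replayed against a service; a single account being retried from one IP is a different signal, left to a lockout policy. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample auth log lines (not from the Advisory). 203.0.113.7 cycles
# through many distinct accounts, one attempt each (the credential-stuffing
# pattern); 198.51.100.9 hammers a single account, which is a different signal.
SAMPLE_LOG = """\
2025-06-24T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2025-06-24T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2025-06-24T10:00:03Z ip=203.0.113.7 user=carol result=FAIL
2025-06-24T10:00:04Z ip=203.0.113.7 user=dave result=SUCCESS
2025-06-24T10:00:05Z ip=203.0.113.7 user=erin result=FAIL
2025-06-24T10:00:30Z ip=198.51.100.9 user=grace result=FAIL
2025-06-24T10:00:31Z ip=198.51.100.9 user=grace result=FAIL
2025-06-24T10:00:32Z ip=198.51.100.9 user=grace result=FAIL
2025-06-24T10:00:33Z ip=198.51.100.9 user=grace result=SUCCESS
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<res>\S+)$")

def parse(lines):
    """Yield (timestamp, ip, user, result) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            yield ts, m["ip"], m["user"], m["res"]

def detect_credential_stuffing(lines, window_s=300, min_users=5):
    """Flag source IPs that attempt >= min_users distinct accounts inside any
    window_s-second sliding window. Returns {ip: {"users": n, "successes": set}};
    accounts in "successes" logged in during the burst and need a forced reset."""
    events = defaultdict(list)
    for ts, ip, user, res in parse(lines):
        events[ip].append((ts, user, res))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        window = deque()  # events from this IP within the last window_s seconds
        for ev in evs:
            window.append(ev)
            while (ev[0] - window[0][0]).total_seconds() > window_s:
                window.popleft()
            users = {u for _, u, _ in window}
            if len(users) >= min_users:
                entry = flagged.setdefault(ip, {"users": 0, "successes": set()})
                entry["users"] = max(entry["users"], len(users))
                entry["successes"].update(u for _, u, r in window if r == "SUCCESS")
    return flagged
```

Feeding the sample through `detect_credential_stuffing(SAMPLE_LOG.splitlines())` flags only 203.0.113.7, with `dave` listed as the account that needs an immediate password reset and session revocation.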
Similar Incidents of Data Leaks through Info-stealer malware attacks
According to the ‘State of Cyber Security Report 2025’ published by Check Point, a global leader in cyber security solutions, info stealer attacks grew by 58% in 2024. Most of the data logs obtained through these attacks are traded on Russian-based dark web markets. Analysis of these markets reveals that a substantial portion of these stolen logs originate from countries such as India and Brazil, with India’s share being as high as 10%.[6]
Prateek Chandgothia, Assessment Intern at S. S. Rana & Co. has assisted in the research of this article.
[1] CERT-In Advisory No. CIAD-2025-0024: https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES02&VLCODE=CIAD-2025-0024
[3] https://www.cert-in.org.in/s2cMainServlet?pageid=PUBWEL01
[4] Info stealer malware is designed to steal sensitive personal, financial, and business data such as passwords, credit card numbers, and browsing history from infected systems, transmitting it to cybercriminals for illicit gain. These threats commonly infect systems via phishing, malicious attachments, or compromised websites, operating stealthily to avoid detection. (https://www.packetlabs.net/posts/what-is-infostealer-malware-and-how-does-it-work/)
[5] https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES02&VLCODE=CIAD-2025-0024
[6] https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/infostealers/