Tenable has highlighted the 16 billion credential leak, a massive dataset of usernames and passwords from infostealers and past breaches, as a critical industry wake-up call. The enormous dataset reveals systemic gaps in managing digital identities, securing cloud environments, and monitoring an expanding attack surface. The breach aligns with Tenable’s observations of the explosive growth of the digital attack surface and cybercriminals’ methods to exploit it. The article in Bleeping Computer argues that this breach is not new but a large-scale symptom of several underlying cybersecurity issues.
We want to offer expert commentary from Bernard Montel, Technical Director and Security Strategist at Tenable, who can unpack the root causes behind the breach and outline why it demands a shift toward identity-first, risk-based cybersecurity strategies:
“Firstly, this is not a new data breach. It’s the result of threat actors’ use of infostealer malware that has silently scraped usernames and passwords during breaches. This data has been bundled, traded, and resurfaced across underground forums. That said, it’s no less concerning.
Periodically, we see this database surface, demonstrating that hackers can access our online identities. Using scripts [a small program written in a programming language such as Python, JavaScript, or Bash that tells a computer step-by-step to do something], threat actors can trawl this treasure trove of information, looking for patterns in passwords and credential reuse across multiple accounts. The latter is akin to a master key, suggesting the same combination will open numerous doors.
For organizations, it’s about understanding that this is a potential risk if these records correlate with over-privileged identities. Identities are the new perimeter given that compromised identities are at the centre of nearly every successful cyberattack. Organizations must adopt an identity-first approach that continuously validates permissions and access to prevent identity-based attacks before they occur.”
The discovery in the article aligns with the trends Tenable has consistently observed regarding the explosive growth of the digital attack surface and the methods cybercriminals use to exploit it. The article in Bleeping Computer calls out that this mega breach isn’t a new breach but a compilation of past breaches. This incident is not an isolated anomaly but rather a large-scale symptom of several underlying, systemic issues in cybersecurity.
The article states that the records were likely generated by infostealer malware, a foundational tool in the cybercrime ecosystem.
Infostealers are designed to harvest sensitive data like credentials, browser cookies, and cryptocurrency wallet information from compromised devices. This stolen data is often the first step in a larger attack chain. As the article notes, cybercriminals use these credentials for initial access into corporate networks, which can lead to devastating ransomware attacks.
The prevalence of infostealers is fueled by the Malware-as-a-Service model, which makes these tools cheap, accessible, and easy for criminals with limited technical skills to deploy. This lowers the barrier to entry for cybercrime and contributes to the massive volume of stolen data seen in incidents like this one.
Unprotected databases are a common cause of data leaks. Tenable’s research, particularly its 2025 Cloud Security Risk Report, corroborates this, emphasising that misconfigured cloud assets are a primary source of risk for organisations.
Security researchers have warned for years that organizations misunderstand the shared responsibility model of cloud services. While a cloud provider (like AWS, Google Cloud, or Azure) secures the cloud itself, the onus is on organizations to secure the data in the cloud. This includes:
- Data: Properly classifying and managing data.
- Configuration: Ensuring databases, storage buckets, and workloads are not publicly exposed and have strong access controls.
- Identities and Credentials: Managing user permissions and ensuring secrets or credentials are not hardcoded into workloads, a vulnerability Tenable’s research found in over half of some AWS environments.
The core of the problem is often a lack of visibility. As organizations adopt more cloud services, they struggle to maintain an accurate inventory of all their assets and the exposures associated with them. Hackers exploit this confusion: a single misconfigured database can expose millions or billions of records.
Due to overlapping information, it’s challenging to determine precisely how many people have been impacted. This highlights a key concept in exposure management: the threat is not just about the number of records but the interconnectedness of the data. With 16 billion records, many of which are from major providers like Google and Apple, attackers have a massive pool of username and password combinations. They will use automated “credential stuffing” attacks to try these logins across countless other services, assuming users reuse passwords.
A breach of this size demonstrates that reactive cybersecurity measures are insufficient. Tenable advocates for a preventive approach focused on exposure management. This involves continuously discovering all assets across the attack surface, understanding their vulnerabilities, misconfigurations, and exposures, and prioritizing remediation based on the risk they pose to the business. By proactively identifying and fixing these issues, organisations can disrupt the attack paths criminals rely on, long before a breach occurs.