NEW DELHI: Indian Computer Emergency Response Team (Cert-In) has issued a fresh advisory asking people to follow good cybersecurity hygiene following reports of a massive data breach involving 16 billion online credentials.
The breach, first reported by the website Cybernews, includes usernames, passwords, authentication tokens, and metadata leaked from platforms such as Apple, Google, Facebook, Telegram, GitHub, and several VPN services.
“This appears to be a consolidated dataset, and some of the credentials may be outdated or already changed. However, we’re issuing the advisory to urge people to follow good cybersecurity hygiene,” a senior official at Cert-In, the country’s nodal agency for cybersecurity incident response, said.
The advisory was first released on Monday.
The agency has urged individuals to update their passwords immediately, enable multi-factor authentication (MFA), and switch to passkeys wherever possible. The advisory also recommends running antivirus scans and keeping systems up to date to protect against malware.
The cybersecurity agency advised organisations to enforce MFA, limit user access, and use intrusion detection systems (IDS) and Security Information and Event Management (SIEM) tools to detect suspicious activity. It also recommended that companies check that their database aren’t publicly exposed and ensure that sensitive data is encrypted.
The massive dataset, which is believed to be available on the dark web, has been reportedly compiled from 30 different sources, mostly through infostealer malware. The dataset could enable attackers to carry out phishing, account takeovers, ransomware attacks, and business email compromises, said the Cert-In advisory.
“This is a systemic red flag,” said Gaurav Sahay, cybersecurity expert and founding partner at Arthashastra Legal.
“The breach is decentralised, harder to detect, and much more difficult to fix. We’re likely to see a wave of account takeovers, especially on cloud/email services, banking or fintech apps, developer platforms, and government portals.”
Sahay added that password reuse remains rampant, and the lack of MFA on many accounts makes even older credentials dangerous. “This is a watershed moment in cybersecurity, a reminder that the human element remains the weakest link in digital security.”
