The 16 Billion credentials leak: limits of GDPR against infostealers

The 16-billion-record data leak exposes the limits of the GDPR in the face of infostealers. Analysis of legal challenges and technological responses.

16 billion stolen credentials: the infostealers defy the GDPR by targeting end users

The leak of 16 billion login credentials, revealed by the Cybernews research team in June 2025, is one of the largest breaches of personal data ever documented [1]. This mega-leak, the product of the proliferating activity of malware known as infostealers (information-stealing programs), calls into question the effectiveness of the European regulatory framework for the protection of personal data.

Large-scale leaks follow one another

Faced with the growing sophistication of cyberattacks and the evolution of the underground data market, this case questions the ability of the General Data Protection Regulation (GDPR) to guarantee effective protection of European citizens, and calls for in-depth reflection on the accountability of digital actors. The leak, discovered by cybersecurity researcher Bob Diachenko [2] and published by Cybernews, concerns 16 billion credentials from thirty different compromised databases, gathered on a publicly accessible server. Beyond major platforms such as Apple, Google or Facebook, the exposed data concerns a wide range of services — social networks, messaging (Telegram), development tools (GitHub), cloud environments, government platforms and professional tools — and illustrates the widespread vulnerability of the digital ecosystem. This exposure is one of the most massive ever documented and follows a series of large-scale leaks: the MOAB [3] of January 2024 (a compilation of more than 26 billion records from thousands of earlier leaks, with victims including Tencent, LinkedIn, Adobe and Weibo), RockYou2024 (10 billion passwords, succeeding RockYou2021 and its 8.4 billion passwords), and the Chinese leak of March 2024 affecting WeChat and Alipay, owned by Tencent and Alibaba respectively.

Infostealers are a specific category of malware designed for the silent exfiltration of data by directly infecting user devices. Once installed (usually through a fake document, a trojanized application or pirated software), they harvest everything stored locally: login URLs, usernames, saved passwords, auto-fill form data, session cookies, authentication tokens, bank details, cryptocurrency wallets, and so on. Unlike ransomware, which paralyzes systems, the modus operandi of these attackers relies on social engineering and the exploitation of human weaknesses: distribution through pirated software, infected PDF documents, video game modifications or fake applications.

The presence of session cookies and authentication tokens allows attackers to bypass the usual protections such as two-factor authentication. With this stolen session material, an attacker can sign in to a bank account, an email service (Gmail, Outlook, etc.) or a payment platform (such as PayPal) without entering the password or passing the two-factor check: because the attacker holds the active session “keys”, the service treats him as the legitimate user. Moreover, the freshness of the data, which comes from recent activity rather than from historical compilations that recycle old leaks, gives it immediate exploitable value to cybercriminals. The democratization of these tools on dark web forums, with the emergence of “Malware-as-a-Service” (MaaS) platforms and turnkey offerings such as RedLine, Raccoon or Vidar, has considerably lowered the technical entry barrier, allowing less skilled actors to conduct sophisticated campaigns.

Responsibility: the challenge of territoriality

This accessibility explains the exponential proliferation of attacks and the multiplication of exposed datasets. This industrialization of cybercrime poses new challenges to regulatory authorities and law enforcement agencies.

The leak of 16 billion credentials crystallizes several major legal issues. First, the question of the territoriality of the GDPR in the face of global attacks carried out from jurisdictions beyond European control: although the GDPR defines its territorial scope [4], its effectiveness remains dependent on international cooperation and mutual legal assistance mechanisms. Second, the problem of assigning responsibility when data is exfiltrated from the infected user's own device rather than from an attacked platform. Furthermore, the chain of responsibility becomes difficult to establish, especially when data is aggregated by unidentified third parties before being exposed publicly. The scale of this breach therefore calls into question the adequacy of the notification mechanisms provided for by the GDPR [5], which were designed for more limited incidents.

New attacks and limitations of the GDPR

Article 32 of the European regulation requires controllers and processors to implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. This general obligation breaks down into several specific requirements: pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore the availability of and access to data in a timely manner in the event of an incident; and a process for regularly testing and evaluating the effectiveness of the measures.

Faced with the sophistication of infostealers, these obligations reveal their structural limitations. For example, data encryption, although mandatory, does not protect against the exfiltration of credentials stored locally on users' computers. Likewise, system resilience becomes illusory when the attack directly targets legitimate users' devices, upstream of any centralized protection system. This inadequacy raises the question of an extensive interpretation of Article 32, “Security of processing” [6]: could the supervisory authorities require data controllers to deploy protective measures on their users' devices?

The principle of accountability enshrined in the GDPR [7] requires data controllers to demonstrate their compliance with data protection principles. This positive obligation implies a proactive approach to security. In the context of infostealers, this accountability raises the question of how far the obligations of data controllers extend: should they anticipate and prevent risky behaviour by their users by deploying detection tools on devices? Does the security obligation extend to the awareness and training of data subjects? European case law tends towards an extensive interpretation of these obligations. The “Fashion ID” judgment [8], delivered in July 2019 by the Court of Justice of the European Union (CJEU), established that liability can extend beyond direct control of the data, paving the way for greater accountability of digital actors in the face of indirect risks.

The analysis of this mega-leak therefore reveals a growing gap between the sophistication of attack vectors and the effectiveness of regulatory obligations. Infostealers mainly exploit human vulnerabilities and the weaknesses of user devices, areas where the action of data controllers remains limited. The GDPR, designed to protect data at the level of servers and centralized information systems, struggles to apprehend attacks that directly target end users. This structural limitation calls for an evolution of the regulatory framework towards a more holistic approach to cybersecurity, integrating device security and user awareness.

The widespread adoption of advanced authentication technologies is becoming imperative in the face of the demonstrated ineffectiveness of traditional passwords. Passkeys are emerging as a robust technological solution — adopted in particular by Apple, Google and Microsoft. This technology relies on the FIDO2 (Fast Identity Online 2) standards, supported by the FIDO Alliance, on the WebAuthn (Web Authentication) standard, standardized by the W3C [9], and on the generation of cryptographic key pairs: a private key stored on the user's device and a public key stored by the service. Authentication is performed by cryptographic signature, without transmitting any sensitive information, which eliminates the vulnerabilities inherent in traditional passwords. This architecture makes credential reuse between services impossible and is immune to phishing attacks.

Likewise, two-factor authentication (2FA) or multi-factor authentication (MFA) — although imperfect when session cookies and authentication tokens are among the stolen data — is an essential security measure in the face of contemporary threats, and its widespread use is also a promising technological response. The evolution towards continuous authentication methods, which constantly analyse user behaviour (behavioural biometrics, analysis of navigation patterns), could offer more robust protection against these sophisticated attacks. Imposing minimum authentication standards for certain sensitive services, modelled on the European directive on payment services of November 2015, known as PSD2 [10], would be a proportionate response to the risks identified.

Reinforcing safety standards

The leak of 16 billion credentials reveals the limits of the current regulatory framework in the face of cyberattacks that strike user devices directly, in contrast to the no less massive thefts of personal data aimed at a central system — as was the case for the 19.2 million subscribers of Free (Iliad) in October 2024, including 5.1 million bank details. The investigation is ongoing. While the GDPR has considerably strengthened the protection of personal data, its effectiveness remains dependent on adapting technological and organizational practices to new types of attacks that are becoming ever more sophisticated.

[1] https://lc.cx/Cybernews300625

[2] The Ukrainian Volodymyr Diachenko, known as Bob.

[3] Mother of All Breaches (MOAB).

[4] Art. 3 of the GDPR.

[5] Art. 33 of the GDPR.

[6] Art. 32 of the GDPR.

[7] Art. 5 (2) of the GDPR.

[8] https://lc.cx/FashionID

[9] World Wide Web Consortium (W3C).

[10] https://lc.cx/DSP2
