Massive Data Leak: 16 Billion Passwords Exposed – Is Yours Safe?

13 Jul, 2025 | Salome K

Massive data leaks and dubious AI apps: user privacy under pressure worldwide

On Friday morning, it was announced that some 16 billion passwords had been compromised in an unprecedented data breach. This included user data from major tech companies like Facebook, Google, and Apple. This was reported by the cybersecurity platform Cybernews, which calls it “the largest data breach in history.” However, that claim isn’t entirely accurate.

This isn’t a single hack, but a collection of countless smaller data leaks combined into one gigantic file. The largest single leak ever remains Yahoo’s in 2016, when the data of all three billion users was stolen.

Nevertheless, the situation remains extremely worrying. Because this vast amount of information is now centrally available, it becomes significantly easier for cybercriminals to launch credible phishing attacks or commit identity theft.

Password hygiene more important than ever

The revelation emphasizes the importance of good password hygiene. This means not only changing your passwords regularly, but also enabling two-factor authentication and using a password manager to securely manage your logins. This is the only way to protect yourself from increasingly sophisticated forms of digital fraud.

DeepSeek: the Chinese AI app that knows more than you’d like

But data breaches aren’t the only threats to user privacy. Increasingly, artificial intelligence apps are collecting personal data on a massive scale—often without users knowing exactly what happens to their data. One of the most recent and controversial examples is the Chinese AI app DeepSeek.

DeepSeek became incredibly popular and reached number one in several app stores, but experts are now sounding the alarm. Among other things, the app stores its users’ keystroke patterns, that is, the way someone types, including rhythm and speed. Such information could theoretically be used to identify individuals, or even detect their emotional state. This is a particularly disturbing development.

European regulators intervene

In Europe, privacy watchdogs are already responding. The Italian data protection authority completely blocked the app. According to them, the information DeepSeek provided about its data collection is “completely insufficient.” Ireland has also requested information, and the Netherlands announced a formal investigation on Friday.

Aleid Wolfsen, chair of the Dutch Data Protection Authority, emphasizes the seriousness of the matter: “We warn users to be extremely careful with this app. The privacy policy is not transparent, and it appears that personal data is not being processed fairly or securely.”

Russia: Privacy under state control

In Russia, on the other hand, the government approaches privacy from a completely different perspective. In recent years, the Russian state has established a strict legal framework for data management, but that framework primarily serves government objectives, such as domestic surveillance, censorship, and digital sovereignty.

Under Russian law, foreign tech companies are required to store Russian citizens’ data on servers within Russia – a policy that led to the blocking of platforms like LinkedIn. At the same time, Russian tech companies like VKontakte, Yandex, and Sber also collect vast amounts of user data. However, privacy protections for citizens are minimal, and there is little independent oversight of what the government or companies do with this data.

Russian experts point out that Russia is increasingly isolating its domestic data traffic from the outside world. This is creating a kind of digital intranet, giving the state complete control over information and communication. In this climate, privacy rights are being subordinated to national security and political stability.

AI is also playing an increasing role here: Russian developers are building systems for facial recognition in public spaces, behavioral analysis and profiling — often with little transparency or safeguards for citizens.

There is no such thing as “free”

DeepSeek is free, but that doesn’t mean users don’t pay for it. They pay with their data. Everything entered—text, speech, or images—is sent to servers in China. Unlike ChatGPT, for example, DeepSeek doesn’t offer an option to disable data sharing for training purposes.

In addition to the data entered, the app also collects background information such as IP address, device information, and operating system. Many apps do this, but DeepSeek goes a step further by also storing keystroke information.

DeepSeek also falls short in terms of security

According to the American cybersecurity firm Wiz, a serious data breach was recently discovered at DeepSeek. More than a million user chats were found to be freely accessible online. The breach has since been patched, but the data was so easily accessible that, according to Wiz, “it’s highly likely others have already accessed that information.”

Vulnerabilities in the AI model

These technical issues aren’t the only sore point. Researchers from Cisco and the University of Pennsylvania conducted a test with DeepSeek last weekend, exposing the model to fifty so-called jailbreak prompts: commands designed to bypass the built-in security systems of AI models.

While competitors like ChatGPT or Gemini managed to deflect many of these prompts, DeepSeek failed on all fronts. Its AI model failed to recognize a single one of the fifty malicious prompts, thus providing seamless access to instructions on topics such as hate speech, building explosives, and spreading propaganda.

A Cisco expert told Wired that DeepSeek has subordinated security to speed and market launch. And now the public seems to be paying the price, not with money, but with their data and their digital security.

ⓒ Antonio Georgopalis