18/06/2026
Share:
18/06/2026
Share:
LONDON, Jun 18: Millions of internet users could be at risk after a huge collection of stolen login credentials, including 56 million email addresses and 124 million passwords, was discovered online and added to the database of breach-monitoring service Have I Been Pwned (HIBP).
Unlike traditional data breaches involving a single company or website, the newly uncovered information was collected from devices infected with infostealer malware — malicious software that secretly extracts sensitive information directly from users’ computers.
According to HIBP, the dataset was compiled from hundreds of millions of “stealer logs” generated by infected devices. The collection contains 56.3 million unique email addresses and 124 million unique passwords, highlighting the growing threat of malware that targets individuals rather than online platforms.
Infostealer malware can quietly scan infected computers for saved browser passwords, cookies, authentication tokens and other sensitive data before sending the information to cybercriminals. The stolen credentials can then be used to access email accounts, social media profiles, financial services and other online platforms.
HIBP added the records to its database on June 15, allowing users to check whether their email addresses or passwords appear in the leaked collection.
Security experts advised users whose credentials have been exposed to immediately change their passwords on all accounts that use the same login details. They also recommended using password managers to create unique passwords and enabling two-factor authentication (2FA) to add layer of security.
HIBP said the source of the stolen data and the specific malware responsible for collecting the information have not been identified. However, researchers warned that infostealers have become one of the most common tools used by cybercriminals because they allow attackers to steal credentials without directly breaking into websites.
The latest discovery follows previous large-scale credential exposures, including collections containing billions of leaked email addresses and passwords compiled from past breaches and credential-stuffing databases.
Cybersecurity specialists warned that reused passwords remain one of the biggest risks, as criminals often test stolen credentials across multiple services to hijack accounts. Users are urged to regularly update passwords and avoid using the same password across different platforms.
