124 Million Passwords Compromised by Infostealer

The data breach checking service Have I Been Pwned (HIBP) announced a significant expansion of its database on June 15, 2026. This new collection includes 124 million passwords and 56.3 million email addresses. These data do not stem from a single hacking incident but were directly captured from infected computers and devices. The information was gathered by so-called infostealer malware, which extracts stored credentials from the affected systems.

According to HIBP, this is a collection of stealer logs consisting of hundreds of millions of individual records. The newly identified email addresses and passwords have been added to the Pwned Passwords database, where they can be checked by users. The exact type of malware behind this data has not been specified by HIBP. Information regarding the original source of the data collection remains unclear. Infostealers are currently particularly dangerous as they are often used by cybercriminals to steal sensitive information.

The malware searches Windows PCs and other devices for stored passwords, browser data, cookies, and access tokens. A major issue is that many users do not notice when such malware has infiltrated their device. This allows credentials to be harvested unnoticed over extended periods. The current data collection highlights that credentials are at risk not only from data breaches at companies but also directly from users' end devices. Users who wish to check their email address in the new collection can do so via the Have I Been Pwned website.

The service also offers the option to register for automatic notifications. Anyone who finds their email address or passwords in the new collection should take immediate action. It is recommended to change affected passwords right away, especially if the same combination is used for other online services. Cybercriminals often exploit such combinations for credential stuffing attacks. Additionally, the use of two-factor authentication (2FA) is recommended to enhance account protection.

With this method, a stolen password alone is not sufficient to access an account. Implementing 2FA can significantly improve security. The threat posed by infostealer malware has increased in recent years, underscoring the need for users to review their security practices. The proliferation of such malware indicates that cybercrime is a growing problem affecting both individuals and businesses. According to HIBP, the new data represents one of the largest collections of compromised credentials ever recorded.

The security situation remains tense, and experts advise regularly changing passwords and updating security measures. The use of password managers can also help enhance security and facilitate credential management. The new collection from HIBP serves as another wake-up call for all internet users. The Have I Been Pwned database was updated on June 15, 2026, and users are urged to check their accounts immediately.