124 Million Passwords Added To Breach Database After Infostealer Malware Attacks


Have I Been Pwned has added 56.3 million email addresses and 124 million passwords to its breach database after a large collection of stolen credentials was found in infostealer malware logs. The data does not appear to come from one company breach. Instead, the login details were reportedly taken directly from infected computers and devices.

That makes this update especially important. Many people think password leaks only happen when a website or online service is hacked. This case shows another risk. If malware gets onto your computer, it can steal saved passwords, browser cookies, access tokens, and other sensitive data without you noticing.

The new records were added on June 15, 2026. Anyone who wants to check whether their email address appears in the dataset can use Have I Been Pwned. If your address or password appears, you should change affected passwords immediately and secure important accounts with two-factor authentication.

Why this password leak is different

Many breach alerts come from attacks on companies, websites, or cloud services. In those cases, attackers steal information from a central database. This dataset is different because it comes from so-called stealer logs.

Stealer logs are created when infostealer malware infects a device and collects stored login details. These logs can include passwords saved in browsers, session cookies, autofill data, tokens, and other private information.

That means the victim may not have done anything obvious on a hacked website. Their own PC may have been compromised, and the malware may have quietly collected credentials over time.

| Detail | Information |
| --- | --- |
| Emails added | 56.3 million |
| Passwords added | 124 million |
| Source type | Infostealer malware logs |
| Database updated | June 15, 2026 |
| Main risk | Stolen credentials from infected devices |
| Recommended action | Change passwords and enable two-factor authentication |

Why infostealer malware is dangerous

Infostealers are widely used by cybercriminals because they are quiet, effective, and easy to profit from. Once installed on a Windows PC or another device, the malware can scan for saved credentials and send them to attackers.

The worst part is that many people do not know they are infected. A device can continue working normally while passwords and session data are being stolen in the background.

Attackers can use this information in several ways. They may try to log in directly to your email, social media, shopping, banking, or work accounts. They may also sell the stolen logs to other criminals. If you reuse passwords, one stolen login can expose several accounts at once.

How to check if your email or password was exposed

You can check your email address on Have I Been Pwned to see whether it appears in known breach datasets. The service also lets you sign up for alerts, so you can receive an email if your address appears in future leaks.

The password database works differently for safety reasons. It lets you check whether a password has appeared in known breaches without revealing the password itself in plain text. If a password appears in the database, you should stop using it.
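An added example (not code from Have I Been Pwned or from this article) of how such a check can avoid sending the password: the k-anonymity range lookup used by the Pwned Passwords service, where only the first five hex characters of the password's SHA-1 hash leave the machine and the match is done locally. The remote service is replaced here by a local stand-in, and the passwords and counts in it are constructed sample data.

```python
import hashlib

def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password; return (5-char prefix that is sent, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines from a range response, skipping malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range) -> int:
    """Return how often the password was seen; 0 means not found.

    fetch_range(prefix) must return the response body for that prefix.
    Padding entries (count 0) are treated the same as 'not found'.
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

# --- Constructed stand-in for the remote service (sample data, not real counts) ---
SAMPLE_CORPUS = {"password": 1000, "hunter2": 25}
sent_to_service = []  # records everything that would cross the network

def fake_fetch_range(prefix: str) -> str:
    sent_to_service.append(prefix)
    lines = []
    for known, seen in SAMPLE_CORPUS.items():
        p, s = split_hash(known)
        if p == prefix:
            lines.append(f"{s}:{seen}")
    lines.append("0" * 35 + ":0")  # padding entry, as a padded response would carry
    return "\r\n".join(lines)

if __name__ == "__main__":
    for candidate in ("password", "hunter2", "a-long-unique-passphrase-7281"):
        print(candidate, breach_count(candidate, fake_fetch_range))
    print("sent to service:", sent_to_service)
```
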

Even if your email does not appear, it is still worth improving your password habits. Breach databases are useful, but they do not contain every stolen credential in the world.

What you should do if your data appears

If your email address or password appears in the latest dataset, act quickly. First, change the password on the affected account. Then change it anywhere else you used the same password.

This step matters because criminals often use credential stuffing attacks. They take leaked email and password combinations and try them on many other websites. If you reuse the same password, one leak can quickly become many account takeovers.

You should also enable two-factor authentication on important accounts. This adds another layer of protection, because a stolen password alone may not be enough to log in.

How to protect your accounts going forward

The safest approach is to use a different strong password for every account. A password manager can help you create and store those passwords without needing to remember them all.

You should also avoid saving sensitive passwords in unsafe places, keep your browser and operating system updated, and be careful with unknown downloads, cracked software, fake installers, and suspicious email attachments. Many infostealer infections begin when someone installs something that looks harmless.

This breach update is a reminder that account security is not only about the services you use. Your own device also matters. If malware gets inside your PC, even strong online services may not protect saved credentials from being stolen.
