The data breach notification service Have I Been Pwned (HIBP) has added a large number of compromised login credentials to its database. In total, 56.3 million email addresses and 124 million passwords have been added.
What makes this dataset notable is its origin. Unlike many previous entries, it does not stem from a single cyberattack on an online service. Instead, HIBP says the information was extracted directly from infected computers and devices.
Data originates from so-called infostealer malware
The operator of Have I Been Pwned explains this is a collection of so-called “stealer logs.” These logs are generated by infostealer malware after it extracts login credentials stored on an infected system.
The update is based on hundreds of millions of individual stealer log records. From these, 56 million unique email addresses and 124 million unique passwords were identified. The passwords have also been added to the “Pwned Passwords” database, where they can be checked.
Have I Been Pwned does not specify which particular malware is behind the data collected. Nor does the service provide any further details regarding the original source of the data collection.
Why infostealers are particularly dangerous
Infostealers are among the most commonly used tools by cybercriminals. These malicious programs scan Windows PCs and other devices for stored passwords, browser data, cookies, access tokens, and other sensitive information.
Many users don’t realize their device has been infected. As a result, login details can be stolen over long periods of time without being noticed.
The latest dataset shows that login credentials can fall into the wrong hands not only through data breaches at companies, but also directly from users’ end devices.
How to check if your email address is affected
Anyone wishing to find out whether their email address appears in the new collection can check this via Have I Been Pwned. The service added the records to its database on June 15th, 2026.
Users can also sign up for automatic notifications. They will then receive an email alert if their address is found in future data breaches or datasets.
What you should do now
Anyone who finds their email address or password in the new data collection should act quickly. Change any affected passwords immediately, especially if you reuse them across other online services. Password reuse is what cybercriminals often rely on in so-called credential stuffing attacks.
Two-factor authentication (2FA) offers additional protection. With it, a stolen password alone is not enough to access an account. Many important services, such as email providers, social networks, and online shops, already support this additional layer of security.
As a general rule, it’s advisable to use a unique, strong password for each service. A password manager can help you create and manage secure passwords. This helps prevent a single breach from compromising several accounts at once.



