124 Million Unique Passwords Exposed In New Infostealer Log Dataset

Brownie2019 (Thread author)
Mar 9, 2019
Germany
A vast compilation of 56 million email addresses and 124 million unique passwords has been added to the Have I Been Pwned database. This isn't a new breach but an alarming aggregation of credentials from countless past infostealer malware attacks. These "infostealers" are widespread, with billions of records compromised, enabling cybercriminals to launch credential stuffing attacks, particularly targeting users who reuse passwords. Experts urge immediate action: check HIBP for your details, change any compromised passwords, enable two-factor authentication, and adopt a password manager for unique, strong credentials. Consider switching to passkeys where available for superior security.
Full Story:
This is a good reminder that “new to HIBP” does not always mean “a brand-new breach” — often it’s newly obtained or newly processed data from prior infostealer logs, and the risk is still very real because it’s highly actionable for credential stuffing.

Why this matters
Infostealer log datasets typically contain combinations of:
  • Email/username + password pairs (usable immediately in automated logins)
  • Site/app identifiers (where the credential was used)
  • Sometimes cookies/session tokens and device details (which can enable account takeover even without the password in some cases)

The biggest practical risk is credential reuse: one exposed password can unlock multiple accounts.

What to do (safe, high-impact steps)
  • Check your email addresses in Have I Been Pwned and note which services were involved.
  • Change passwords for any affected accounts (and any other accounts where you reused the same or a similar password).
  • Start with your highest-value accounts: email, Apple/Google/Microsoft, password manager, banking/finance, social media.
  • Enable MFA (authenticator app or hardware key is preferable; SMS is better than nothing but weaker).
  • Revoke active sessions on important accounts (look for “Sign out of all devices” / “Active sessions” pages).
  • Use a password manager and move to unique, randomly generated passwords.
  • Adopt passkeys where available (they greatly reduce the value of stolen passwords for remote attackers).

If you suspect an infostealer on a device
If your credentials were taken by an infostealer, changing passwords only helps if the device is clean.
  • Do password changes from a known-clean device (or after you’ve cleaned/rebuilt the affected one).
  • Run scans with reputable security software (and consider a second-opinion scanner).
  • Update the OS, browsers, and extensions; remove anything you don’t recognize.
  • If you have strong indications of compromise and can’t trust the system, a clean reinstall/reset may be the safest route.

Extra hardening that many people miss
  • Check your primary email account for suspicious forwarding rules and recovery email/phone changes.
  • Where supported, turn on login alerts and review recent account activity.
  • If you used the same password anywhere else, treat those accounts as exposed even if they don’t show up in a database.

Sources
 
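The reply above recommends checking exposed credentials against Have I Been Pwned. The added example below (my own illustration, not code from the thread or from HIBP) shows how the Pwned Passwords k-anonymity check works so that a user or help desk can test a password without ever sending it anywhere: only the first five hex characters of its SHA-1 hash leave the machine, and the matching is done locally on the returned list of hash suffixes. It assumes the documented range-API response format of one `SUFFIX:COUNT` entry per line; the API response used for the offline run is constructed, and the hit count in it is made up.

```python
"""
k-anonymity password check in the style of the Pwned Passwords range API.
The full SHA-1 hash (and the password itself) never leave this process;
only a 5-character hash prefix is sent, and the suffix is matched locally.
"""
import hashlib
from typing import Callable, Dict

# A fetcher takes a 5-char hex prefix and returns the raw response body,
# one "SUFFIX:COUNT" entry per line (assumed response format).
RangeFetcher = Callable[[str], str]


def sha1_hex_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the hash the range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.
    Malformed lines and zero-count padding entries are dropped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        try:
            n = int(count)
        except ValueError:
            continue
        if n > 0:
            counts[suffix.strip().upper()] = n
    return counts


def pwned_count(password: str, fetch: RangeFetcher) -> int:
    """How many times the password's hash appears in the dataset (0 = not found)."""
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def live_range_fetch(prefix: str) -> str:
    """Fetcher for the real service (not used by the offline demo below).
    Add-Padding asks the server to pad the response so its size does not
    leak how many real entries the prefix has."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6.
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its
# suffix is listed here; the count 3861493 is a made-up value.
CONSTRUCTED_RESPONSES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "00000000000000000000000000000000000:0",  # padding entry
        "ABCDEF0123456789ABCDEF0123456789ABC:12",
    ]),
}


def constructed_fetch(prefix: str) -> str:
    """Offline stand-in for the API: any other prefix yields only padding."""
    return CONSTRUCTED_RESPONSES.get(
        prefix, "00000000000000000000000000000000000:0\n"
    )


if __name__ == "__main__":
    for candidate in ["password", "xK9#v2mQ!pL7wZ4r"]:
        n = pwned_count(candidate, constructed_fetch)
        print(f"{candidate!r}: {'seen ' + str(n) + ' times' if n else 'not found'}")
```

To run it against the real service, pass `live_range_fetch` instead of `constructed_fetch`; a non-zero count means the password is already in circulation and should be retired, and a zero count says nothing about reuse across your own accounts, which is the other risk the reply describes.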
