Millions of online accounts may be at risk after a massive trove of stolen login credentials surfaced online.
The newly uncovered collection contains more than 56 million email addresses and 124 million passwords harvested from infected devices around the world.
The records were added to Have I Been Pwned (HIBP), a service that allows users to check whether their personal information has been exposed.
Unlike many major leaks, the data did not originate from a hack targeting a single company or website. Instead, the credentials were pulled directly from computers compromised by so-called infostealer malware.
These malicious programs quietly scour infected devices for saved passwords, browser data, cookies and other sensitive information before sending it back to cybercriminals.
HIBP said the dataset was compiled from hundreds of millions of individual stealer logs, resulting in 56.3 million unique email addresses and 124 million unique passwords.
The discovery highlights a growing threat in which hackers can steal login credentials directly from victims’ devices without ever breaching the online services they use.
Users can find out whether their email address appears in the newly uncovered trove by searching Have I Been Pwned, which incorporated the records into its database on June 15.
The newly uncovered collection contains more than 56 million email addresses and 124 million passwords harvested from infected devices around the world
HIBP urged users who found their credentials were compromised to change their passwords immediately on every account where they were used.
‘Use a password manager to generate and store strong, unique passwords for all your accounts,’ HIBP said in a blog post.
‘1Password helps protect your data with industry-leading security.’
Security experts also recommend enabling two-factor authentication, which requires a second form of verification and can prevent hackers from accessing an account even if they have the password.
HIBP said the newly added records came from so-called “stealer logs” generated by infostealer malware after it harvests login credentials from infected devices.
The dataset was compiled from hundreds of millions of those records, allowing researchers to identify unique email addresses and passwords.
The passwords have since been added to the site’s Pwned Passwords database, where users can check whether their credentials have been exposed.
HIBP did not identify the specific malware responsible for collecting the data or disclose where the records were originally obtained.
HIBP urged users who found their credentials were compromised to change their passwords immediately on every account where they were used
Infostealers have become one of the most widely used tools among cybercriminals because they can quietly siphon sensitive information directly from victims’ devices.
The malware scans computers for saved passwords, browser data, cookies, access tokens and other personal information that can be used to hijack online accounts or carry out further attacks.
In November, HIBP compiled a collection of 1.3 billion passwords alongside nearly two billion email addresses has been exposed online.
With more than 5.5 billion people worldwide using the internet, researchers warned that everyone should change their passwords as a precaution.
The records combined past breaches with credential-stuffing lists, a type of data used by attackers to try stolen passwords across multiple accounts.
HIBP verified the dataset by checking actual users’ credentials. Many passwords were old or unused, but others were still actively protecting accounts, illustrating the real-world risk.
