A massive collection of stolen login credentials containing more than 56 million email addresses and 124 million unique passwords has been added to the Have I Been Pwned (HIBP) database, highlighting the ongoing threat posed by infostealer malware. The dataset was incorporated into HIBP on June 15 and represents one of the largest compilations of compromised credentials gathered from previous cyberattacks.
The newly added records are not linked to a fresh breach of a particular company, platform, or online service. Instead, they originate from a vast aggregation of credentials harvested through numerous infostealer malware campaigns over time. By bringing these records together into a single collection, the dataset provides a valuable resource that cybercriminals could potentially exploit in future attacks.
Infostealers are malicious programs specifically designed to capture sensitive information from infected devices, including usernames, passwords, and authentication tokens. Their spread has accelerated in recent years as malware-as-a-service operations have made sophisticated cybercrime tools accessible to a broader range of threat actors.
According to threat intelligence firm KELA, nearly 4 million unique devices were infected with infostealer malware during 2025. Those infections resulted in approximately 347.5 million compromised credentials. When combined with credentials obtained from databases containing infostealer logs and related sources, KELA estimated the total number of exposed records reached 2.86 billion.
Details regarding the origin of the newly added dataset, including the specific malware strains responsible for collecting the credentials, have not been disclosed. However, cybersecurity experts warn that the combination of 56 million unique email addresses and 124 million unique passwords presents a significant risk to internet users.
The information can be leveraged in credential stuffing attacks, a technique in which attackers automatically test known email and password combinations across multiple online services. Individuals who reuse the same password on different accounts face the greatest danger, as a single compromised credential can potentially provide access to several unrelated services.
Have I Been Pwned advises users to check whether their email addresses or passwords appear in the database using its available tools. Anyone whose credentials are identified in the collection should immediately change affected passwords and enable two-factor authentication wherever possible to strengthen account security.
Cybersecurity professionals also recommend adopting password managers to generate and store strong, unique passwords for every account. In addition, users are encouraged to switch to passkeys when supported by online services, as passkeys are significantly more resistant to compromise and are not vulnerable to inclusion in stolen password databases such as infostealer log collections.