Millions of internet users are being urged to check their accounts after a huge cache of stolen login details was uncovered online, exposing more than 56 million email addresses and 124 million passwords.
The leaked credentials have now been added to the database of Have I Been Pwned (HIBP), a popular website that lets people check whether their personal information has been caught up in a data breach.
Unlike previous mega leaks that targeted a single company, this trove was collected through infostealer malware, a growing cyber threat that secretly infects computers and steals sensitive data directly from victims.
These malicious programs search infected devices for saved passwords, browser information, cookies, access tokens and other personal details before sending them to cybercriminals.
According to HIBP, the newly added records came from hundreds of millions of individual malware logs gathered from compromised devices worldwide. Researchers identified 56.3 million unique email addresses and 124 million unique passwords within the dataset.
The discovery highlights a worrying shift in cybercrime. Instead of attacking major websites, criminals are increasingly targeting individual users, harvesting credentials straight from their computers and phones.
Anyone can check whether their email address appears in the leaked records by searching the Have I Been Pwned database. Security experts warn that anyone whose details have been exposed should immediately change passwords on all affected accounts.
Experts also recommend using a password manager to create strong and unique passwords for every account. Reusing the same password across multiple websites can allow hackers to gain access to several accounts from a single leak.
Another key defence is enabling two factor authentication, which adds an extra layer of security by requiring a second verification step. Even if criminals obtain a password, they may still be blocked from accessing the account.
HIBP has also added the exposed passwords to its Pwned Passwords database, allowing users to check whether their chosen passwords have previously appeared in cybercrime datasets.
While researchers have not identified the specific malware responsible for collecting the information, the leak serves as another stark reminder of the growing threat posed by infostealers, which have become one of the most effective tools in the cybercriminal arsenal.
