56 million email addresses and 124 million passwords exposed, time to harden your logins

Troy Hunt’s Have I Been Pwned (HIBP) added a massive collection of infostealer malware logs to its database this month, comprising 56 million unique email addresses and 124 million unique passwords drawn from hundreds of millions of individual stealer log records. The passwords have been added to Pwned Passwords and are now searchable.

The scale of the leak is a reminder that credential theft is no longer a one-time event, it is a continuous industry. Akamai tracks 193 billion credential stuffing attempts per year globally. Attackers collect credentials through infostealer malware that silently extracts saved login data from browsers and password managers, then uses automated tools to replay them against other services, betting on password reuse.

If any of your passwords appear in this new dump, or if you are still reusing passwords across sites, here is what to do now.

Every account needs its own password. A password manager, whether standalone (1Password, Bitwarden) or built into your browser or phone, generates and stores unique credentials so you never need to remember or reuse one. There is no excuse for reuse in 2026; every major platform has a built-in password manager that syncs across devices.

Step two: enable two-factor authentication

A stolen password alone should not be enough to break into an account. Two-factor authentication adds a second check, typically a time-based code from an authenticator app, a hardware security key, or a biometric scan. Prioritise 2FA on email, banking, social media, and any account that stores payment information. Avoid SMS-based 2FA where possible; SIM-swap attacks remain a proven bypass.

Step three: switch to passkeys

Passkeys replace passwords entirely with cryptographic key pairs stored on your device. You authenticate with your face, fingerprint, or device PIN, nothing to type, nothing to leak. Apple, Google, and Microsoft all support passkeys across their platforms, and the FIDO Alliance reports that 65 per cent of organizations have deployed or are piloting passkeys for workforce access. For consumers, passkeys are supported on most major websites and continue to roll out.

Check your exposure

Visit haveibeenpwned.com and enter your email address to see if it appears in this or any other breach. For organizations, HIBP’s domain search and stealer logs API let security teams monitor credential exposure across their workforce.

The safest account is one an attacker cannot log into even with your password. That means unique credentials on every site, a second factor enabled, or better yet, no password at all.

Sources: Have I Been Pwned: June 2026 Stealer Logs (HIBP, June 2026); Credential Stuffing in 2026 (Lunar Cyber, May 2026); FIDO Alliance State of Passkeys 2026 (FIDO Alliance, May 2026)

Scroll to Top