124M Passwords Exposed as Infostealer Malware Hits Millions of Devices


Have I Been Pwned has added 124 million passwords and 56 million email addresses from infostealer logs tied to infected devices.

Written by
Joseph Ofonagoro
Jun 18, 2026

The era of hacking corporate databases may be giving way to something far more direct.

Have I Been Pwned has added a massive collection of infostealer malware records containing 124 million passwords and 56 million email accounts. The credentials came from stealer logs created by malware that harvests sensitive information from infected devices.

The dataset offers a snapshot of how cybercriminal tactics are evolving. As infostealer malware becomes more widespread, attackers are increasingly bypassing organizations altogether and collecting credentials directly from users, creating fresh and simpler opportunities for account takeovers and broader cyberattacks.

What happened and why it matters

The most striking detail isn’t when the data appeared — it’s how much of it exists. 56 million unique email addresses and 124 million unique passwords were included in the infostealer dataset added to Have I Been Pwned.

While the collection was added on June 15, the platform did not specify when the credentials were originally stolen. What is clear is that the records came from malware-infected devices rather than corporate breaches, reflecting a growing shift toward endpoint-focused credential theft.

An infostealer is a type of malware designed to silently steal credentials from an infected device. That includes passwords, email addresses, usernames, and authentication tokens. In some cases, after compressing the stolen credentials into a stealer log and exfiltrating them to attacker-specified destinations, the malware auto-deletes the log file to evade detection.

The stolen credentials were either sold on the dark web or used to take over victims’ accounts. This matters because passwords stored on computers are typically not hashed and can grant access to corporate accounts on devices used for work, which can snowball into something bigger, as seen in some recent corporate attacks.

How to know if you are compromised

Have I Been Pwned also did not assign a name to this massive credential theft, but it provides a way for anyone to check whether they are compromised.

Using the password check

  • Visit Have I Been Pwned.
  • Enter a password you suspect has been compromised (there is no limit to the number of passwords you can check).
  • Have I Been Pwned will run a database check and tell you whether the password returns a match.

It is worth noting that if your password returns a match, that does not necessarily mean the password is yours, especially if it is a weak password that others could use. Still, you need to replace that password with a stronger one.

Using the email address check

  • Visit Have I Been Pwned.
  • Enter your email address.
  • The platform will check its database and return feedback.

If your email address is found in a data breach, Have I Been Pwned will return the incident name. If your address is listed in this month’s dataset, you will also find it there.

You can also sign up to receive automated alerts when your email is involved in a future compromise.
