Critical

Stealer Logs Breach: 56M Emails & 124M Passwords (2026)

In June 2026, a collection of accumulated stealer logs from various sources was added to HIBP. The corpus comprised 56M unique email addresses across hundreds of millions of stealer log records. The data also contained 124M unique passwords, which have been added to Pwned Passwords and are now searc...

Overview

In June 2026, a massive collection of stealer logs - data harvested by information-stealing malware from infected computers - was added to Have I Been Pwned (HIBP). The corpus includes 56,278,397 unique email addresses and 124 million unique passwords, making it one of the largest credential dumps ever aggregated. Unlike a single-company breach, this dataset is a compilation of logs captured over time from thousands of compromised devices worldwide. Attackers typically use stealer malware to exfiltrate saved browser passwords, autofill data, and session tokens from infected systems.

What Was Exposed

  • 56 million unique email addresses - the usernames of accounts that were logged in on compromised devices.
  • 124 million unique passwords - plaintext credentials captured from browser password managers, login forms, and saved sessions.
  • Additional stealer log metadata (IP addresses, timestamps, device fingerprints) - this can help attackers correlate accounts.

Because the data was harvested directly from endpoint devices, the passwords are in plaintext - not hashed or salted. This is far more dangerous than a typical server breach, where stored passwords are often hashed.

How the Breach Happened

Stealer malware - such as RedLine, Vidar, or Raccoon - infects computers through phishing attachments, cracked software downloads, or drive-by downloads. Once active, the malware scrapes browser databases for saved credentials, autofill data, and browser cookies. The collected logs are then uploaded to attacker-controlled servers. In this case, an unknown party aggregated logs from multiple campaigns over time, likely for sale or research purposes, before disclosing them to HIBP. There was no single vulnerability or corporate breach; rather, this represents a systemic failure in device-level security.

Account Takeover Risks

With plaintext passwords and email addresses publicly available, attackers can immediately attempt credential stuffing - trying the same email-password pair across hundreds of services. If you reuse passwords across accounts, one compromised device could lead to takeovers of your email, banking, social media, and work accounts. The 124 million unique passwords have also been added to Pwned Passwords, meaning any organization checking new user passwords against that database will flag these as compromised.
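How a sign-up or password-reset form can screen a candidate password against Pwned Passwords using the service's k-anonymity range lookup, so that only the first five characters of the SHA-1 digest leave the client. This is an added example, not code from the original report or from HIBP; the response body is constructed, and `fetch_range` is a hypothetical stand-in for the HTTPS GET to `https://api.pwnedpasswords.com/range/<prefix>`.

```python
import hashlib

def sha1_split(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_body(body):
    """Parse 'SUFFIX:COUNT' lines; skip malformed lines and zero-count padding."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35 or not count.isdigit():
            continue
        if int(count) > 0:  # padded responses carry decoy entries with count 0
            counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password, fetch_range):
    """Times the password appears in the corpus; only the prefix is handed to fetch_range."""
    prefix, suffix = sha1_split(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)

# --- constructed offline stand-in for the range endpoint (not real data) ---
SENT_PREFIXES = []

def fake_fetch_range(prefix):
    SENT_PREFIXES.append(prefix)  # record exactly what would leave the client
    known_prefix, known_suffix = sha1_split("password")
    lines = ["0" * 35 + ":0", "F" * 34 + "E:7"]  # padding entry, unrelated hit
    if prefix == known_prefix:
        lines.insert(1, known_suffix + ":12345")  # constructed count
    return "\r\n".join(lines)

def acceptable(password, fetch_range=fake_fetch_range):
    """Policy decision for a sign-up or reset form: reject any known-breached password."""
    return pwned_count(password, fetch_range) == 0

if __name__ == "__main__":
    for candidate in ("password", "vK9#constructed-unique-passphrase-2026"):
        print(candidate, "->", "accept" if acceptable(candidate) else "reject")
    print("sent to server:", SENT_PREFIXES)
```

The matching happens locally against the returned suffix list, so the service never learns which password was tested, and zero-count padding entries are ignored rather than treated as hits.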

How to Check If You’re Affected

Visit Have I Been Pwned and enter your email address. If your email appears in the stealer logs, HIBP will show which domains or services were captured. Organizations can also use the Stealer Logs API to check for logs tied to their corporate domain. This is especially critical for businesses: stealer logs from employee devices can expose corporate credentials and sensitive internal systems.

What to Do Right Now

If your email appears in the dataset:

  1. Change every password that matches the exposed password immediately. Prioritize email, banking, and work accounts.
  2. Enable multi-factor authentication (MFA) on all accounts that support it - especially email, which is the reset key for everything else.
  3. Scan your devices for malware using a reputable antivirus or endpoint detection tool. Stealer malware may still be active.
  4. Use a password manager to generate and store unique, complex passwords for every account. Never reuse passwords.
  5. Check for session hijacking - if your browser cookies were exfiltrated, attackers may still have active sessions. Log out of all devices and re-authenticate.

For businesses: immediately investigate any employee whose email appears in the logs. Enforce MFA company-wide and consider a mandatory password reset for all accounts tied to that domain.

Security Insight

This breach underscores a fundamental truth: no company can protect your credentials if they are stolen directly from your device. Stealer logs bypass encryption, server-side security, and even zero-trust architectures because the attacker already has the user’s plaintext password. The 124 million passwords added to Pwned Passwords will help companies block newly compromised credentials, but the real lesson is that credential hygiene must evolve beyond passwords alone. Hardware-bound passkeys and phishing-resistant MFA are the only reliable defense against this class of attacks.
