124 million unique password confirmed in new infostealer database.gettyA dataset containing more than 56 million email addresses and 124 million unique passwords was added to the Have I Been Pwned database of compromised credentials on June 15. The staggering volume of stolen passwords was compiled from “hundreds of millions of stealer log records,” according to HIBP. This latest dataset, however, has not resulted from a new breach of any specific service or platform. Instead, it is a compilation of credentials from previous infostealer malware attacks, all in one place, available as a corpus of login data for cybercriminals to access and use in new exploits. Here’s what you need to know and do. ForbesMy Password Has Been Stolen—What Happens Next?By Davey WinderMillions Of Passwords Included In New Infostealer Log CompilationInfostealers are a kind of malware designed, as the name would suggest, to steal information; specifically, login credentials including passwords and authentication tokens. That there are so many logs of successful infostealer attacks is hardly surprising when you consider that malware-as-a-service platforms have lowered the barrier to entry for such threats to the point where anyone willing to pay a fee can execute them. According to KELA, a threat intelligence platform, almost 4 million unique devices were infected with infostealer malware during 2025, collectively yielding 347.5 million compromised credentials. When you added in compromised credentials from sources including databases of infostealer logs, however, KELA put that total at 2.86 billion records in all. Although it has not been disclosed precisely where the new dataset of infostealer logs originated or which malware was used in the original attacks, the fact that there are 124 unique passwords and 56 million unique emails should be cause for concern. This type of information can be used in what are known as credential stuffing attacks, where cybercriminals use software to try known legitimate passwords against multiple accounts associated with any given email address. If you have used the same password across different accounts or services that have been compromised in an attack on one of them, even if you have since changed your details for logging into the breached account, they are all now at risk if included in this latest corpus of stolen credential information. Check your passwords now at HIBPDavey WinderMORE FOR YOUHIBP recommended that you either search the Pwned Passwords database for specific passwords or use the HIBP dashboard to view any records that have been aligned with your email address. If any passwords are found to have been included, then you should change them immediately, assuming you have not done so already, if it is an old breach that you were already aware of, and apply two-factor authentication if it is available for your account.To which I would add, drawing on more than 35 years of cybersecurity experience, use a password manager: this will enable you to employ strong and unique passwords without needing to remember them all. And finally, switch to using a passkey if the option is available, as they are much harder to compromise and will not appear in these kinds of infostealer log collections.