Skip to content
Advisories

Billions of Passwords Leaked: How to Check If Yours Is Exposed

Billions of Passwords Leaked: How to Check If Yours Is Exposed

If you have ever reused a password, this is the week to fix it. Researchers have uncovered one of the largest collections of stolen login data ever found online — a single, unsecured database holding roughly 24 billion records. With billions of passwords leaked into one place, the odds that at least one of your old logins is sitting in a file like this are uncomfortably high.

The reassuring part: the exposed database has already been pulled offline, and protecting yourself takes only a handful of practical steps. This advisory covers what was found, why this particular leak is more dangerous than the usual breach headlines, how to check whether your details are exposed, and exactly what to do next.

What Researchers Found

Security researchers at Cybernews discovered a publicly accessible database — more than 8 terabytes of data totalling around 24 billion records — sitting open on the internet before it was taken offline. The information was pulled together from 36 different sources, including Telegram channels, older breach compilations, and huge collections of infostealer logs harvested from infected computers.

To put that in context, this sits alongside the so-called “mother of all breaches” — a 16-billion-record trove found in 2025 and an even larger collection before it. Researchers could not fully remove duplicates before the data was taken down, so the number of unique victims is lower than the headline figure. Even so, with this many credentials and billions of passwords leaked together, almost anyone who has used online services for a few years likely has something in a dataset like this.

Worryingly, the person maintaining the hoard appeared to be actively updating it — it even contained logs of recent security-news articles and known software vulnerabilities. That suggests it was built either as a commercial monitoring service or, more likely, as an attacker’s working toolkit for breaking into accounts.

Why This Leak Is More Dangerous Than Most

Most breach headlines involve old, static data: a list of emails and scrambled passwords from a company hacked years ago. This collection is different, because the bulk of it comes from infostealer logs, which are fresh and far more useful to criminals.

Infostealer malware silently siphons data straight off an infected computer. A typical log contains the victim’s usernames, their passwords in plain text, the exact login pages those credentials unlock, and sometimes active session cookies and device fingerprints. That last detail matters: a stolen session cookie can let an attacker step straight into an account without needing the password or even your two-factor code.

Because the data is current and neatly organised, it is ideal fuel for “credential stuffing” — automated tools that try your leaked email-and-password combination across hundreds of other websites until one lets them in.

Stolen credentials sit behind roughly a fifth of all confirmed breaches, according to widely cited industry research. That is exactly why a leak on this scale deserves a calm, deliberate response rather than a shrug or a panic.

How to Check If Your Passwords Leaked

The quickest way to find out whether you are caught up in this is to check your email address against a reputable breach-notification service. The free Have I Been Pwned website lets you enter an email and see which known breaches and leaks include it, and it added 56.3 million email addresses and 124 million unique passwords from this infostealer data on 15 June 2026.

Enter every address you use, not just your main one. If an email turns up, treat any password you have ever paired with it as compromised. Our guide on how to check if your email has been hacked walks through the warning signs in more detail, and a dark web monitoring service can alert you automatically if your details resurface in future.

Many password managers and modern browsers also include a built-in breach check that flags reused or exposed passwords as you log in. If you have that feature, turn it on — it quietly does this checking for you on every account you save.

What to Do Right Now

There is no need to panic, but it is worth acting methodically. Work through these steps in order, starting with the accounts that matter most:

  1. Change reused passwords first, beginning with your email, your bank, and anything tied to money. Your email is the master key — if it falls, attackers can reset everything else.
  2. Give every important account its own unique password. A password manager generates and stores these for you, so you never have to reuse or remember one again.
  3. Turn on multi-factor authentication everywhere it is offered. A leaked password is far less useful when a second factor is also required to log in.
  4. Where it is supported, switch to passkeys instead of passwords, which cannot be reused, guessed, or phished the way a password can.

For your most sensitive accounts, a hardware security key adds the strongest protection available. Working through this short list once turns an alarming headline into a closed chapter — and leaves you in a far better position than you were before the news broke.

The Real Lesson: Keep Infostealers Off Your PC

Because so much of this leak came from infostealer malware, the most valuable long-term takeaway is keeping that malware off your own machine in the first place. These infections usually arrive through cracked or pirated software, fake “free download” pages, malicious browser extensions, and booby-trapped email attachments.

Be especially wary of any website that asks you to paste commands into the Run box or a terminal to “verify” or “fix” something — that is a common trick for delivering exactly this kind of password-stealing malware. Keep Windows and your browser fully updated, run a reputable security scan if anything feels off, and lean on the habits in our complete guide to security and privacy.

One important caveat: if you suspect a device is already infected, changing your passwords from that same machine is pointless, because the malware will simply capture the new ones too. Clean the computer first, then change your passwords from a device you trust.

After a Leak, Expect More Phishing

A leak like this does not end when the database goes offline. Criminals use exposed email addresses and old passwords to craft convincing phishing messages and to attempt account takeovers across the web. Expect a possible uptick in emails that already know your name, or even quote an old password, to pressure you into clicking a link or making a payment.

Slow down with any unexpected “security alert,” invoice, or password-reset message, and reach services by typing their address directly rather than following a link. Our guide to preventing account takeover covers the warning signs, and the NCSC website has resources you may find useful for locking down your accounts. If you believe your identity has already been misused, our notes on identity theft recovery explain the steps to take.

Billions of Passwords Leaked: Your Questions Answered

Were my passwords actually leaked in this?

Possibly. Researchers could not confirm exactly whose data was included, so the safest move is to check your email addresses on a breach-notification service. If any of them appear, or if you have reused passwords, assume those passwords are exposed and change them.

Is the leaked data still online?

The specific exposed database was taken offline shortly after it was discovered. However, copies of credential collections like this circulate widely, and the underlying stolen passwords do not expire. Reused passwords remain at risk regardless of whether this particular database is reachable today.

Do I really need to change every single password?

No. Focus first on any password you have reused and on your most important accounts — email, banking, and anything financial. From there, the goal is simply to give each account a unique password going forward so that one leak can never unlock the rest.

Does two-factor authentication still protect me?

Yes, strongly. Multi-factor authentication blocks the vast majority of attacks that rely on a stolen password alone. Be aware that stolen session cookies can occasionally sidestep it, which is why passkeys and hardware keys are even safer for your most critical accounts.

With billions of passwords leaked, the headline sounds frightening — but the response is genuinely simple. Check your exposure, retire your reused passwords, switch on multi-factor authentication, and keep your devices clean. Do that today, and a record-breaking leak becomes little more than a useful reminder to tighten up.

Nikolas Lamprou

Nikolas Lamprou (MSc; GCFR, SC-200, Security+) has been working with computers professionally since 2009 — starting with web development and e-commerce, and moving into cybersecurity over the years. Based in Greece, he brings over 15 years of real-world IT experience to SolveTechToday, where he writes about Windows fixes, software reviews, security tools, and AI applications. His goal is straightforward: cut through the noise and give readers clear, honest guidance on the tech decisions that matter.

Stay Ahead

Fix your next problem before it starts

Get the week's best Windows fixes, software picks, and security guides delivered straight to your inbox. No noise, just solutions.

Press ESC to close · Try "Windows 11" or "Chrome"