Morning Overview

About 24 billion stolen passwords surfaced online, and yours may be among them

Security researchers say a newly discovered database has exposed roughly 24 billion stolen records online, one of the largest single collections of leaked credentials ever cataloged. According to Malwarebytes, the trove was assembled from dozens of sources and is dominated by so-called infostealer logs — usernames, passwords and the services those credentials unlock.

Numbers this large can blur into abstraction, but the practical meaning is concrete: an enormous share of the passwords people use every day are now sitting in criminal hands, ready to be tried against banking, email and shopping accounts. Aggregated dumps like this turn scattered breaches into a single searchable weapon, which is what makes them so dangerous even when much of the underlying data is old.

What is actually in the dump

The collection was built from 36 sources, including Telegram channels, compilations of earlier breaches, and logs harvested by information-stealing malware. Because so much of it comes from infostealers rather than a single hacked company, the exposure spans an enormous range of online services, from email and social media to banking and government portals.

Infostealer malware is a particularly insidious source because it captures credentials directly from an infected device as the user types them, along with session data that can sometimes bypass passwords entirely. That means the leaked material is not limited to one company’s customer list; it reflects whatever the victims logged into on a compromised machine, cutting across every service they used.

Why reused passwords are the real danger

The immediate risk is not that one site was breached but that criminals can try leaked username-and-password pairs across many services. When people reuse the same password, a single old leak can open the door to accounts that were never directly compromised, a technique known as credential stuffing that powers account takeovers, identity theft and targeted phishing.

Automated tools let criminals test billions of stolen pairs against countless sites in a short time, and every reused password multiplies the damage from a single leak. That is why security professionals treat password reuse as one of the most consequential habits an ordinary user can change — it converts one breach into a skeleton key for a person’s entire online life.

What to do now

Researchers advise treating the leak as a prompt to change reused passwords, enable two-factor authentication, and move toward a password manager or passkeys where available. Free tools that check whether an email address appears in known breaches can help users prioritize which accounts to secure first. The database itself is reportedly no longer publicly accessible, but the credentials inside it can circulate indefinitely once copied.

Two-factor authentication is especially valuable because it can block an account takeover even when a password is known, requiring a second step the attacker does not have. Passkeys, which replace passwords with cryptographic keys tied to a device, go a step further by removing the reusable secret altogether. Adopting either meaningfully reduces the odds that a leak like this one turns into a personal disaster.

This article was researched with the help of AI, with human editors creating the final content.