Full Report
In June 2026, a collection of accumulated stealer logs from various sources was added to HIBP. The corpus comprised 56M unique email addresses across hundreds of millions of stealer log records. The data also contained 124M unique passwords, which have been added to Pwned Passwords and are now searchable. Individuals can view any records captured against their email address in the stealer logs section of their dashboard. Organisations can see logs affecting their domain via the stealer logs API.
Analysis Summary
# Incident Report: June 2026 Stealer Logs Aggregation
## Executive Summary
In June 2026, the breach notification service "Have I Been Pwned" (HIBP) identified and processed a massive corpus of "stealer logs" aggregated from various illicit sources. The incident represents a significant credential harvest, exposing over 56 million unique email addresses and 124 million unique passwords captured via information-stealing malware. The outcome was the public indexing of these credentials to allow individuals and organizations to verify and remediate their exposure.
## Incident Details
- **Discovery Date:** June 15, 2026 (Date added to HIBP)
- **Incident Date:** June 2026
- **Affected Organization:** Global (Multiple organizations/users affected by various malware campaigns)
- **Sector:** Information Technology / Cybersecurity
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-June 2026 (Ongoing accumulation)
- **Vector:** Information-stealing malware (Infostealers)
- **Details:** Attackers utilized various malware strains to infect end-user devices, likely through phishing, cracked software, or malicious downloads, to scrape data from local browsers and applications.
### Lateral Movement
- **Details:** While the "stealer logs" themselves are the end product of local machine infection, they are frequently used by subsequent threat actors to perform credential stuffing or session hijacking to move laterally into corporate networks.
### Data Exfiltration/Impact
- **Details:** Hundreds of millions of records were exfiltrated from infected machines worldwide. This included a unique count of 56 million email addresses and 124 million passwords.
### Detection & Response
- **Discovery:** HIBP discovered or was provided with the accumulated corpus of logs from multiple "stealer" sources.
- **Response Actions:** HIBP parsed the data, de-duplicated 56.3 million accounts, and integrated the 124 million passwords into the "Pwned Passwords" database for public/enterprise searching.
## Attack Methodology
- **Initial Access:** Infostealer malware (RedLine, Vidar, Raccoon, etc.)
- **Persistence:** Local persistence on infected user accounts.
- **Credential Access:** Scraping saved credentials from web browsers, FTP clients, and VPN profiles.
- **Collection:** Automated harvesting of local SQLite databases and cookie stores.
- **Exfiltration:** Data sent via HTTP/S or Telegram bots to attacker-controlled C2 servers.
- **Impact:** Mass credential exposure and potential for downstream account takeovers (ATO).
## Impact Assessment
- **Financial:** High potential for secondary financial fraud via bank account access and corporate email compromise (BEC).
- **Data Breach:** Exposure of 56M unique emails and 124M unique passwords.
- **Operational:** Massive requirement for password resets and 2FA resets across affected services.
- **Reputational:** Confidence in digital security is degraded for users whose "secure" browsers were compromised.
## Indicators of Compromise
- **Network Indicators:** hxxps[://]haveibeenpwned[.]com (the official site for checking exposure, listed here as a reference point rather than as an attacker-controlled indicator). *Note: Specific malware C2s are not listed in the summary but were the original exfiltration points.*
- **Behavioral Indicators:** Large-volume credential stuffing attempts following the publication of such datasets.
## Response Actions
- **Containment:** HIBP ingested the data to "burn" the utility of the leaked passwords.
- **Eradication:** Users are advised to rotate compromised passwords immediately.
- **Recovery:** Implementation of Multi-Factor Authentication (MFA) to nullify the value of the stolen credentials.
## Lessons Learned
- **Key Takeaways:** Browser-saved passwords remain a high-value target for malware. Traditional antivirus may fail to stop "silent" infostealers.
- **Weaknesses:** Reliance on single-factor authentication (passwords) remains the primary driver for these campaigns.
## Recommendations
- **Avoid Saving Passwords in Browsers:** Transition to dedicated, encrypted password managers.
- **Enforce MFA:** Mandatory Multi-Factor Authentication (FIDO2/WebAuthn preferred) for all public-facing and internal corporate accounts.
- **Endpoint Protection:** Deploy robust Endpoint Detection and Response (EDR) to identify infostealer execution.
- **Monitoring:** Organizations should use the HIBP Stealer Logs API to monitor for domain-specific credential leaks in real time.
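As an added example (not HIBP's own code), the following checks a password against the Pwned Passwords corpus the report says these 124M passwords were added to, using the real k-anonymity range API so that only the first five hex characters of the SHA-1 leave the host; the fetcher is injectable, and `SAMPLE_RANGE_5BAA6` and `offline_fetch` are constructed stand-ins so the block runs offline.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

# Real HIBP Pwned Passwords range endpoint: only a 5-hex-char SHA-1 prefix is sent.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

def fetch_range_http(prefix: str) -> str:
    """Fetch the suffix list for a prefix. Add-Padding makes HIBP pad the
    response with zero-count rows so its size does not reveal match counts."""
    req = urllib.request.Request(RANGE_URL.format(prefix=prefix),
                                 headers={"Add-Padding": "true",
                                          "User-Agent": "pwned-passwords-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; padding rows (count 0) and malformed rows are dropped."""
    seen: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        suffix, count = suffix.upper(), count.strip()
        if not sep or len(suffix) != 35 or not count.isdigit():
            continue
        if int(count) > 0:
            seen[suffix] = int(count)
    return seen

def pwned_count(password: str,
                fetch_range: Callable[[str], str] = fetch_range_http) -> int:
    """How many times the password appears in Pwned Passwords (0 if absent).
    The password and the remaining 35 hash characters never leave this host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return parse_range(fetch_range(digest[:5])).get(digest[5:], 0)

# Constructed sample response for offline use (not real HIBP data): one row that
# matches SHA-1("password"), one padding row, one unrelated row.
SAMPLE_RANGE_5BAA6 = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "0123456789ABCDEF0123456789ABCDEF012:0\r\n"
    "FEDCBA9876543210FEDCBA9876543210FED:12\r\n"
)

def offline_fetch(prefix: str) -> str:
    """Stand-in fetcher serving the constructed sample for prefix 5BAA6."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""

if __name__ == "__main__":
    print(pwned_count("password", offline_fetch))  # 3861493 with the sample above
```

Calling `pwned_count(pw)` without the second argument queries the live API; a non-zero result means the password should be rotated, which is the same signal an enterprise can fold into a password-change policy.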