Have I Been Pwned? Adds Over 200 Million Stolen Passwords Harvested via Infostealer Malware

Data breach tracking website Have I Been Pwned? (HIBP) has added 244 million freshly stolen passwords, compromised via infostealer malware, to its Pwned Passwords list and updated the counts of another 199 million that were already there, impacting 284 million unique user accounts.

“We’ve also added 244M passwords we’ve never seen before to Pwned Passwords and updated the counts against another 199M that were already in there,” HIBP founder Troy Hunt wrote. “They contain 23 billion rows with 493 million unique website and email address pairs, affecting 284M unique email addresses.”

The latest addition highlights the evolving threat of hackers continuously refining their tactics to target both organizations and consumers.

HIBP adds freshly stolen passwords

Hunt stumbled upon the trove while analyzing 1.5 TB of stolen logs shared on the hacking Telegram channel ALIEN TXTBASE. The stash was distributed as 744 separate files. The stolen passwords likely stemmed from a mix of new and old data breaches.

“While the size of this dataset is significant, it is not an outlier in the broader landscape of cybercrime. Threat intelligence teams regularly uncover similar data dumps, often composed of stolen information from previous breaches and infections,” said Victor Acin, Head of Threat Intel at Outpost24. “The fact that this dataset includes a mix of old and new credentials suggests that cybercriminals continue to recycle compromised data, increasing the risk of account takeovers for users who reuse passwords.”

Hunt verified the authenticity of the stolen credentials by initiating password resets with the associated email addresses and checking whether the domain in question actually sent a password reset email.

He urged users to check whether their credentials appear in the infostealer malware logs and to subscribe to HIBP notifications to receive more information about the origin of the leak.

However, Hunt said HIBP does not display the affected domain names publicly to unsubscribed users, to avoid exposing victims who use sensitive services. Doing so would also make it easier for attackers to identify which online services to target.

Website owners can also integrate two HIBP APIs to query users’ stolen passwords from infostealer malware logs using email addresses and domain names. However, the APIs operate on a paid subscription model targeting larger organizations that need to process vast amounts of data within a short time.

“Both these new APIs are orientated towards larger organizations and can return vast volumes of data,” Hunt said.
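Website owners who want to act on the Pwned Passwords dataset itself can do so without ever sending a user's password to HIBP; the following added example (not code from HIBP or from the article) shows the k-anonymity lookup against the public Pwned Passwords range API, which is separate from the two paid stealer-log APIs described above. The endpoint, `Add-Padding` header and `SUFFIX:COUNT` response format are as published by HIBP; the sample response body is constructed so the check runs offline.

```python
"""k-anonymity check against HIBP Pwned Passwords: only the first five hex
characters of the SHA-1 digest are sent; matching happens locally."""
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"  # public HIBP endpoint

def split_sha1(password: str) -> tuple[str, str]:
    """Return the 5-char prefix and 35-char suffix of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; padding entries (count 0) are kept and harmless."""
    counts = {}
    for line in body.splitlines():
        if ":" not in line:
            continue  # skip blank or malformed lines
        suffix, count = line.strip().split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, range_body: str) -> int:
    """Return how often the password appears in Pwned Passwords (0 = not found)."""
    _, suffix = split_sha1(password)
    return parse_range_response(range_body).get(suffix, 0)

def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Fetch the suffix list for a prefix; Add-Padding masks the response size."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

# Constructed sample response (not real API output) so the check runs offline.
_, SAMPLE_SUFFIX = split_sha1("password")
SAMPLE_RANGE_BODY = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:0\n"  # padding-style entry
    f"{SAMPLE_SUFFIX}:12345\n"                  # constructed hit for "password"
    "FFFEA1B2C3D4E5F60718293A4B5C6D7E8F9:3\n"
)

if __name__ == "__main__":
    # Live use: breach_count(pw, fetch_range(split_sha1(pw)[0]))
    print(breach_count("password", SAMPLE_RANGE_BODY))  # prints 12345
```

In a registration or password-change flow, a non-zero count is the signal to reject the password; the count itself should not be echoed back to the user in any detail beyond "this password has appeared in a breach".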

Infostealer malware: A persistent challenge for organizations and consumers

Infostealer malware presents a persistent challenge for organizations and consumers by exposing hundreds of millions of account credentials. Infostealers spread through pirated software, seemingly innocuous but infected downloads, malicious ads, and phishing.

During its February 4th CPX 2025 Vienna conference, Check Point Research said it had observed a 58% increase in infostealer malware targeting organizations in Europe, the Middle East, and Africa (EMEA).

The cybersecurity firm observed three infostealer malware strains, AgentTesla, Lumma Stealer, and FormBook, frequently deployed to steal user credentials.

In 2024, cybersecurity firm Kaspersky also found that over 10 million personal and corporate devices were infected with various strains of infostealer malware, marking a 643% increase in three years.

According to Kaspersky, using infostealer malware allowed attackers to steal an average of 50.9 login credentials per infected device.

The firm also found that stolen passwords and data from infected devices were frequently traded on underground forums, putting the victims at risk of various cyber attacks, including ransomware.

In 2021, HIBP also added 441,000 accounts whose stolen passwords were harvested using the Redline infostealer malware.

Meanwhile, organizations can protect themselves from infostealers by enforcing strong passwords, enabling multi-factor authentication, keeping software updated, and investing in user awareness and training.

“For individuals, this reinforces the critical need for strong security practices, including unique passwords for each account, multi-factor authentication, and regular checks on services like Have I Been Pwned to monitor for potential exposure,” Acin added. “Organizations should also enhance their threat intelligence capabilities to track emerging risks from alternative platforms like Telegram and proactively secure their users’ data.”