News

Billions of stolen passwords found online: Here’s what to do  

Jun 30, 2026

Billions of stolen usernames, email addresses, and passwords have been found online. Find out how to check whether your information may have been exposed and the simple steps you can take to protect your accounts.

pexels szaboviktor 7662054

What’s happened 

A huge collection of stolen usernames, email addresses, and passwords have recently been discovered online. The database contained around 24 billion login records gathered from multiple sources, including previous data breaches and information stolen from devices infected with malware.

 While the database has since been removed, the information it contained may still be circulating online and could be used by cyber criminals.  

Researchers believe the data came from a mix of older data breaches, and more recent data from "infostealer” malware. 

Infostealers are a type of malicious software designed to collect information from an infected device. They can steal passwords saved in your browser, login details, autofill information, and other sensitive data.  

This means some people may have had information from multiple accounts exposed in one place. 

Why this data breach matters 

If cyber criminals have access to your email address and password, they may try using those details to access your accounts. This is especially risky if you reuse the same password across multiple websites or services.

 Cyber criminals often use automated tools to test stolen login details on email, social media, shopping, banking, and work accounts. This is known as credential stuffing. 

The more information they have about you, the easier it can be to target you with convincing scams, phishing emails, or account takeover attempts. 

How to check if your information has been exposed 

Firstly, you can check whether your email address has appeared in a known data breach. 

Visit our new tool How Exposed Am I? Own Your Online(external link) to check your email address.

 If your information appears in a breach, don’t panic. There are steps you can take to secure your accounts. 

What you should do now to protect yourself

  • Change any exposed passwords

    If you discover a password has been exposed, change it immediately. 

    Start with your most important accounts, including:

    • Email accounts
    • Online banking
    • Social media accounts
    • Shopping accounts 

    Use a long, strong and unique password for every account. If one password is compromised, using different passwords helps protect your other accounts.

    Create good passwords 

  • Turn on multi-factor authentication (2FA/MFA)

    Multi-factor authentication adds an extra layer of security to your accounts. 

    Even if someone learns your password, MFA can make it much harder for them to gain access. 

    Prioritise enabling MFA on: 

    • Email accounts
    • Banking services
    • Social media accounts
    • Work accounts 

    Use two-factor authentication to protect your accounts

  • Be alert for scams

    Scammers may use exposed information to make their scams more convincing. 

    Be cautious of unexpected emails, text messages, or phone calls claiming to help you through the data breach. This is referred to as a recovery room scam.

    Protect yourself from recovery room scams