16 Billion Passwords Leaked in 2026: What to Do Now

In short: In mid-2026, researchers found tens of billions of stolen logins and passwords sitting in the open — mostly infostealer malware logs and old breaches bundled together. This is not one new hack but an aggregation of previously stolen data. Check whether your email appears in known leaks, change passwords on your important accounts, and turn on two-factor authentication.

What actually happened

In June 2026, Cybernews researchers reported an exposed database of roughly 24 billion records totalling 8.3 TB. Earlier the same month, reports described a compilation of 16 billion credentials — different slices of the same wave of leaked logins. The data was assembled from at least 36 sources: Telegram channels, past breaches and, above all, infostealer logs — malware that steals data straight from the browsers of infected devices.

The key point: this is not a fresh hack of a single company but an aggregation of previously stolen data. The database was taken offline after discovery, but copies of such collections keep circulating on criminal marketplaces. We break down how network privacy works on our blog.

Why it is dangerous even if the data is old

Many passwords in these dumps are stored in plain text. If you have reused the same password across sites for years, an attacker only has to feed each email-and-password pair into hundreds of services automatically — this is called credential stuffing. One old password unlocks every account where it repeats.

Infostealer logs are worse than plain password lists: alongside logins they hold active session cookies and tokens that can sometimes let an attacker sign in while bypassing two-factor authentication, plus autofill data and a device fingerprint. So even with 2FA enabled, you still need to change passwords and end stray sessions.

Where these databases come from: infostealers

An infostealer is malware that lands on a device disguised as a cracked game, pirated software, a fake update or an email attachment. Once inside, within seconds it dumps saved browser passwords, cookies, autofill history and sometimes crypto-wallet data, then ships it all to the operator. Those logs are later merged, resold and eventually leaked into mega-databases like this one.

The takeaway: the leak does not happen on the website side but on your device. So protection starts with device hygiene, not only with how secure a given service is.

How do I check if my data leaked?

Enter your email address on Have I Been Pwned — it shows which known breaches your address appears in, and data from this wave has already been added there. If your email is found, treat every password you may have used with it as compromised, and change the email password first — it is the account others are recovered through.

How to protect yourself, step by step

A unique password for every site. A password manager creates and stores long random passwords so that one leaked service does not drag the rest down with it.

Two-factor authentication everywhere. Prefer an authenticator app or a hardware key over SMS. It stops most automated credential-stuffing attempts.

Keep the device clean. Do not install pirated software or cracks, do not open attachments from strangers, and keep your system and browser updated — that is exactly how infostealers get in.

Shrink your tracking surface. A VPN helps here: it encrypts your traffic on untrusted networks so logins cannot be intercepted in transit, and hides your real IP from sites and your provider. To be honest, a VPN will not remove malware from your device or replace a password manager, but it covers the network half of the problem. See how we do it on the features page.

Sources

This report is based on coverage by Cybernews (24 billion credentials), Cybernews (16 billion passwords) and Malwarebytes from June 2026.