The Best First Steps After a Massive Password Leak
A 24-billion-record leak sounds apocalyptic, but your response is small and calm. A non-technical home-user checklist: check your email, fix reused passwords, turn on 2FA, scan devices.

Table of contents
- Where this data comes from (and why it changes the fix)
- Step 1 — Check whether your email shows up in known breaches
- Step 2 — Fix the dangerous part first: reused passwords
- Step 3 — Turn on two-factor authentication (2FA) where it counts
- Step 4 — Use a password manager so unique passwords are actually feasible
- Step 5 — Because it's infostealer data, scan your devices
- What you can safely ignore
- FAQ
- Bottom line
- Sources and further reading
In June 2026, researchers at Cybernews reported finding an unprotected database holding roughly 24 billion records — usernames, email addresses, plaintext passwords, and the login URLs they belonged to — across about 8.3 terabytes of data. Headlines called it another "mother of all breaches." If you saw the coverage and felt a jolt of panic, that's the wrong reaction. Panic doesn't fix anything; a 30-minute checklist does. Here's the calm, non-technical version of what to actually do.
First, an honest framing: a leak this size does not mean you specifically are in it. These mega-dumps are compilations stitched together from dozens of older breaches and malware logs, with heavy duplication, and the database in question was reportedly taken offline. Nobody can tell you for certain whether your particular password is in there. What's true is more useful: if you reuse passwords, some of your credentials have very likely leaked at some point — so the smart move is to act as if a few have, and close the easy doors. These steps help whether or not you're in this specific dataset.
Where this data comes from (and why it changes the fix)
Cybernews and Malwarebytes both noted that the bulk of this dump came from infostealer malware logs — not a single company being hacked, but credentials silently harvested from millions of individual infected devices and aggregated from sources like Telegram channels. That detail matters for your response: an infostealer steals passwords saved in your browser, session cookies, and autofill data straight off your own machine. So changing passwords isn't enough if the device doing the typing is compromised. The checklist below addresses both.
Step 1 — Check whether your email shows up in known breaches
Go to Have I Been Pwned (haveibeenpwned.com), a free, well-regarded service run by security researcher Troy Hunt, and enter your email address. It tells you which known breaches your address has appeared in. It won't reflect every private dump, but it's the fastest way to see your exposure and which accounts to prioritize. Do this for each email address you use.
Step 2 — Fix the dangerous part first: reused passwords
The single biggest risk from any leak is password reuse. Attackers take a leaked email-and-password pair and try it on dozens of other sites automatically — a technique called credential stuffing. One reused password can unlock your email, then your email can reset everything else.
Prioritize in this order:
- Your primary email account — it's the master key that resets all the others.
- Banking and anything with stored payment — bank, PayPal, shopping sites.
- Accounts you've reused a password on — be honest about which those are.
For each, set a new, unique password you've never used elsewhere. Length beats complexity: a long passphrase of a few unrelated words is both stronger and easier than P@ssw0rd!.
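As an added illustration (not code from the article or from any password manager), here is a small Python audit that reads a constructed password-manager export, flags reused passwords, and produces the fix order Step 2 recommends; the site names, the "primary email" label and the money-site list are assumptions.

```python
# Added example: audit saved logins for reuse and order the fixes the way
# Step 2 recommends (primary email first, then money, then anything reused).
from collections import defaultdict

# Constructed sample data, not real credentials, shaped like a manager export.
SAVED_LOGINS = [
    {"site": "mail.example", "username": "alex@mail.example", "password": "pelican orbit quartz lamp"},
    {"site": "bank.example", "username": "alex", "password": "Summer2019!"},
    {"site": "shop.example", "username": "alex@mail.example", "password": "Summer2019!"},
    {"site": "forum.example", "username": "alex_k", "password": "Summer2019!"},
    {"site": "social.example", "username": "alex_k", "password": "correct horse battery staple"},
]

PRIMARY_EMAIL = "mail.example"               # assumption: the account that resets the others
MONEY_SITES = {"bank.example", "shop.example"}  # assumption: banking and stored-payment sites


def find_reused(logins):
    """Map each password used on more than one site to the sites sharing it."""
    by_password = defaultdict(list)
    for entry in logins:
        by_password[entry["password"]].append(entry["site"])
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def priority(site, reused_sites):
    """Lower number = fix sooner: email, then money, then reused, then the rest."""
    if site == PRIMARY_EMAIL:
        return 0
    if site in MONEY_SITES:
        return 1
    if site in reused_sites:
        return 2
    return 3


def fix_order(logins):
    """Sites whose password should be replaced, in the article's priority order.
    Email and money accounts are always included (act as if they leaked);
    other accounts are included only when their password is reused."""
    reused_sites = {s for sites in find_reused(logins).values() for s in sites}
    candidates = reused_sites | {PRIMARY_EMAIL} | MONEY_SITES
    present = {e["site"] for e in logins}
    return sorted(candidates & present, key=lambda s: (priority(s, reused_sites), s))


if __name__ == "__main__":
    for pw, sites in find_reused(SAVED_LOGINS).items():
        print(f"reused on {len(sites)} sites: {', '.join(sites)}")
    print("fix in this order:", fix_order(SAVED_LOGINS))
```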
Step 3 — Turn on two-factor authentication (2FA) where it counts
Two-factor authentication means a leaked password alone isn't enough — a thief also needs a second code. Enable it at minimum on your email, bank, and main social accounts. Where you can choose, prefer an authenticator app (or a hardware key) over SMS codes; SMS is better than nothing but can be intercepted via SIM-swap attacks. As Malwarebytes put it, MFA "can help protect accounts even if a password has been exposed."
Step 4 — Use a password manager so unique passwords are actually feasible
Nobody can remember 80 unique passwords — which is exactly why people reuse them. A password manager (such as Bitwarden, 1Password, or the manager built into your browser or phone) generates and stores a different strong password per site, and many will flag which of your saved passwords are reused or known-breached. Setting one up is the move that makes Steps 2 and 3 sustainable instead of a one-time scramble.
If you want a longer-term option, passkeys — a phishing-resistant login that replaces the password with a cryptographic key tied to your device — are now supported by Google, Apple, Microsoft and a growing list of sites. Adopt them where offered; they sidestep the whole leaked-password problem.
Step 5 — Because it's infostealer data, scan your devices
Since this dump was largely harvested by malware, do one thing password changes alone won't: run a reputable malware scan on your computer and phone, and remove anything suspicious. If a device is still infected, a thief can simply re-steal the new password you just set. Also clear saved passwords from a browser you no longer trust, and be wary of the delivery methods these infostealers use — pirated software, fake "download" buttons, sketchy browser extensions, and phishing attachments.
What you can safely ignore
- You don't need to change every password you own. Focus on email, money, and reused ones. Chasing all 200 accounts in a panic leads to giving up halfway.
- Don't pay for a "remove my data from the leak" service. Once data is compiled, it can't be recalled; your leverage is on your accounts, not the dump.
- Ignore urgent "your account was in the breach, click here" emails. Breach news is prime phishing bait. Go to sites directly by typing the address, never via a link in an alarming email.
FAQ
How do I know if I'm actually in this specific leak?
You generally can't confirm a specific private dump. Use Have I Been Pwned to see your known breach exposure, then act on reused passwords regardless — that protects you either way.
Is changing my password enough?
Not if the leak came from malware on your device, which this one largely did. Pair password changes with 2FA and a malware scan, or a still-infected device can leak the new password too.
Are password managers safe — isn't that putting all my eggs in one basket?
A reputable password manager encrypts your vault so only you can open it, and the alternative — reusing a handful of memorable passwords — is far riskier in practice. Protect it with a strong master password and 2FA.
Bottom line
A 24-billion-record headline sounds apocalyptic, but your response is small and boring: check your email on Have I Been Pwned, replace reused passwords starting with email and banking, switch on two-factor authentication, let a password manager carry the load, and scan your devices because this data came from malware. Do that once and you're better protected than the vast majority of people in any future leak — and there will be future leaks.
For more habits that quietly protect your accounts, see our roundup of common tech mistakes.
Sources and further reading
- Cybernews — 24 billion credentials exposed in data leak: cybernews.com
- Malwarebytes — 24 billion stolen records found, check if you're affected: malwarebytes.com
- Have I Been Pwned (Troy Hunt): haveibeenpwned.com
- FIDO Alliance — Passkeys: fidoalliance.org