Some links in this post are affiliate links. If you buy through them we may earn a small commission at no extra cost to you. See our affiliate disclosure for the details.
News that 24 billion passwords leaked online has been spreading fast this past week, and honestly it made me sit up. Researchers found a single exposed database holding roughly 24 billion stolen credential records, just sitting in one giant pile for anyone who knew where to look. That’s billions of usernames and passwords. If you’ve ever reused a password (and most of us have), this is worth ten minutes of your day.

Quick answer: A misconfigured server leaked about 24 billion login records, mostly stolen by password-stealing malware. Nobody hacked Google or Apple directly. To stay safe, change reused passwords, turn on two-factor authentication, and start using a password manager today.
What actually happened with the 24 billion passwords leaked
Here’s the short version. Security researchers at Cybernews spotted an open Elasticsearch cluster on June 12, 2026. It held more than 8 terabytes of data and around 24 billion records, including usernames, passwords, and the websites those logins belonged to. The server had no password and no firewall in front of it, so basically anyone who stumbled onto it could read the whole thing.
The data wasn’t one fresh hack. It was a giant compilation pulled from about 36 different sources, including old breach dumps, Telegram channels, and a huge volume of infostealer logs. Infostealers are a type of malware that quietly grabs the passwords saved in your browser and ships them off to whoever planted it. One detail that stuck with me: the cluster contained a news article from February 2026, which tells researchers the operator was still feeding it fresh stolen data right up until it was found.
You’ll see headlines bouncing between “16 billion” and “24 billion” because a couple of these mega-compilations have surfaced this year. The exact count matters less than the takeaway: there is an enormous, constantly growing pool of real login details out there, and a lot of it still works.
Why a credential leak like this is more dangerous than it sounds
You might think: my accounts weren’t named, so I’m fine. Not quite. The real threat here is credential stuffing. Attackers take those leaked email-and-password pairs and run automated bots that try them across banking sites, email providers, online stores, and social media, usually spreading the attempts across many source addresses so no single one trips a rate limit. They’re betting that you used the same password in more than one place.
And that bet pays off way too often. If your Netflix password is also your email password, one old leak can hand someone the keys to your inbox. From there they can reset your other logins and lock you out. Security teams are already warning that this leak will fuel a fresh wave of these automated login attacks. The hackers don’t need to be clever. They just need you to have repeated yourself.
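What credential stuffing looks like from the defender’s side, as an added example that is not part of the original post: a small detector run over constructed sign-in log lines. The log layout (timestamp, ip=, user=, result=) and the thresholds are this example’s own assumptions, not any product’s format or rule. It flags a source address that tries many different usernames in a short window with a high failure rate, and lists the accounts where a stuffed credential actually worked, since those are the ones to force-reset first. Per-IP counting is only the starting point; the distributed attacks mentioned above need the same statistics aggregated per target account or per ASN.

```python
"""Flag credential-stuffing bursts in sign-in logs (added example).

The log format and thresholds below are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (documentation IP ranges, made-up accounts).
# 203.0.113.7 sprays eight different accounts in a few seconds and one works;
# 198.51.100.9 is one user mistyping their own password; 192.0.2.44 is normal.
SAMPLE_LOG = """\
2026-06-14T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2026-06-14T10:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2026-06-14T10:00:02Z ip=203.0.113.7 user=carol@example.com result=FAIL
2026-06-14T10:00:03Z ip=203.0.113.7 user=dave@example.com result=OK
2026-06-14T10:00:03Z ip=203.0.113.7 user=erin@example.com result=FAIL
2026-06-14T10:00:04Z ip=203.0.113.7 user=frank@example.com result=FAIL
2026-06-14T10:00:05Z ip=203.0.113.7 user=grace@example.com result=FAIL
2026-06-14T10:00:06Z ip=203.0.113.7 user=heidi@example.com result=FAIL
2026-06-14T10:01:00Z ip=198.51.100.9 user=ivan@example.com result=FAIL
2026-06-14T10:01:07Z ip=198.51.100.9 user=ivan@example.com result=FAIL
2026-06-14T10:01:15Z ip=198.51.100.9 user=ivan@example.com result=OK
2026-06-14T10:02:00Z ip=192.0.2.44 user=judy@example.com result=OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, success)."""
    ts_str, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["ip"], kv["user"], kv["result"] == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5, min_fail_rate=0.7):
    """Return {ip: report} for source IPs whose traffic looks like stuffing.

    Heuristic (assumed thresholds, tune to your own traffic): within `window`
    one IP tries at least `min_users` distinct usernames and at least
    `min_fail_rate` of those attempts fail. Successful logins inside such a
    burst are stuffed credentials that worked and belong in `compromised`.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        end = 0
        for start in range(len(events)):
            # Slide the window forward: include every event within `window`
            # of the starting event.
            while end < len(events) and events[end][0] - events[start][0] <= window:
                end += 1
            burst = events[start:end]
            users = {user for _, user, _ in burst}
            failures = sum(1 for _, _, ok in burst if not ok)
            fail_rate = failures / len(burst)
            if len(users) >= min_users and fail_rate >= min_fail_rate:
                report = {
                    "attempts": len(burst),
                    "distinct_users": len(users),
                    "fail_rate": fail_rate,
                    "compromised": sorted(user for _, user, ok in burst if ok),
                }
                # Keep the largest burst seen for this IP.
                if ip not in flagged or report["attempts"] > flagged[ip]["attempts"]:
                    flagged[ip] = report
    return flagged


if __name__ == "__main__":
    for ip, report in detect_stuffing(SAMPLE_LOG).items():
        print(ip, report)
```

The benign fat-finger case (one account, three tries) and the normal login never reach the distinct-user threshold, which is what keeps this rule from paging on ordinary users.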
7 smart steps to protect yourself right now
None of this requires you to be a tech wizard. Work through the list and you’ll be in far better shape than most people by the time you finish your coffee.
1. Find out if your info is already out there
Start with Have I Been Pwned. Type in your email and it’ll show you which known breaches included your address. It’s free and it takes about thirty seconds. If your email shows up in a bunch of breaches, treat every password tied to it as compromised. The same site also has a Pwned Passwords lookup that checks a password itself against known dumps without ever receiving the full password: your browser sends only the first five characters of the password’s hash and does the matching locally.
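The Pwned Passwords check described in step 1, implemented as an added example (not code from the original post or from Have I Been Pwned). The range endpoint, the five-character SHA-1 prefix, and the `SUFFIX:COUNT` response lines are the service’s documented k-anonymity protocol; the response body embedded below is constructed for offline use, and its counts are made up, not real breach counts.

```python
"""Pwned Passwords k-anonymity lookup (added example).

Only the first 5 hex characters of SHA-1(password) leave the machine; the
service returns every suffix it knows for that prefix and matching happens
locally. The embedded response is constructed, with made-up counts.
"""
import hashlib
import urllib.request

# Constructed stand-in for GET https://api.pwnedpasswords.com/range/5BAA6.
# Real responses contain hundreds of lines; the counts here are invented.
# The ":0" line imitates a padding entry (sent when Add-Padding is requested).
CONSTRUCTED_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0D9A5C6F0E1A2B3C4D5E6F708192A3B4C5D:12
7F6E5D4C3B2A19080706050403020100FFE:0
"""


def sha1_upper(password):
    """Upper-case hex SHA-1 of the password, as the API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hexdigest):
    """Return (5-char prefix sent to the service, 35-char suffix kept local)."""
    return hexdigest[:5], hexdigest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, dropping padding."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:  # padding entries carry a count of 0 and are not real hits
            counts[suffix.upper()] = n
    return counts


def pwned_count(password, fetch_range):
    """How many times the password appears in known dumps (0 = not found).

    `fetch_range(prefix) -> str` is injected so the check can run offline.
    """
    prefix, suffix = split_hash(sha1_upper(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix):
    """Real network fetcher for production use (not called by the demo)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-hygiene-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    offline = lambda prefix: CONSTRUCTED_RANGE_5BAA6  # assumed stand-in fetcher
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw, offline))
```

Swap `offline` for `fetch_range_live` to query the real service; the only thing that crosses the wire is the five-character prefix, which matches roughly one in a million hashes.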
2. Kill your reused passwords
This is the big one. Make a short list of your most important accounts: primary email, bank, anything with your card saved, your main social profiles. Give each one a brand new, unique password. If you only do one thing from this whole list, do this for your email, because your email is the recovery point for everything else.
3. Let a password manager do the heavy lifting
Nobody can remember forty unique passwords, and you shouldn’t try. A good password manager generates long random passwords and fills them in for you, so the only thing you memorize is one strong master password. Most of the well-known ones use zero-knowledge encryption: your vault is encrypted on your own device with a key derived from your master password, and the company only ever stores ciphertext it cannot decrypt. That also means the protection is only as strong as the master password, so make it long and never reuse it anywhere. I switched years ago and honestly wish I’d done it sooner.
4. Turn on two-factor authentication everywhere it’s offered
Two-factor authentication (2FA) means a stolen password alone isn’t enough to get in. The attacker also needs a second code. App-based codes from something like Google Authenticator or Authy beat text-message codes, which can be intercepted or redirected with a SIM swap. One caveat: a fake login page can still relay an app code to the real site within the few seconds it stays valid, which is the gap step 5 closes. Switch on 2FA for your email and bank first, then work down the list.
5. Use a hardware security key for your most important accounts
If you want the strongest 2FA there is, a physical security key is hard to beat. It’s a little device that plugs into a USB port or taps against your phone over NFC, and a remote attacker simply can’t log in without it in hand. Phishing sites can’t trick it the way they can trick a typed code: the key signs a challenge that is bound to the real site’s domain, so a lookalike domain gets a response it cannot use. A FIDO2 hardware security key is one of the best upgrades you can make for your email and password manager. I keep one on my keychain and a backup in a drawer at home, because if you only own one and lose it, you’re locked out.
6. Start moving to passkeys
Passkeys are the newer, passwordless way to log in, and Apple, Google, and Microsoft all support them now. Instead of a password that can be leaked, your phone or laptop holds a private key and signs the site’s login challenge; your face or fingerprint only unlocks that key locally and never leaves the device. The signature is tied to the real site’s domain, so there’s nothing for an infostealer to grab and nothing to type into a fake site. Wherever a service offers a passkey, take it.
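Why the domain binding in steps 5 and 6 defeats phishing, as an added example that is not part of the original post or any FIDO library: the relying-party checks from a WebAuthn login, run against constructed client data. The `clientDataJSON` fields and the `authenticatorData` layout (32-byte SHA-256 of the RP ID, one flags byte, 4-byte counter) follow the WebAuthn specification; the relying-party class, challenge store and helper names are this example’s own. The final signature check over `authenticatorData || SHA-256(clientDataJSON)` needs an elliptic-curve library and is left out, as noted in the code.

```python
"""WebAuthn relying-party checks: origin binding and single-use challenges
(added example; signature verification omitted, see comment)."""
import base64
import hashlib
import json
import os
import struct


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class RelyingParty:
    """Minimal server side of a passkey / security-key login (assumed design)."""

    def __init__(self, rp_id, allowed_origins):
        self.rp_id = rp_id
        self.allowed_origins = set(allowed_origins)
        self.pending = set()  # challenges issued but not yet consumed

    def new_challenge(self):
        challenge = b64url(os.urandom(32))
        self.pending.add(challenge)
        return challenge

    def verify_assertion(self, client_data_json, auth_data):
        """Return (ok, reason). Checks the spec's steps up to the signature."""
        cd = json.loads(client_data_json)
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if cd.get("challenge") not in self.pending:
            return False, "unknown or replayed challenge"
        # The browser fills in the origin of the page that asked; a lookalike
        # domain cannot forge this field, so stolen responses are unusable.
        if cd.get("origin") not in self.allowed_origins:
            return False, f"origin {cd.get('origin')} not allowed"
        if len(auth_data) < 37:
            return False, "authenticator data too short"
        rp_id_hash, flags = auth_data[:32], auth_data[32]
        sign_count = struct.unpack(">I", auth_data[33:37])[0]
        if rp_id_hash != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash mismatch"
        if not flags & 0x01:
            return False, "user presence flag not set"
        # Omitted here: verify the signature over auth_data + SHA-256(client
        # data) with the public key stored at registration, and reject a
        # sign_count that did not increase (cloned authenticator).
        self.pending.discard(cd["challenge"])
        return True, f"ok, signCount={sign_count}"


def make_client_data(challenge, origin):
    """What the browser builds: the origin is the page the user is really on."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin, "crossOrigin": False}).encode()


def make_auth_data(rp_id, sign_count, flags=0x05):
    """What the authenticator emits: rpIdHash || flags (UP|UV) || counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    rp = RelyingParty("example.com", ["https://example.com"])
    c = rp.new_challenge()
    print(rp.verify_assertion(make_client_data(c, "https://example.com"), make_auth_data("example.com", 7)))
    # Same response replayed: the challenge was consumed.
    print(rp.verify_assertion(make_client_data(c, "https://example.com"), make_auth_data("example.com", 7)))
    # User lands on a lookalike domain: the browser reports that origin and the
    # authenticator would scope any credential to it, so nothing matches.
    c2 = rp.new_challenge()
    print(rp.verify_assertion(make_client_data(c2, "https://examp1e.com"), make_auth_data("examp1e.com", 1)))
```

In a real attack the phishing page never even gets this far: the browser asks the authenticator for a credential scoped to `examp1e.com`, and none exists. The checks above are what the real site enforces if a relayed response arrives anyway.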
7. Clean infostealers off your devices
Remember, a big chunk of this leak came from malware sitting on regular people’s computers. Run a full scan with reputable security software, be careful with “free” cracked software and sketchy browser extensions, and keep your operating system and browser updated. Infostealers also lift browser session cookies, which can let someone into an account without the password or 2FA code, so after the cleanup sign out of all sessions on your important accounts and set the new passwords from the clean device. A leaked password is bad. A device still actively stealing your new passwords is worse.
What you don’t need to panic about
One thing worth saying plainly: Google, Apple, and Facebook were not freshly hacked here, despite some scary headlines. This was a pile of old and stolen credentials sitting on a poorly secured server, not a break-in at any single company. So no, you don’t need to delete all your accounts or throw your phone in a lake. You just need to close the doors that reused passwords leave open. Do the seven steps above and a leak like this becomes mostly noise for you.
If you’re newer to all of this and want to understand how these attacks actually work, our starting in cybersecurity section breaks the basics down without the jargon. And you can always find our latest guides over at FutureCybers.
Frequently asked questions
Was my password definitely in the 24 billion leaked records?
There’s no way to know for certain from the leak itself, but the safest assumption is yes, or that it soon will be. Check your email on Have I Been Pwned, and if you’ve reused passwords anywhere, change them now rather than waiting for proof.
Do I really need to change every single password?
Start with the accounts that matter most: email, banking, and anything storing your payment details. After that, a password manager makes it easy to replace the rest over time. The urgent fix is any password you’ve used in more than one place.
Is a hardware security key worth it for a regular person?
For your most sensitive accounts, yes. It’s the strongest protection against phishing and remote account takeover, since a hacker can’t log in without the physical key. Buy two, register both, and keep one as a backup so you’re never locked out.
Are password managers safe if they get breached too?
Reputable password managers use zero-knowledge encryption, so your vault is scrambled with a key derived from a master password only you hold. Even if their servers were breached, attackers would get encrypted gibberish, and the only way in would be guessing your master password offline. That is why the master password needs to be long and unique; with one, a stolen vault stays far safer than reusing one password across dozens of sites.
FutureCybers is a participant in the Amazon Services LLC Associates Program. As an Amazon Associate we earn from qualifying purchases.
