26 million stolen passwords found online — see if you're affected

About 1.2 terabytes of data stolen from 3.2 million infected Windows PCs was found online by researchers, Lithuanian privacy-service-provider NordLocker said in a blog post and report yesterday (June 9).

The data contained 26 million sets of login credentials (email addresses and passwords) for Amazon, Apple, eBay, Facebook, Google, Instagram, Netflix, PayPal, Roblox, Steam, Twitch, Twitter and other widely used services.

There were 1.1 million unique email addresses in these stolen credentials, and you can go to HaveIBeenPwned.com to see if your email address is among them.

There were also 2 billion session cookies, strings of data that live in your browser and keep you logged into online services for weeks or months at a time, even if your computer is rebooted. 

About 22 percent of the session cookies were still valid, meaning that anyone could have used them to break into online accounts and read email, play games, make Facebook posts or check the amount of money in bank accounts.

"Even though hackers won't be able to empty your bank account with the cookies stolen from your online banking session, they can learn your bank's name and timestamps of your transactions," said Oliver Noble, a security expert with NordLocker.

The cloud-storage provider hosting the stolen data was notified of the database's contents, and the data has been taken offline.

Beware the browser password manager

Much of the data was stolen from web browsers that saved users' passwords. While it may be convenient to let your browser save your passwords and then automatically fill them in when necessary, it's safer to use one of the best password managers because it can't be hacked as easily as a browser.

"This piece of data should be very alarming to people who use the autofill feature in their browser," Noble said. "Although this functionality is very convenient and saves time, it comes with great security risks as it's not malware-proof."

The data appears to have been stolen by an unnamed Trojan that was embedded in "cracked" versions of Photoshop and games available online. Once on a PC, the malware pilfered browser data, searched the users' Downloads and Documents folders, took screenshots and even used a PC's webcam, if there was one, to take pictures of the user.

About 1 million images, 3 million text files (many of them system logs) and 650,000 Word and PDF files were also part of the haul, NordLocker said. Each infected PC was assigned a unique ID so that the stolen data could be better sorted and catalogued.

Judging by the screenshots, the researchers — NordLocker wouldn't say who they work for — figured the information-stealing campaign was active between 2018 and 2020.

To make sure you don't fall victim to this kind of attack, use some of the best Windows 10 antivirus software to stop malware before it can infect your PC. Don't download cracked software or product-license key generators.

Log out of Facebook, Gmail, Twitter and other services every few weeks to clear your session cookies and start afresh. And, as mentioned above, use a stand-alone password manager rather than your browser to save your passwords.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.