Back to blog

Small Business Password Leaks in 2026: What the June HIBP Stealer Logs Mean for Your Team

56 million emails and 124 million passwords hit Have I Been Pwned in June 2026. What infostealer malware means for small business owners, and what to do.

On 15 June 2026, Troy Hunt added a new entry to Have I Been Pwned called "June 2026 Stealer Logs". The corpus contained 56.3 million unique email addresses and 124 million unique passwords. No company was breached. No vendor sent a notification. The credentials came off individual laptops and phones, one infected device at a time, and they were bundled together on Telegram and criminal forums before Troy pulled them into HIBP.

If you run a small business, this is the kind of headline that's easy to skim past. It doesn't name your industry. It doesn't warn you about a specific attacker. It just quietly adds another 124 million passwords to the pile, and roughly 86 percent of the emails were already in HIBP from earlier incidents. So it's tempting to assume nothing new is happening here.

But this dump is different from the corporate breaches you're used to reading about. It's not one company losing a database. It's the ongoing, industrial output of infostealer malware, and if any of your team have been quietly infected in the last twelve months, some of their saved passwords are in that file. This post walks through what actually happened, what stealer logs are, why they matter more for a five-person business than a Fortune 500, and what to do this week.

What Actually Happened in June 2026

Have I Been Pwned is the free service Troy Hunt built to help people check whether their email address has appeared in a known data breach. It has run for over a decade now and powers the "breached password" warnings you see in browsers, password managers, and enterprise identity tools.

On 15 June 2026, Hunt added the "June 2026 Stealer Logs" entry. The details, straight from the HIBP breach page:

  • 56,278,397 unique email addresses.
  • 124 million unique passwords added to Pwned Passwords.
  • Sourced from "hundreds of millions" of stealer log records, aggregated from Telegram channels and criminal forums.
  • Roughly 86 percent of the email addresses were already in HIBP from earlier breaches.

Two weeks later, on 28 June 2026, Hunt added a separate 2.69 million records from the Sysco breach after attackers followed through on their ransom deadline.

Neither entry involves a small business being breached directly. But the June stealer logs are the ones every owner should care about, because they didn't come from a company at all. They came from people's devices.

What Stealer Logs Are, and Why They Are Different From a Regular Breach

When a big-name company gets breached, the story is easy to tell. Attackers get into a database, they exfiltrate customer records, the company files a notification, and everyone affected gets an email that says "your data may have been involved". You know who lost your data. You know roughly what fields were in there. You can go change the password on that one service.

Stealer logs are the opposite of that story. They come from infostealer malware, small silent programs that sit on infected laptops and phones and quietly harvest whatever they can reach. That includes:

  • Every saved password in the browser.
  • Session cookies for services the user is already logged in to.
  • Cryptocurrency wallet files.
  • Autofill data (addresses, credit cards, phone numbers).
  • Recent browsing history and downloads.

The infection usually starts with something mundane. A staff member downloads what they think is a PDF reader, a cracked copy of a design tool, or a "free" font pack. They click through a fake browser update on a compromised website. They open an invoice attachment from a supplier that's already been hijacked. The malware installs quietly, grabs everything it can reach, sends it back to the operator, and often deletes itself.

The operator then sells or trades the log. It gets aggregated with other logs, repackaged, sold again, and eventually leaked into public channels. Months or years later, a slice of it turns up on HIBP.

Two things follow from this that matter for a small business owner.

First, the credentials are not tied to a single service. A regular data breach exposes your login for one company. An infostealer log exposes every password the user had saved in Chrome. That could be the accountant's Xero login, the owner's Microsoft 365 password, the office manager's Squarespace login, a personal banking password, a Shopify admin, and the family Netflix account, all in the same file.

Second, the log includes session cookies. This is the part most owners do not realise. A session cookie is the thing that keeps you logged in to a website after you have entered your password and completed MFA. If an attacker steals a valid session cookie for your Microsoft 365 account, they can log in as you without a password and without triggering an MFA prompt. Some cookies expire in an hour. Some last for weeks.

Why This Matters More for Small Businesses, Not Less

A 200-person company has a security team that watches for unusual sign-ins, revokes stale sessions, and rotates credentials on a schedule. A five-person marketing agency has none of that. The owner is also the IT lead, the finance lead, and the sales lead. When a staff member's home laptop gets infected, no one notices.

The math also works against small businesses in three ways.

One person is a bigger share of the surface. In a business of five, one compromised laptop is 20 percent of your entire environment. Whatever that person had access to (payment systems, email, the CRM, cloud storage, the domain registrar) is now potentially exposed.

Personal and business passwords blur. Small business owners and their teams reuse passwords across personal and work accounts far more often than corporate staff. So a personal Netflix password compromise can become a Microsoft 365 compromise, which can become a Xero compromise. Infostealer logs capture both worlds in the same file.

Detection is harder. A large company can cross-reference a HIBP alert against its employee directory and force password resets automatically. A five-person shop has to do that manually, if they think to check at all.

The Verizon 2026 Data Breach Investigations Report is worth quoting here. Credential abuse now shows up in 39 percent of breaches across the full attack chain, even though it dropped to 13 percent as the single initial access vector (down from 22 percent the year before) as attackers moved more toward exploited vulnerabilities. In plain English: stolen passwords are still one of the most common ways attackers land inside a business, they are just showing up a step or two into the attack instead of at the front door. Infostealer logs are the largest single feeder for those credentials, and it is the same pattern behind the breaches that hit one in four small businesses last year: a credential leaks, nobody notices, and the attacker walks in later.

What MFA Actually Stops, and What It Does Not

Multi-factor authentication is still one of the best controls you can have. It should be on every business account, without exception. But the credential leak story is a good reminder of what MFA does and does not do.

MFA stops an attacker who has your password but does not have your device or your token. Standard credential-stuffing (attackers trying stolen passwords across many sites) usually fails against MFA because the second factor is missing.

MFA does not stop:

  • Session cookie theft. The cookie was created after you passed MFA. An attacker replaying that cookie does not need to pass MFA again.
  • Real-time phishing kits. Tools like Evilginx and Tycoon 2FA sit in the middle between the user and the real login page, capture the password, capture the MFA code, and capture the resulting session cookie. The user thinks they logged in fine.
  • MFA fatigue and voice phishing. Attackers spam push notifications until the user approves one by accident, or call the user and impersonate IT to get them to read out a code.

Session cookies and phishing kits are what infostealer campaigns and adversary-in-the-middle attackers actually use in 2026. So MFA remains necessary, but it is not sufficient. You also need to be looking for signs the underlying credentials are already out there.

What To Do This Week

Not next quarter. This week.

Check your team's emails against HIBP. Go to haveibeenpwned.com and enter every work email in your business, including generic addresses like info@, accounts@, and admin@. The site will show you which breaches each address appears in. Pay particular attention to any entry labelled "Stealer Logs" or "Combolist", because those signal device-level infections rather than a specific company breach.

Force password resets on any Microsoft 365 or Google Workspace accounts that show up in stealer logs. Even if you do not know exactly which service leaked, assume the browser-saved credentials are compromised. Rotate the passwords, and while you are in there, revoke active sessions so any stolen cookies stop working. In Microsoft 365 that is under Users, then Sign in and security. In Google Workspace it is under the user's Security tab, then Sign out from all sessions. It is the same discipline that makes employee offboarding actually stick: access is only gone when the sessions are gone.

Turn on Pwned Passwords in your password manager. 1Password, Bitwarden, and Dashlane all support a Watchtower or Vault Health feature that checks your saved passwords against HIBP's Pwned Passwords list. If a password matches, you get a warning and can rotate it. This works because HIBP publishes the hashes for all 124 million passwords, so the check runs locally without sending your passwords anywhere.

Deploy a real endpoint tool on every work device. Windows Defender or the built-in macOS protection is a floor, not a ceiling. Managed endpoint detection tools (Microsoft Defender for Business, SentinelOne, CrowdStrike Falcon Go, or Sophos Intercept X) will catch most current infostealer families before they finish stealing. Even a basic Defender for Business seat is meaningfully better than nothing. Pair it with a regular patching rhythm so the malware cannot get in through a hole that was fixed months ago.

Tighten your browser policy. Set the browser to require sign-in for password autofill, block third-party extensions unless they are on an approved list, and turn on Enhanced Safe Browsing in Chrome or the equivalent in Edge. Most infostealer campaigns lean on drive-by downloads and rogue extensions, and these settings shut down the easy paths. Unvetted extensions are the same problem as shadow AI: tools your team adds with good intentions that quietly get access to everything.

Put a policy in writing for personal devices. If your team uses their own laptops or phones for work email, either move them to managed devices or require a password manager, MFA, and endpoint protection on the personal device before it touches business data. This is not a corporate policy exercise. It is simple risk math for a business where one household laptop can burn the whole company.

Getting Ongoing Visibility Over Credential Exposure

The steps above are the immediate work. The harder question is how you keep track of this month after month, so you are not doing an emergency check every time a new HIBP entry lands in the news.

Most small businesses either do not track credential exposure at all, or they track it in a spreadsheet that goes stale within a fortnight. Neither is good enough when new stealer logs are added to HIBP every month and Microsoft 365 sessions can live for weeks.

Vera is the dashboard we built for exactly this problem. It pulls in your team, checks every work email against HIBP, and flags any address that appears in a breach (including stealer logs) with the breach name, date, and severity. So instead of running through email addresses one by one every time a new entry lands, you see it on your dashboard the same day, next to the person it affects and the accounts you would need to rotate.

Vera also tracks your team directory, your hardware assets, and your software licences alongside the breach data. So when an alert lands, you already know who the person is, what they have access to, and what device they use. That is the piece most owners miss when they check HIBP once a year and forget about it.

The important thing is that someone at your business is checking, this week, and has a way to keep checking. If you are not sure where your setup stands overall, the free IT health checkup takes about five minutes and covers breach exposure alongside devices, software, and team access. The June 2026 stealer logs will not be the last. There will be another one in July, and another in August. The credentials that get harvested from your team's browsers today will show up on HIBP a year from now, if they have not already.

Get visibility over your credential exposure now, and you are ahead of nearly every small business in the country. If you want to see what that looks like on a dashboard instead of a spreadsheet, take a look at verait.io.