Share
DATA BREACH SCAMS

The 24-billion-record breach "check if you are affected" text is the scam

A real data dump made headlines this month. The "click here to see if your data leaked" message that followed it is phishing built on top of the news.

SafeBrowz Threat Research Security ResearchJune 18, 20269 min read

Story in three sentences

Verdict: scam. A real ~24-billion-record credential dump was reported by Cybernews on June 12, 2026, and scammers immediately started sending texts and emails saying "your data was exposed, check if you are affected" with a link to a fake breach checker or a fake login or password-reset page. Those pages exist only to harvest the username and password you type, which is doubly dangerous here because this leak maps stolen credentials to the exact sites they unlock. Never check your breach status or reset a password through a link in a message: check only at the real haveibeenpwned.com that you type yourself, then change passwords by going to each site directly and turn on 2FA or a passkey.

What actually happened, and what the scammers are exploiting

On June 12, 2026, Cybernews reported the discovery of one of the largest credential collections ever assembled: roughly 24 billion login records sitting in exposed datasets, much of it pulled together from infostealer malware logs and earlier breaches rather than a single fresh hack of one company. Security press including Malwarebytes covered the same finding that week, with practical guidance under the headline "24 billion stolen records exposed online. Here's what to do."

The number is real, and the underlying risk is real. The dangerous part for ordinary people is not the headline though. It is what comes next. Within hours of a breach making the news, criminals send out a wave of "breach notification" texts and emails. They are betting that the headline scared you, that you now want to know whether you are affected, and that you will tap whatever link promises to tell you. The breach is the bait. The link is the trap.

This particular leak makes the lures more convincing than usual. Infostealer logs do not just list emails and passwords in a vacuum. They record the exact site each credential was captured on, so a record reads as your email, your password, and the login page it belongs to, all together. That mapping fuels precise, targeted credential stuffing and lets a scammer craft a message that names a real service you actually use. A generic "you have been breached" note is easy to ignore. A note that says "your password for your bank login was found in the leak" lands much harder, even when it is a guess.

What the scam message looks like

The wording rotates, but the structure is stable: a scary headline reference, a personal-sounding claim, and a single link with a countdown. A few real-world patterns:

  • "Security Alert: your email was found in the 24-billion-record data breach. Check which of your accounts are exposed now: [link]"
  • "We detected your password in a recent leak affecting 24 billion records. Reset it within 24 hours to avoid account lockout: [link]"
  • "[Bank / email provider] notice: your login appeared in the breach dump. Verify your identity to secure your account: [link]"

The link goes to one of two destinations. The first is a fake "breach checker" that asks you to enter your email and password "to scan the database," which is simply a credential-harvesting form wearing a security costume. A real breach checker never needs your password to tell you if your email appeared in a leak. The second is a fake login or password-reset page that imitates a brand you use, captures whatever you type, and often forwards you to the real site afterward so nothing feels wrong. Either way, you have just handed your working credentials straight to the people who will use them.

What the fake links look like (illustrative)

The destinations are engineered to look official at a glance and to load fast on a phone. They lean on free hosting platforms that hand out a trustworthy-looking subdomain to anyone for free, with no relationship to the brand being imitated. The examples below are illustrative lookalikes built on free hosting, of the kind these waves use. Tap or press one to run it through the live checker below:

  • breach-check-2026.vercel.app
  • databreach-lookup.pages.dev
  • secure-passwordreset.netlify.app

Notice the trap. A subdomain on vercel.app, pages.dev, or netlify.app is not a verified company. Those are developer hosting platforms, and anyone can publish anything on a free subdomain there in minutes, including a pixel-perfect clone of a login page. The real breach-lookup tool the security community uses is haveibeenpwned.com, run by security researcher Troy Hunt, and it lives at its own root domain. It will never message you out of the blue, and it never asks for your password.

๐Ÿ›ก LIVE CHECK

Paste a "breach checker" or "reset your password" link here first

Got a text or email about the data breach? Paste the link below before you tap it. Our 3-layer engine (Local + APIs + AI) returns a verdict in about 3 seconds. Free, no signup.

Full scan with deep AI analysis โ†’ ยท No URL is logged to your identity.

Red flags that give it away every time

You do not need to know whether you were in this leak to spot the scam around it. The tells are structural.

  • It came to you. A legitimate breach check is something you go and do, on a site you typed yourself. A breach notice that arrives unsolicited by text or email and pushes you to a link is the scam pattern, not the safety pattern.
  • It asks for your password. No real breach checker needs your password to tell you if your email was in a leak. The moment a "checker" wants a password, it is a harvesting form. This single tell is conclusive.
  • There is a countdown. "Within 24 hours," "before your account is locked," "act now." Real security guidance tells you to change passwords promptly, never to race a timer on a stranger's link. Urgency is the lever.
  • The link is not the brand's real domain. A login or reset page hosted on a free vercel.app, pages.dev, netlify.app, web.app, or github.io subdomain is not your bank, your email provider, or any breach service. The real domain is the part right before the first single slash after https://; everything else is dressing.
  • It names a service to feel personal. Because infostealer data maps credentials to sites, a message may reference a real service you use. That specificity is a tactic, not proof. The data could equally be guessed or scraped.
  • It rushes you past verification. The message wants you to click and type before you stop to type the address yourself. Slowing down defeats the entire attack.

The one safe way to check if you are affected

There is a correct answer to "how do I know if my data leaked," and it never involves a link someone sent you.

  1. Open a new tab and type haveibeenpwned.com yourself. Enter only your email address. The site tells you which known breaches your address appeared in. It does not ask for a password, ever. If a "breach checker" asks for one, you are not on the real site.
  2. Change passwords by going to each site directly. Do not use a reset link from a message. Open your bank, email, or other account by typing its address or using a saved bookmark, then change the password from inside the account. Reuse is the real danger: if the leaked password was reused anywhere, every site sharing it is exposed.
  3. Use a unique password per site, ideally from a password manager. A manager generates and stores a different strong password for every account, so one leak cannot unlock the next account.
  4. Turn on 2FA, and prefer a passkey or an authenticator app over SMS. Even if your password is in the dump, a second factor stops the login. Passkeys and app-based codes resist phishing far better than text-message codes. Our guide to why authenticator-app 2FA beats SMS covers the upgrade.

Why this wave is more dangerous than a normal phishing text

Most phishing leans entirely on emotion. This wave gets to lean on a real, verifiable news story, which makes the bait far stickier. When you can confirm the breach is real with a five-second search, the follow-on message borrows that credibility, and your guard drops at exactly the moment it should go up.

The credential mapping compounds it. Because the underlying data ties each stolen password to the specific login page it unlocks, the criminals running this are not guessing blindly. They can run automated credential stuffing against the real sites, and they can write lures that reference services you genuinely use. That is why the right defensive instinct is not "is the breach real" (it is) but "did this specific message reach me, and is the link real" (almost always no). The breach being real does not make the text real.

How this fits the broader breach-notification scam pattern

Fake breach notices are a recurring genre, not a one-off. Every time a large leak hits the news, a matching scam wave follows within hours, because the news does the scammer's persuasion for them. The brand on the lure changes (a retailer, a telecom, a bank, a "national database"), but the mechanic is identical: a scary headline reference, a personal-sounding claim, and a single link to a page that harvests what you type. Recognizing the shape means you are protected against the next one too, whatever breach it rides on. If you are unsure whether any given site is genuine, our walkthrough on how to tell if a website is a scam gives you a repeatable check.

What SafeBrowz sees on the network

When the SafeBrowz engine examines a fake breach-checker or reset page from this wave, the attack structure is consistent enough to read across all three detection layers.

First, the host is almost always free hosting or a brand-new domain. The destination is typically a free subdomain (vercel.app, pages.dev, netlify.app, github.io) or a domain registered within the last few days. No real bank, email provider, or established breach service publishes its login on a free developer subdomain, so the free-host signal alone flags a large share before any content loads.

Second, the page is a credential form wearing a security costume. A "scan the breach database" or "verify your identity" headline served alongside a username-and-password form, on a non-brand host, is a textbook harvesting profile. A real breach lookup asks for an email only and never a password, so a password field on a "checker" is itself the signal.

Third, the page behaves like a clone. It often imitates a known brand's login styling, renders the form before any readable "official" text, and forwards you to the real site after submission to hide that anything happened. Content-level analysis catches the brand impersonation even when the domain is brand new and absent from every blocklist.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

  • Layer 1 - Local detection: 60+ URL patterns + 550+ brand-specific signatures (including Cyrillic and Punycode homograph variants) + community whitelist/blacklist, all running directly in the extension before the page renders. It catches brand-login keywords on free-hosting and non-brand hosts, cheap-TLD abuse, and "reset-password" redirect families instantly.
  • Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, plus domain-age lookup (most breach-lure destinations are less than 30 days old) and 30+ scam TLDs.
  • Layer 3 - AI deep scan: content-aware brand-impersonation analysis in 100+ languages catches a brand-new lookalike login or fake breach checker that no blocklist has seen yet.

Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

For people who do not want to install anything, the same engine powers the free public URL checker. Paste any breach-checker or reset link from a suspicious message and get a verdict in seconds.

What to do right now

If a "your data leaked, check if affected" message just landed, here is the whole correct response.

  1. Do not tap the link. Not even to "just look." The page is the entire attack surface.
  2. Check the real way. Open a new tab, type haveibeenpwned.com yourself, and enter only your email. No password, ever.
  3. Change reused passwords from inside each account. Go to the site directly, not through any link in the message. Give each account a unique password.
  4. Turn on 2FA, prefer a passkey or authenticator app. A second factor stops a login even when the password is leaked.
  5. Report it. File with the FTC at reportfraud.ftc.gov and with the FBI's Internet Crime Complaint Center at ic3.gov. Forward smishing texts to 7726 (SPAM). Then delete the message.

If you already entered a password on a fake checker or reset page, treat that password as compromised. Change it immediately on the real site and anywhere you reused it, turn on 2FA, and watch for unfamiliar logins. If you entered card or banking details, call your bank using the number on the back of your card and freeze the card in your banking app. Our full "I got scammed, what do I do now" walkthrough covers the first-hour playbook in detail.

Frequently asked questions

Is the 24-billion-record data breach real?

The breach finding is real. Cybernews reported on June 12, 2026 that roughly 24 billion login records were found exposed, much of it aggregated from infostealer malware logs and prior breaches rather than a single new hack. What is not real is the wave of texts and emails saying "click here to check if you are affected." Those messages are phishing built on top of the genuine news.

How do I safely check if my data was leaked?

Open a new browser tab, type haveibeenpwned.com yourself, and enter only your email address. The site tells you which known breaches your email appeared in and never asks for your password. Do not use any breach checker that a text or email links you to, and never enter a password into a "checker."

The text named a service I actually use. Doesn't that prove it is real?

No. This leak maps stolen credentials to the exact sites they were captured on, so scammers can reference a real service to sound convincing, and they also simply guess common services. Specificity is a tactic, not proof. Verify only by typing the site's address yourself, never through the link in the message.

Should I reset my password using the link in the breach email?

No. A reset link in an unsolicited message often leads to a fake login page that captures whatever you type. Change passwords by going to each site directly, typing the address or using a saved bookmark, and resetting from inside your account. Use a unique password per site and turn on 2FA.

What is the difference between a fake breach checker and the real one?

The real lookup at haveibeenpwned.com asks for your email only and lives at its own root domain. A fake checker asks for your email and your password "to scan the database," and is usually hosted on a free subdomain like vercel.app, pages.dev, or netlify.app. A password field on a breach checker is the giveaway: the real one never needs it.

I already typed my password into one of these pages. What now?

Treat that password as compromised. Change it immediately on the real site and on every other site where you reused it, then turn on 2FA, ideally a passkey or an authenticator app. Watch for unfamiliar login alerts. If you also entered card details, call your bank using the number on your card and freeze the card in your banking app.

How do I report a fake breach notification?

Forward smishing texts to 7726 (SPAM) to flag them with your carrier. File a report with the FTC at reportfraud.ftc.gov and with the FBI's Internet Crime Complaint Center at ic3.gov, including the sender, the link, and a screenshot. Then delete the message.

Install SafeBrowz free

Add the browser extension that runs every check in this article automatically, on every page, before it renders. Free forever.

Chrome Add to Chrome Firefox Add to Firefox Edge Add to Edge

Related reading