Have I Been Pwned has processed the largest credential stuffing dataset in its history, containing 1,957,476,021 unique email addresses and 1.3 billion passwords—625 million of which have never been seen before. This is not a single data breach but an aggregation of credential stuffing lists compiled by cybercriminals from numerous breaches over many years. The data includes 394 million Gmail addresses (20% of the total), but this is not a Gmail-specific breach. Security expert Troy Hunt verified the authenticity by confirming with affected subscribers that many passwords in the dataset were actively in use, including simple 6-8 character passwords with predictable patterns. Users should immediately check if their credentials are exposed at HaveIBeenPwned.com, change compromised passwords, enable two-factor authentication on all accounts, and consider adopting passkeys for enhanced security.
Index
- Understanding the Scope of the Data Exposure
- The Origin of the Data and Synthient’s Role
- Data Verification: Real Passwords, Real Risks
- What Is Credential Stuffing and Why It Matters
- This Is NOT a Gmail Breach
- How to Check Your Exposure
- Steps to Protect Yourself Immediately
- The Technical Challenge Behind Processing 2 Billion Records
Understanding the Scope of the Data Exposure
The numbers are staggering and difficult to contextualize. Have I Been Pwned (HIBP), the widely trusted breach notification service operated by security researcher Troy Hunt, has just processed its largest dataset ever: 1,957,476,021 unique email addresses and 1.3 billion unique passwords. Of those passwords, 625 million had never been seen in any previous breach indexed by the service.
This represents nearly three times the size of the previous largest breach HIBP had loaded. The scale is unprecedented, yet the numbers themselves risk creating confusion and panic if misunderstood. Unlike a single catastrophic security failure at one company, this data represents an aggregation of credential stuffing lists that cybercriminals have compiled, traded, and weaponized over many years.
The corpus spans 32 million different email domains, demonstrating the truly global nature of credential theft. This isn’t a targeted attack on one service or region—it’s a comprehensive look at how extensively user credentials have been compromised across the digital ecosystem.
The Origin of the Data and Synthient’s Role
The data comes from Synthient, a threat intelligence platform operated by college student Ben, who indexed credential stuffing records from numerous locations where cybercriminals had published them. Synthient then provided this data to Have I Been Pwned solely for the purpose of notifying victims.
It’s critical to understand that Synthient is not the source of the breaches—they are aggregators who collected this data from criminal forums and marketplaces where it was already being traded and used for malicious purposes. As Hunt emphasized, “He’s the good guy shining a light on the bad guys.”
Credential stuffing lists differ from stealer log data. Stealer logs come from malware running on infected machines that directly harvests credentials. Credential stuffing lists, in contrast, originate from other data breaches where email addresses and passwords were exposed, then bundled up, sold, redistributed, and used to attempt logins across multiple services.
The effectiveness of credential stuffing relies on a fundamental weakness in human behavior: password reuse. A breach of a cat forum can expose credentials that criminals then successfully use to access shopping accounts, social media profiles, and even email accounts. As Hunt noted, “A breach of a forum to comment on cats often exposes data that can then be used to log in to the victim’s shopping, social media and even email accounts.”
Data Verification: Real Passwords, Real Risks
Before making the data searchable, Hunt conducted extensive verification by reaching out to affected HIBP subscribers. The results were sobering. Multiple respondents confirmed that passwords in the dataset were not just old relics—they were actively in use on current accounts.
One subscriber confirmed that their password had been used recently and was still active on some accounts: “Yes and is still on some accounts I do not use any longer… Unfortunately, it is still on some active accounts that I have just made a list of to change or close immediately.” This 8-character password with uppercase, lowercase, numbers, and special characters would pass most password complexity requirements and wasn’t even in Pwned Passwords before this dataset.
Another respondent verified an old password they’d used for years: “#1 is an old password that I don’t use anymore. #2 is a more recent password.” The concerning detail? Password #2 was simply password #1 with two exclamation marks added at the end. This perfectly illustrates why password patterns are so dangerous—slight modifications don’t create security.
Several patterns emerged from the verification process:
- Many passwords were 6-8 characters long, far below modern security standards
- Simple modifications (adding numbers or punctuation) were common
- Passwords from 10-20 years ago were still present in the dataset
- Many previously unseen passwords were actively in use on current accounts
- Some data showed IP addresses as passwords, suggesting automated or erroneous entries
What Is Credential Stuffing and Why It Matters
Credential stuffing is the automated injection of stolen username and password pairs into login forms to gain unauthorized access to user accounts. Criminals don’t need to hack into systems when they can simply log in with valid credentials.
The process works because of widespread password reuse. When you use the same password across multiple sites, a breach at one vulnerable service exposes your credentials for use everywhere. The credential stuffing lists in this dataset become what Hunt calls “the keys to the castle.”
These lists are continuously updated, traded on criminal marketplaces, and refined. Attackers use automated tools to test millions of credential combinations across thousands of websites simultaneously. When they find a match, they can:
- Take over email accounts to reset passwords on other services
- Access financial accounts to steal money or make fraudulent purchases
- Compromise social media accounts for phishing or reputation damage
- Steal personal information for identity theft
- Use accounts as launching points for further attacks
The credential stuffing lists don’t just sit idle. They’re actively weaponized, which is why finding your credentials in this dataset should trigger immediate action, even if the original breach occurred years ago.
This Is NOT a Gmail Breach
Security headlines have a tendency to create panic through oversimplification, and this incident risks repeating the Gmail misreporting that occurred with stealer logs weeks earlier. Troy Hunt was explicit in his clarification: “This is not a Gmail breach.”
Gmail addresses represent 394 million of the nearly 2 billion email addresses in the dataset—approximately 20% of the total. Gmail isn’t overrepresented because of a Google security failure; it’s overrepresented because Gmail is the world’s largest email provider.
The remaining 80% of the data spans 32 million different email domains, from corporate accounts to small regional providers. There is no security vulnerability at Google, Microsoft, Yahoo, or any other email provider being exploited. The credentials exist in this dataset because they were exposed through breaches at third-party services, infected devices, or phishing attacks.
As Hunt stated, “The 20% of Gmail addresses have absolutely nothing to do with any sort of security vulnerability on Google’s behalf. There—now let reporting sanity prevail.”
This distinction matters because misdirected blame can cause people to change the wrong passwords or focus security efforts in the wrong places. The problem isn’t your email provider—it’s password reuse across multiple services and lack of additional authentication factors.
How to Check Your Exposure
Checking whether your credentials appear in this massive dataset is straightforward, anonymous, and free. Have I Been Pwned offers multiple methods depending on your technical comfort level and privacy concerns:
For Email Addresses: Visit HaveIBeenPwned.com and enter your email address. The service will show all known breaches associated with that address. The new dataset is listed as “Synthient Credential Stuffing Threat Data.”
For Passwords: The Pwned Passwords service allows you to check individual passwords anonymously. Importantly, HIBP never stores passwords linked to email addresses—they’re maintained in completely separate databases. This design prevents a breach of HIBP itself from exposing credential pairs.
Three approaches to check passwords:
- Pwned Passwords search page – Enter passwords directly into the web interface. Checking is performed in your browser, so HIBP never sees the full password.
- K-anonymity API – For technically minded users, the API allows programmatic checking while preserving anonymity: only a partial hash of the password is ever sent to the service, and the match is made on your own machine.
- Password Manager Integration – Tools like 1Password’s Watchtower automatically check all passwords in your vault against Pwned Passwords using the anonymity API.
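To make the k-anonymity approach concrete, here is an added example (not the article's or HIBP's own code) of the client side of a Pwned Passwords range lookup: the password is SHA-1 hashed locally, only the first five hex characters of the hash form the request, and the returned list of hash suffixes is matched offline. The range response below is a constructed sample rather than a live API reply, so the script runs without network access.

```python
# Added example, not from the article or from HIBP. It shows the k-anonymity
# lookup used by the Pwned Passwords API: only a 5-character hash prefix leaves
# the client; the API returns every suffix in that range with a breach count.
import hashlib

API_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint


def sha1_prefix_suffix(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_request_url(password):
    """URL that would be fetched; the full hash is never part of it."""
    prefix, _ = sha1_prefix_suffix(password)
    return API_RANGE_URL + prefix


def count_in_range(password, range_body):
    """Match the local suffix against a range response of 'SUFFIX:COUNT' lines.

    Returns the breach count, or 0 when the password is not in the range.
    If the request was sent with the 'Add-Padding: true' header, the API also
    returns filler entries with count 0; a match on one of those still reads
    as 'not found', so padding never produces a false positive.
    """
    _, suffix = sha1_prefix_suffix(password)
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


# Constructed sample response for the prefix "5BAA6". The middle suffix is the
# real SHA-1 remainder of the word "password"; the other suffixes and all of
# the counts are made-up values for the demonstration.
SAMPLE_RANGE_BODY = (
    "00123456789ABCDEF0123456789ABCDEF01:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:24133678\r\n"
    "FEDCBA9876543210FEDCBA9876543210FED:0\r\n"
)

if __name__ == "__main__":
    print(range_request_url("password"))
    print(count_in_range("password", SAMPLE_RANGE_BODY))
```

A real client would fetch `range_request_url(pw)` over HTTPS (with Brotli or gzip accepted, given the larger ranges noted later) and pass the response body to `count_in_range`.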
HIBP subscribers (5.9 million accounts) are receiving direct notifications, though delivery is being spread over several days to avoid email deliverability issues. Of those subscribers, 2.9 million appear in this dataset and will receive breach notifications.
Steps to Protect Yourself Immediately
If your credentials appear in this dataset, taking immediate action is essential. The presence of your email and password in credential stuffing lists means criminals have access to that combination and are actively attempting to use it.
Immediate Actions:
- Change compromised passwords everywhere – If a password appears in Pwned Passwords, change it on every service where you’ve used it. Don’t just modify it slightly—create completely new passwords.
- Enable two-factor authentication (2FA) on all accounts – This is the single most effective defense against credential stuffing. Even if attackers have your password, they can’t access accounts protected by 2FA. Avoid SMS-based 2FA when other options exist; use authenticator apps instead.
- Adopt unique passwords for every account – Use a password manager to generate and store strong, unique passwords for each service. This breaks the credential stuffing chain—a breach at one service can’t compromise others.
- Implement passkeys where available – Google, Microsoft, Meta, Amazon, and Apple all support passkeys, which link account security to hardware authentication. Passkeys can’t be stolen through breaches or phishing because they never leave your device.
- Monitor for suspicious activity – Review recent login activity on critical accounts (email, banking, social media) and enable login alerts where available.
Long-Term Security Practices:
- Never reuse passwords across multiple services
- Use password managers to maintain complex, unique credentials
- Enable 2FA universally, not just on “important” accounts
- Replace old, weak passwords proactively
- Consider security keys (like YubiKey) for high-value accounts
- Stay informed about breaches affecting services you use
As Forbes security analyst Zak Doffman noted, “You’re not going to win this game of cat and mouse with the credential theft industry… But almost all tier-1 websites and platforms now give you tools to stay safe.”
The Technical Challenge Behind Processing 2 Billion Records
The scale of this dataset created unprecedented technical challenges for Have I Been Pwned. Processing nearly 2 billion email addresses and 1.3 billion passwords while maintaining service for millions of daily visitors required pushing cloud infrastructure to its limits.
HIBP runs on Azure SQL Hyperscale, which was maxed out at 80 cores for nearly two weeks during the data processing. Simple operations that would normally take seconds or minutes stretched into days. Creating SHA1 hashes of email addresses—typically a straightforward update query—crashed completely and had to be rebuilt as an insert operation instead.
Batch processing became necessary, with operations broken into 1-million-record chunks to avoid timeouts and provide progress tracking. Some update operations ran for more than a day before being killed with no end in sight, requiring completely different approaches.
The notification challenge was equally complex. With 2.9 million affected subscribers, sending emails immediately would trigger spam filters and throttling at receiving servers. Hunt implemented a graduated delivery schedule, increasing volume by 1.015 times per hour—roughly 45% daily growth—to maintain sender reputation while getting notifications out.
Response sizes for the Pwned Passwords API increased by approximately 50%, from 26KB to 40KB on average per hash range. Services integrating Pwned Passwords need to ensure they’re using brotli compression to manage the larger payloads efficiently.
The financial cost was significant, though Hunt didn’t disclose exact figures. The effort required weeks of intensive work, substantial cloud computing costs, and careful technical optimization to make 2 billion records searchable without degrading service performance.