
Security researcher Troy Hunt, the mind behind the widely used Have I Been Pwned (HIBP) service, recently received a staggering collection of 2 billion unique email addresses along with 1.3 billion unique passwords. This massive data trove was compiled from multiple malicious sources, including public leaks, internet scraping, and Telegram groups, and aggregated by security firm Synthient. Much like the previously reported 183 million compromised emails, these credentials were gathered via infostealer malware and other collection methods, highlighting the ongoing scale of credential exposure online.

After careful processing, the dataset now contains only unique email and password combinations, with duplicates removed. Hunt tested the accuracy of the data by checking his own old email addresses and found several linked passwords, though only one was currently active on his account. He also reached out to others who examined the dataset and confirmed a mix of both decades-old and recently used credentials. This illustrates the persistent risk: attackers don’t care how old the credentials are, as many people reuse passwords or rely on simple, predictable patterns, making them vulnerable to “credential stuffing” attacks.

To help users protect themselves, Hunt uploaded the exposed passwords to his Pwned Passwords database. Unlike email-focused checks, this database focuses solely on password security, allowing anyone to determine whether a particular password has appeared in prior breaches. Even if the password was linked to another account, its exposure renders it unsafe for continued use. Hunt advises all users to regularly check their email accounts and passwords, avoid reusing compromised credentials, and take proactive steps to strengthen account security. This latest dataset is a stark reminder of just how widespread and persistent password compromise remains in the digital age.