Have I Been Pwned Just Added 2 Billion Leaked Email Addresses


According to Neowin, Have I Been Pwned has just processed the largest corpus of breached data in its history, known as the Synthient Credential Stuffing Threat Data. The massive dataset contains nearly 2 billion email addresses and 1.3 billion passwords, with 625 million of those passwords being completely new to HIBP’s database. Troy Hunt, the service’s creator, confirmed this data comes from credential stuffing lists that criminals compiled from prior breaches. While Gmail addresses appear 394 million times in the dataset, Hunt emphasized this doesn’t represent a new Google security breach. The operation took two weeks and maxed out Azure SQL Hyperscale resources due to the sheer volume. HIBP has now added these passwords to its Pwned Passwords service and notified 2.9 million affected subscribers.


What this means for you

Here’s the thing – this isn’t a new breach. Basically, criminals have been collecting login credentials from years of data breaches and compiling them into massive lists for credential stuffing attacks. And credential stuffing is exactly what it sounds like – attackers take these username/password combinations and try them across hundreds of sites, hoping you’ve reused passwords.
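To make the pattern concrete from the defender's side, here is an added example (not from the Neowin article, HIBP, or Troy Hunt) of how a credential stuffing run looks in authentication logs and how a simple detector separates it from an ordinary user fumbling their own password. The log format and the ten lines of sample data are constructed for this illustration; the threshold of five distinct accounts failing from one IP inside a five-minute window is an assumption you would tune to your own traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication log lines (not from any real system).
# 203.0.113.5 walks through many different accounts: the stuffing pattern.
# 198.51.100.7 is one person retrying their own account until it works.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice result=fail
2024-05-01T10:00:02Z ip=203.0.113.5 user=bob result=fail
2024-05-01T10:00:03Z ip=203.0.113.5 user=carol result=fail
2024-05-01T10:00:04Z ip=203.0.113.5 user=dave result=success
2024-05-01T10:00:05Z ip=203.0.113.5 user=erin result=fail
2024-05-01T10:00:06Z ip=203.0.113.5 user=frank result=fail
2024-05-01T10:00:10Z ip=198.51.100.7 user=alice result=fail
2024-05-01T10:00:20Z ip=198.51.100.7 user=alice result=fail
2024-05-01T10:00:30Z ip=198.51.100.7 user=alice result=success
2024-05-01T10:05:00Z ip=192.0.2.9 user=grace result=success
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict (assumed format)."""
    ts, *pairs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, value = pair.split("=", 1)
        rec[key] = value
    return rec


def detect_stuffing(log_text, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag source IPs that fail logins against many *different* accounts
    within a short window. Returns {ip: sorted list of failed usernames}.

    The distinguishing signal is breadth across accounts, not raw volume:
    one user retrying their own password never trips this rule.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        # Sliding window over the time-ordered events for this IP.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            failed_users = {
                e["user"] for e in evs[start:end + 1] if e["result"] == "fail"
            }
            if len(failed_users) >= min_distinct_users:
                current = flagged.get(ip, [])
                if len(failed_users) > len(current):
                    flagged[ip] = sorted(failed_users)
    return flagged


if __name__ == "__main__":
    for ip, users in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} distinct accounts failed -> {users}")
```

Note that the success for `dave` inside the stuffing burst is exactly what you are looking for: the attacker's list contained a reused password that still worked. A real deployment would also rate-limit and add the matching successful logins to the alert, since those are the accounts that need a forced password reset.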

The scary part? When Hunt verified the data, many subscribers confirmed these were real passwords – including some they were still actively using. We’re talking passwords that range from recent ones to some that were 10-20 years old. So if you’ve been using the same password across multiple sites for years, there’s a good chance it’s in this dataset.

How to check and protect

First, go check HIBP’s Pwned Passwords service right now. The service lets you check a password without ever tying it to your email address. Password managers like 1Password’s Watchtower feature also integrate this data. Found your password there? Don’t use it ever again. Seriously.
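The reason a Pwned Passwords lookup is safe to run is that the password never leaves your machine: the service uses a k-anonymity range query, where you send only the first five hex characters of the password's SHA-1 hash and compare the returned suffixes locally. The example below is added here and is not HIBP's own client code; the endpoint `https://api.pwnedpasswords.com/range/{prefix}` and its `SUFFIX:COUNT` response lines are the real public API, while the sample range body embedded in the block is constructed (the count shown for `password` is made up) so the matching logic runs offline.

```python
import hashlib
from urllib.request import Request, urlopen

# Real public endpoint; a request carries only the first 5 hash characters.
API = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the response to GET /range/5BAA6. Real responses
# hold hundreds of lines; the count for the first suffix (which belongs to the
# password "password") is invented for this example. A ":0" line is what
# padding entries look like when the Add-Padding header is sent.
CONSTRUCTED_RANGE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234
0123456789ABCDEF0123456789ABCDEF012:3
FEDCBA9876543210FEDCBA9876543210FED:0
"""


def split_hash(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; padding lines carry 0."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def count_in_range(password, range_body):
    """How many times the password appears, given the range body for its prefix.
    0 means not found (or only present as a padding entry)."""
    _prefix, suffix = split_hash(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix, timeout=10):
    """Fetch the live range for a 5-char prefix. Add-Padding asks the API to
    pad the response so its size does not hint at which prefix was queried."""
    req = Request(API + prefix, headers={"Add-Padding": "true",
                                         "User-Agent": "pwned-range-example"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password):
    """Full k-anonymity round trip against the live service (needs network)."""
    prefix, _suffix = split_hash(password)
    return count_in_range(password, fetch_range(prefix))


if __name__ == "__main__":
    # Offline demonstration against the constructed range body only.
    print("password ->", count_in_range("password", CONSTRUCTED_RANGE))
    print("long unique passphrase ->",
          count_in_range("constructed-unique-passphrase-9f3a", CONSTRUCTED_RANGE))
```

The only thing the remote side learns is a five-character prefix shared by roughly one in a million hashes, so even a logged request does not reveal which password you checked. This is the same mechanism password managers use for their breach-check features.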

Hunt’s advice is what security experts have been saying for years, but now it’s more urgent than ever: get a password manager, use unique passwords for every site, enable multi-factor authentication, and consider moving to passkeys. Most browsers like Chrome and Firefox have built-in password managers that sync across devices – there’s really no excuse anymore.

The bigger picture

This dataset is almost three times larger than anything HIBP has processed before. Think about that for a second – we’re talking about technical challenges so massive that simple SQL update commands kept crashing, and sending notifications to 2.9 million people had to be carefully throttled to avoid getting blacklisted.

But here’s what really worries me – if this is what’s publicly available through legitimate services like HIBP, imagine what the actual criminals have access to. The underground markets for this data must be absolutely massive. And with AI making automated attacks even more efficient, the credential stuffing problem is only going to get worse before it gets better.

So yeah, this might feel like yet another security wake-up call. But this time, maybe actually listen to it. Your reused password from 2012 isn’t just your problem anymore – it’s in a database that criminals are actively using right now.
