HIBP Just Added 2 Billion Breached Emails – Here’s What You Need To Know


According to Neowin, Have I Been Pwned has just processed and indexed the largest corpus of breached data in its history – the Synthient Credential Stuffing Threat Data. This massive batch contains nearly 2 billion email addresses and 1.3 billion passwords, with 625 million of those passwords being completely new to HIBP. Troy Hunt, who created the service, confirmed this data comes from credential stuffing lists that criminals compiled from prior breaches. The operation was so massive that it maxed out Azure SQL Hyperscale resources for two weeks and required sending notifications to 2.9 million affected subscribers. Despite online rumors, Gmail itself wasn’t breached – the 394 million Gmail addresses in the dataset come from other service breaches where people used their Gmail accounts.


What this means for you

Here’s the thing: if your email shows up in this dataset, it doesn’t mean your current accounts are compromised. These are credentials that attackers collected from various breaches over the years and now use for credential stuffing, where they take known email/password combinations and try them across other services, betting that people reuse passwords. Many of those bets pay off: Hunt verified that a large number of these passwords are still in use, including some that people confirmed were their current ones. Some passwords in this dataset are 10 to 20 years old, which shows how long this stuff lingers in criminal hands.

Check your exposure

So what should you do? First, check Have I Been Pwned to see if your email address appears. But more importantly, check the Pwned Passwords service: all the new passwords were added there as hashes with no link to any email address. You search by password, and the lookup uses k-anonymity, so only the first five characters of your password’s SHA-1 hash are ever sent to the service, never the password itself. If it shows up, stop using it everywhere, not just on the site you think leaked it. Password managers such as 1Password’s Watchtower run this check automatically. The scary part is that both weak and strong passwords showed up in this dataset, so strength alone is no protection once a password has been reused and leaked.
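Here is how that k-anonymity lookup works in practice, as an added example that is not code from the article or from HIBP. It uses the public range endpoint at https://api.pwnedpasswords.com/range/ and the Add-Padding header HIBP documents; the sample range response embedded below is constructed with made-up counts so the logic can run offline, and only the prefix of the hash is ever handed to the fetch function.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple[str, str]:
    """Uppercase SHA-1 hex of the password, split into the 5-char prefix
    that is sent to the API and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse a range response: one 'SUFFIX:COUNT' entry per line.
    With Add-Padding the server mixes in fake entries with a count of 0,
    so a zero count is treated the same as an absent suffix."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Fetch every known suffix for a hash prefix from the live API.
    Only the prefix is transmitted; the server cannot tell which of the
    returned suffixes (if any) is the one being checked."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetch=fetch_range) -> int:
    """Return how many times the password appears in Pwned Passwords
    (0 if never seen). `fetch` is injectable so the logic can run offline."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


# Constructed sample range response for prefix 5BAA6 (the SHA-1 of
# "password" starts with 5BAA6). The counts and the extra entries are
# made up and do not come from the real API.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
        "A" * 35 + ":3",
        "B" * 35 + ":0",   # what a padding entry looks like
    ]) + "\n",
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        n = check_password(pw, fetch=offline_fetch)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in sample range")
```

Calling `check_password` with the default fetcher performs a live query; the Add-Padding header asks the service to pad responses so their size doesn’t reveal which prefix was queried. Because the match is done locally against the returned suffix list, the full hash never leaves your machine.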

Why this is different

This isn’t a new breach. It’s a massive compilation of existing breach data that criminals have been circulating. At almost three times the size of the previous largest dataset HIBP loaded, it is the motherlode of credential stuffing lists. Processing 2 billion records was a serious engineering problem: simple SQL update statements kept crashing at that scale, so the load had to be broken into batches. Even the notification emails had to be throttled to avoid getting blacklisted by mail servers. That gives you some idea of the scale we’re talking about.

Real protection steps

Look, the advice here isn’t new, but it’s more urgent than ever. Get a password manager; browsers like Chrome and Firefox have built-in ones that sync across devices. Use a unique password for every service, so one leak doesn’t unlock the rest. Enable multi-factor authentication wherever possible, and prefer an authenticator app or hardware key over SMS codes. Move to passkeys where available: they can’t be phished or stuffed, because there is no shared password to leak. The reality is that your credentials are probably already out there somewhere. The question isn’t whether they’ll be used in an attack, but when. Your best defense is making sure that even if attackers have your password, they can’t actually get into your accounts.
