Massive Aggregation of Stolen Credentials Added to Have I Been Pwned
Have I Been Pwned (HIBP) has incorporated a new dataset containing 183 million unique stolen email and password pairs, sourced and aggregated by a U.S. college student known as Ben for the cybersecurity company Synthient. The dataset, totaling 23 billion rows and 3.5 terabytes, was compiled from infostealer malware logs, Telegram groups, Tor sites, and various underground forums, reflecting the industrial scale at which credentials are stolen, traded, and reused across the dark web. Security experts note that this aggregation highlights the persistent threat posed by credential theft, password reuse, and the automation of attacks, which collectively undermine digital trust and make traditional defenses less effective.
The Synthient dataset is notable for its breadth, as it combines real credentials captured from infostealer malware with credential stuffing lists, rather than being the result of a single breach. This collection process demonstrates how stolen credentials move through a digital supply chain, being shared, merged, and resold repeatedly. The exposure of such a vast number of credentials underscores the importance of maintaining visibility into leaked data, enforcing multi-factor authentication, and adopting stronger authentication practices to mitigate the risks associated with widespread credential compromise.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Google disputes claims of a massive Gmail breach tied to the data
Google said reports framing the exposed records as a new large-scale Gmail data breach were false, clarifying that the credentials were aggregated from infostealer activity and other sources rather than a direct compromise of Google. The response helped reframe the incident as credential aggregation, not a single-platform breach.
Have I Been Pwned adds 183 million unique stolen credentials
Troy Hunt added 183 million unique email address and password pairs from the Synthient dataset to Have I Been Pwned. The update made the stolen credentials searchable for affected users and highlighted the scale of industrialized credential theft.
Synthient compiles a massive credential corpus from stealer logs and forums
A U.S. college student known as Ben, working for Synthient, assembled a dataset containing roughly 23 billion rows from infostealer malware logs, Telegram groups, and online forums. The collection represented aggregated stolen credentials from many sources rather than a single breach.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Your logins could be among 180M just added to Have I Been Pwned - how to check for free
zdnet.com
Open sourceGoogle disputes false claims of massive Gmail data breach
bleepingcomputer.com
Open sourceWeekly Update 475
troyhunt.com
Open source183 Million Synthient Stealer Credentials Added to Have I Been Pwned
hackread.com
Open sourceOver 180 million stolen credentials added to Have I Been Pwned
scworld.com
Open sourceInside the Synthient Threat Data
troyhunt.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Have I Been Pwned Adds Synthient Credential Stuffing Dataset
Have I Been Pwned (HIBP) has incorporated a massive dataset containing 1.96 billion unique email addresses and approximately 1.3 billion passwords into its breach notification platform. This dataset, known as the Synthient Credential Stuffing Threat Data, was aggregated by the threat intelligence firm Synthient from previously compromised credentials circulating on both clear and dark web forums. The data was not sourced from a single breach but compiled from multiple prior incidents, highlighting the ongoing risk posed by credential reuse and large-scale aggregation of stolen credentials. HIBP's addition of this dataset aims to alert users whose information may be at risk, emphasizing the importance of changing passwords, enabling two-factor authentication, and avoiding password reuse across platforms. The incident underscores the persistent threat of credential stuffing attacks, where cybercriminals use automated tools to exploit reused credentials and gain unauthorized access to accounts. The inclusion of this data in HIBP's database serves as a critical reminder for organizations and individuals to maintain strong password hygiene and remain vigilant against evolving cyber threats.
Mar 21, 2026
Massive Addition of Nearly 2 Billion Compromised Accounts to Have I Been Pwned
Have I Been Pwned (HIBP), the widely used data breach notification service, has indexed nearly 2 billion unique email addresses and 1.3 billion passwords from newly obtained datasets, marking the largest single update in the platform's history. The data, sourced in part from threat intelligence provider Synthient, includes both stealer log data—collected by malware from infected machines—and credential stuffing lists, which are typically compiled from previous breaches and used to facilitate unauthorized access to accounts across multiple services. This update brings the total number of accounts tracked by HIBP to over 15 billion, significantly expanding the visibility of exposed credentials for individuals and organizations. The newly indexed records include 183 million unique email addresses uploaded on October 21, as well as a much larger corpus totaling nearly 2 billion addresses and 1.3 billion passwords, 625 million of which were previously unseen. Users are encouraged to check their exposure using HIBP's free search tools and to take immediate action if their credentials are found, such as changing passwords and enabling multi-factor authentication. The scale and diversity of the data highlight the ongoing risks of password reuse and the importance of proactive credential management to mitigate the threat of account takeover attacks.
Mar 21, 2026
Massive Credential Exposure Reveals Billions of Stolen Login Records
Researchers and media reports disclosed enormous troves of exposed login data, including an unprotected 47.42 GB database containing **184,162,718** unique usernames and passwords tied to services such as Microsoft, Facebook, Google, Instagram, Snapchat, Discord, Netflix, PayPal, and government portals in 29 countries. Security researcher Jeremiah Fowler found the database on an unmanaged server with no password protection or encryption, and sample records included account types, website URLs, and plaintext passwords labeled `senha`. Fowler said multiple individuals confirmed the leaked credentials were genuine after he contacted them directly. The exposed records are believed to be linked to **infostealer malware** and broader malware-as-a-service collection operations, with subsequent reporting describing a far larger cache totaling **16 billion** credentials affecting major consumer platforms including Apple, Facebook, and Google. The disclosures raise immediate risks of credential stuffing, account takeover, phishing, fraud, and unauthorized access to corporate and government systems. Public access to the 184 million-record database was later restricted after responsible disclosure to the hosting provider, but the owner of the data remains unidentified.
May 25, 2026