Massive Addition of Nearly 2 Billion Compromised Accounts to Have I Been Pwned
Have I Been Pwned (HIBP), the widely used data breach notification service, has indexed nearly 2 billion unique email addresses and 1.3 billion passwords from newly obtained datasets, marking the largest single update in the platform's history. The data, sourced in part from threat intelligence provider Synthient, includes both stealer log data—collected by malware from infected machines—and credential stuffing lists, which are typically compiled from previous breaches and used to facilitate unauthorized access to accounts across multiple services. This update brings the total number of accounts tracked by HIBP to over 15 billion, significantly expanding the visibility of exposed credentials for individuals and organizations.
The newly indexed records include 183 million unique email addresses uploaded on October 21, as well as a much larger corpus totaling nearly 2 billion addresses and 1.3 billion passwords, 625 million of which were previously unseen. Users are encouraged to check their exposure using HIBP's free search tools and to take immediate action if their credentials are found, such as changing passwords and enabling multi-factor authentication. The scale and diversity of the data highlight the ongoing risks of password reuse and the importance of proactive credential management to mitigate the threat of account takeover attacks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
HIBP publishes breach record for Synthient credential-stuffing data
Have I Been Pwned later published a dedicated breach entry for the Synthient Credential Stuffing Threat Data, describing the source and nature of the aggregated exposure. The listing states the data was collected during 2025 from multiple malicious sources and used in credential-stuffing activity.
Have I Been Pwned indexes the Synthient credential-stuffing dataset
Have I Been Pwned announced it had indexed the Synthient dataset, making 2 billion exposed email addresses searchable and adding 1.3 billion passwords to Pwned Passwords. The partnership was presented as a way to turn threat-intelligence data into public awareness so people could check whether they were exposed.
Synthient aggregates 2 billion emails from credential-stuffing lists
During 2025, threat-intelligence firm Synthient collected and aggregated 2 billion unique email addresses and 1.3 billion unique passwords from credential-stuffing lists gathered across multiple malicious online sources. The data consisted of email and password pairs originating from prior breaches and reused by attackers to target unrelated accounts.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Have I Been Pwned Adds Synthient Credential Stuffing Dataset
Have I Been Pwned (HIBP) has incorporated a massive dataset containing 1.96 billion unique email addresses and approximately 1.3 billion passwords into its breach notification platform. This dataset, known as the Synthient Credential Stuffing Threat Data, was aggregated by the threat intelligence firm Synthient from previously compromised credentials circulating on both clear and dark web forums. The data was not sourced from a single breach but compiled from multiple prior incidents, highlighting the ongoing risk posed by credential reuse and large-scale aggregation of stolen credentials. HIBP's addition of this dataset aims to alert users whose information may be at risk, emphasizing the importance of changing passwords, enabling two-factor authentication, and avoiding password reuse across platforms. The incident underscores the persistent threat of credential stuffing attacks, where cybercriminals use automated tools to exploit reused credentials and gain unauthorized access to accounts. The inclusion of this data in HIBP's database serves as a critical reminder for organizations and individuals to maintain strong password hygiene and remain vigilant against evolving cyber threats.
Mar 21, 2026
Massive Aggregation of Stolen Credentials Added to Have I Been Pwned
Have I Been Pwned (HIBP) has incorporated a new dataset containing 183 million unique stolen email and password pairs, sourced and aggregated by a U.S. college student known as Ben for the cybersecurity company Synthient. The dataset, totaling 23 billion rows and 3.5 terabytes, was compiled from infostealer malware logs, Telegram groups, Tor sites, and various underground forums, reflecting the industrial scale at which credentials are stolen, traded, and reused across the dark web. Security experts note that this aggregation highlights the persistent threat posed by credential theft, password reuse, and the automation of attacks, which collectively undermine digital trust and make traditional defenses less effective. The Synthient dataset is notable for its breadth, as it combines real credentials captured from infostealer malware with credential stuffing lists, rather than being the result of a single breach. This collection process demonstrates how stolen credentials move through a digital supply chain, being shared, merged, and resold repeatedly. The exposure of such a vast number of credentials underscores the importance of maintaining visibility into leaked data, enforcing multi-factor authentication, and adopting stronger authentication practices to mitigate the risks associated with widespread credential compromise.
Mar 21, 2026
Have I Been Pwned Adds Unverified Speedio and Pemiblanc Breach Listings
Have I Been Pwned added breach entries for **Speedio** and **Pemiblanc** and labeled both incidents as **unverified**, indicating that some of the exposed records may be legitimate but the full datasets could not be authenticated beyond reasonable doubt. The listings were nevertheless published because they may contain personal information that affected individuals would want to know is circulating online. The disclosures reflect HIBP's practice of retaining alleged breaches when there is evidence of real personal data exposure even if the broader incident cannot be conclusively validated. For defenders and privacy teams, the entries signal potential exposure tied to the two services and warrant user notification, credential hygiene checks, and monitoring for follow-on abuse involving leaked personal data.
Mar 27, 2026